What's this mod_qos on your server then?
Good question. One of my clients got hit with a slowloris attack. This is a DDoS attack whereby the perp opens connections to the webserver and holds them open for as long as possible. Almost zero effort/traffic for them = big win for little outlay. What I'm configuring mod_qos to do is to shut down these connections by just dropping those doing very little.
Unfortunately, mod_qos isn't available through the usual channels, so it's best just to build it yourself. To do this, you need a copy of apxs2, which I got from using apt to download the apache2-threaded-dev package. Download the code from SourceForge ( http://sourceforge.net/projects/mod-qos/ ). As we speak, the current version is 9.5, but it's being improved all the time.
tar xvfz mod_qos-9.5-src.tar.gz
apxs2 -ci mod_qos.c
chmod 644 /usr/lib/apache2/modules/mod_qos.so
You now need to enable and configure it, so open up your favourite editor, and edit /etc/apache2/mods-available/qos.load:
LoadModule qos_module /usr/lib/apache2/modules/mod_qos.so
and then do the same for /etc/apache2/mods-available/qos.conf:
# handles connections from up to 100000 different IPs
QS_ClientEntries 100000
# will allow only 50 connections per IP
QS_SrvMaxConnPerIP 50
# maximum number of active TCP connections is limited to 256
MaxClients 256
# disables keep-alive when 70% of the TCP connections are occupied:
QS_SrvMaxConnClose 180
# minimum request/response speed (deny slow clients blocking the server, i.e. slowloris keeping connections open without requesting anything):
QS_SrvMinDataRate 150 1200
# and limit request header and body (careful, that limits uploads and POST requests too):
# LimitRequestFields 30
# QS_LimitRequestBody 102400
Run a2enmod qos followed by /etc/init.d/apache2 reload and you're protected.
(These instructions are for Debian lenny, will probably work directly under Ubuntu, but will need a bit of tweaking under CentOS/RHEL.)
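The numbers in qos.conf depend on each other (180 is meant to be 70% of MaxClients 256, and the per-IP limit only helps if it stays below MaxClients), so it's worth checking them before the reload. The script below is an added example, not part of mod_qos or of the original instructions; the function names are made up here and it assumes plain numeric values for each directive.

```shell
#!/bin/sh
# Added example: cross-check the related directives in a qos.conf file.

# Print the first argument of directive $2 in file $1; comment lines never match.
directive() {
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# Print QS_SrvMaxConnClose as a whole percentage of MaxClients.
keepalive_pct() {
    close=$(directive "$1" QS_SrvMaxConnClose)
    total=$(directive "$1" MaxClients)
    echo $(( close * 100 / total ))
}

# Print one finding per line; return 1 if any check fails.
qos_lint() {
    conf=$1; rc=0
    for d in MaxClients QS_SrvMaxConnPerIP QS_SrvMaxConnClose QS_SrvMinDataRate; do
        if [ -z "$(directive "$conf" "$d")" ]; then
            echo "MISSING $d"; rc=1
        fi
    done
    if [ "$rc" -ne 0 ]; then return 1; fi
    max=$(directive "$conf" MaxClients)
    if [ "$(directive "$conf" QS_SrvMaxConnPerIP)" -ge "$max" ]; then
        echo "WARN QS_SrvMaxConnPerIP >= MaxClients: one IP can occupy every slot"; rc=1
    fi
    if [ "$(directive "$conf" QS_SrvMaxConnClose)" -ge "$max" ]; then
        echo "WARN QS_SrvMaxConnClose >= MaxClients: keep-alive is never switched off early"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK keep-alive disabled at $(keepalive_pct "$conf")% of MaxClients"
    fi
    return "$rc"
}

# Constructed sample: the directive values from the qos.conf above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
QS_ClientEntries 100000
QS_SrvMaxConnPerIP 50
MaxClients 256
QS_SrvMaxConnClose 180
QS_SrvMinDataRate 150 1200
# QS_LimitRequestBody 102400
EOF
qos_lint "$sample"
rm -f "$sample"
```

On a real box, call qos_lint /etc/apache2/mods-available/qos.conf instead of the sample file; a missing QS_SrvMinDataRate is reported because without it slow connections are not dropped.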