
How to protect your Apache server from DoS attacks (denial-of-service) using the quality of service (QoS) module on Ubuntu 16.04

There are a lot of attacks that can be performed against a server when it is not correctly configured or does not expect that kind of attack at all. One of the best known and easiest to implement is the Slowloris attack. This algorithm is designed so that a single machine (a Linux/Unix based machine, since Windows limits how many sockets you can have open at any given time) can easily tie up a typical web server or proxy server by locking up all of its threads as they patiently wait for more data.

Some servers may have a smaller tolerance for timeouts than others; it all depends on your configuration, but the algorithm can compensate for that by customizing its timeouts. This kind of attack does not consume a lot of resources or bandwidth at all. The load impact is pretty low, yet the HTTP(S) service stops serving very quickly. mod_qos gives you several ways to limit the number of connections used on your server and defend it from the attack according to bandwidth limits. This package is available in the Ubuntu repositories, so it should be pretty easy to install and configure in this environment.

In this short article, we will explain how to install and configure the QoS module of Apache on your Ubuntu 16.04 server.

1. Install mod_qos module

As a first step, access your server through the terminal, update the repositories and install the module with the following commands:

# Update repos
sudo apt-get update

# Install the apache extension
sudo apt-get install libapache2-mod-qos

After installing the module, it will register and enable itself automatically. Quality of service implements control mechanisms to provide different priority to different users, applications, and data connections. It is used to guarantee a certain level of performance to data resources. The term quality of service is often used in the field of wide area network protocols (e.g. ATM) and telephony (e.g. VoIP), but rarely in conjunction with web applications. mod_qos is a quality of service module for the Apache web server implementing control mechanisms that can provide different levels of priority to different HTTP requests. Example situations where web applications require QoS:

  • More resources are consumed if request processing by an application takes a long time, e.g. when request processing includes time consuming database queries.
  • Oversubscription of link capabilities due to many concurrent clients uploading or downloading data.
  • Penetration of the web server by attackers (DoS).

For more information about the mod_qos module for Apache, please visit the official project page at SourceForge.

For Plesk based servers

After the installation of the module through the command line, the module registers and activates itself automatically, so if you open the Apache settings on a Plesk based server, you will see the extension in the list:

[Screenshot: Plesk Apache settings listing the QoS module for DoS protection]

So you can enable/disable it dynamically with just a checkbox in the graphical user interface of Plesk.

2. Configure module

The installation of the module creates a configuration file in Apache's mods-available directory; you can edit it quickly with nano:

# Edit the qos.conf file with your favorite terminal editor, we'll use nano
# (the file belongs to root, so sudo is required to save changes)
sudo nano /etc/apache2/mods-available/qos.conf

This opens the module's configuration file in the editor. Replace its content with the block shown below, adjusting the values according to your needs.

In short, what we are doing is limiting the number of simultaneous inbound connections from a single IP. This automatically prevents a user from creating more than x requests (the value of QS_SrvMaxConnPerIP) at the same time from the same device/network. This is not a problem at all when more than x requests reach the server from real people, as long as their connections don't behave the way a Slowloris attack does: if your application has more users than the value specified here, they will still be able to access it as long as they aren't making slow HTTP requests. Wonderful, isn't it!?

<IfModule qos_module>
   # handle connections from up to 100000 different IPs
   QS_ClientEntries 100000
   # allow only 50 connections per IP
   QS_SrvMaxConnPerIP 50
   # limit the maximum number of active TCP connections to 256
   MaxClients 256
   # disable keep-alive when 180 (70%) TCP connections are occupied
   QS_SrvMaxConnClose 180
   # minimum request/response speed
   # (deny slow clients blocking the server by keeping connections open without requesting anything)
   QS_SrvMinDataRate 150 1200
</IfModule>

These values may need to be adjusted to the characteristics of the server, e.g. MaxClients may need to be an integer multiple of ThreadsPerChild. Apache 2.4 does not allow mod_qos to set QS_SrvMinDataRate. Add these or similar settings to the Apache configuration, either in a separate included file or in the main Apache configuration file. Restart the server and verify that this approach mitigates a Slowloris attack.
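As an added example (not code from this article or from the mod_qos project), here is a small Python checker that parses a qos.conf block like the one above and flags missing or inconsistent limits before you restart Apache. It assumes the directive names used above and embeds the article's own block as its sample input.

```python
# Constructed sample input: the qos.conf block from this article, embedded inline.
SAMPLE_QOS_CONF = """<IfModule qos_module>
   QS_ClientEntries 100000
   QS_SrvMaxConnPerIP 50
   MaxClients 256
   QS_SrvMaxConnClose 180
   QS_SrvMinDataRate 150 1200
</IfModule>
"""

def parse_qos_conf(text):
    """Collect directives inside <IfModule qos_module>: {name: [arguments]}."""
    directives, inside = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        if line.lower().startswith("<ifmodule") and "qos_module" in line.lower():
            inside = True
        elif line.lower() == "</ifmodule>":
            inside = False
        elif inside:
            name, *args = line.split()    # directive name followed by its arguments
            directives[name] = args
    return directives

def check_qos_conf(directives):
    """Return findings about missing or inconsistent limits; [] means consistent."""
    def num(name, idx=0):
        try:
            return int(directives[name][idx])
        except (KeyError, IndexError, ValueError):
            return None                   # directive absent or not numeric
    max_clients, per_ip = num("MaxClients"), num("QS_SrvMaxConnPerIP")
    conn_close = num("QS_SrvMaxConnClose")
    rate_min, rate_max = num("QS_SrvMinDataRate", 0), num("QS_SrvMinDataRate", 1)
    findings = []
    if per_ip is None:
        findings.append("QS_SrvMaxConnPerIP missing: no per-IP connection limit")
    elif max_clients and per_ip >= max_clients:
        findings.append("QS_SrvMaxConnPerIP >= MaxClients: one IP can fill every slot")
    if conn_close is None:
        findings.append("QS_SrvMaxConnClose missing: keep-alive is never disabled under load")
    elif max_clients and conn_close >= max_clients:
        findings.append("QS_SrvMaxConnClose >= MaxClients: keep-alive is never disabled")
    if rate_min is None or rate_max is None:
        findings.append("QS_SrvMinDataRate missing: slow clients are never dropped")
    elif rate_min > rate_max:
        findings.append("QS_SrvMinDataRate: minimum rate exceeds the maximum")
    return findings
```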

Save changes to the file and restart apache using the following command:

sudo service apache2 restart

Now the extension should be enabled and working with the given settings. But how can I test that it works!? First of all, your website should still be accessible in the browser; if it is, the configuration has been set up properly. For a fully functional test, we recommend running a slow HTTP test yourself against the configured server using any tool for this purpose; we wrote a pretty interesting tutorial on how to run such a test against a server using SlowHTTPTest in Kali Linux, and you can find it here.

Happy coding!
