slowloris, accf_http and POST requests

Norbert Papke npapke at
Mon Jun 22 16:14:13 UTC 2009

On June 22, 2009, Ruben de Groot wrote:
> Can enybody explain why the http accept filter only works on GET/HEAD
> requests?
> The reason I ask is I was checking up on the slowloris DOS tool
> ( and, like others before me,
> found that the -httpready switch (which uses POST instead of GET) renders
> the accf_http module useless as a protection against this kind of attack.

With the POST request, the client sends additional data after the header.  
This additonal data is the form data (the x-www-form-urlencoded encoded 
name-value pairs).  The filter will allow the request to proceed to the 
application after the header as been received but before the form data has 
been received.

A "slowloris" attack could exploit this fact by sending a complete header but 
then slowing doling out the form data.

To protect against this scenario, the filter would need to be modified to 
collect the form data as well.  Of course, it doesn't stop there.  The filter 
would also have to deal with multi-part forms.

Disclaimer: This is based on cursory reading of the code.


-- Norbert Papke.
   npapke at
Protecting your Internet's level playing field

More information about the freebsd-questions mailing list