Slowloris vulnerability

Traffic server is "likely vulnerable" to slowloris (see https://nmap.org/nsedoc/scripts/http-slowloris-check.html) in both reverse and forward proxy mode.

Has anyone investigated this yet? Is there any plan to do anything about it? I appreciate the nature of the vulnerability means fully fixing it is likely impossible, I'm just trying to find out if there's an official position on the issue.

Thanks.

[zwoop]

I think think you can set a timeout (proxy.config.http.transaction_active_timeout_in) which doesn't care if data is being sent or not (it's a "hard" timeout on an active connection).

[thelounge-zz]

this is REALLY a problem easily to fix on httpd with https://httpd.apache.org/docs/2.4/mod/mod_reqtimeout.html (RequestReadTimeout header=5-15,MinRate=500 body=20,MinRate=500)

the problem of slowloris is that the client sends some bytes of data and so it's not a idle connection, we face currently multiple times many hundret connections to the backendserver and there is no way in trafficserver to migitate this

proxy.config.http.transaction_no_activity_timeout_in to a very low value would stop security scans to alert the ATS vulnerability but at the same time breaking every application which takes some time to respond

the current timeout configs are terrible

16:04:00 - request start
16:05:00 - still no repsone while expected
16:09:00 - Proxy: Inactivity Timeout

WTF - that's likely the "Timeout 30" but i strongly doubt httpd waits 5 minutes to close the backend connection and so for whatever reason "proxy.config.http.transaction_no_activity_timeout_out" get triggerd

20170821.16h09m03s CONNECT: could not connect to ... for 'http://example.com/timeout.php' (setting last failure time)
20170821.16h09m03s RESPONSE: sent ... status 504 (Connection Timed Out) for 'http://example.com/timeout.php'

and after that you pretend "could not connect [INACTIVE_TIMEOUT]" to follow up requests which would hahve been served promptly (at least only for that domain and not the other 200 on the same origin IP)

CONFIG proxy.config.http.keep_alive_no_activity_timeout_in INT 5
CONFIG proxy.config.http.keep_alive_no_activity_timeout_out INT 1
CONFIG proxy.config.http.transaction_no_activity_timeout_in INT 5
CONFIG proxy.config.http.transaction_no_activity_timeout_out INT 300
CONFIG proxy.config.http.transaction_active_timeout_in INT 900
CONFIG proxy.config.http.transaction_active_timeout_out INT 0
CONFIG proxy.config.http.accept_no_activity_timeout INT 1
CONFIG proxy.config.http.background_fill_active_timeout INT 0
CONFIG proxy.config.http.background_fill_completed_threshold FLOAT 0.0