Slowloris mitigation patch for Apache 2.2.x

When the number of worker processes/threads reaches the maximum set by configuration, the patch does the following:

All sockets that have been in read state for over one second, and any other socket that has not changed state for over two minutes, will be disconnected. Ideally, these times should be configurable, but that's for another version of the patch.

Obviously, this is a rather brute force approach to the problem. It simply disconnects sockets once the server gets in trouble. Yes, some of the legitimate sockets may get disconnected here as well. However, if a Slowloris attack is successful, Apache will serve no legitimate clients. With this patch, a large number of legitimate clients will be served.

The general idea behind this patch is that a well configured server will seldom reach the limit on the number of worker processes/threads. The patch applies to prefork and worker MPMs.
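The following is an added illustration of the disconnect policy described above, written for this page rather than taken from the patch itself. It models the worker scoreboard as a simple list of hypothetical Worker records (the field names and the "READ"/"WRITE"/"KEEPALIVE"/"IDLE" state labels are assumptions, not Apache's own scoreboard structure) and shows the two things the text states: nothing is disconnected while the server is below its worker limit, and once the limit is reached, sockets in read state for over one second and any other socket unchanged for over two minutes are selected.

```python
from dataclasses import dataclass

# Fixed thresholds from the patch description: one second in read state,
# two minutes without a state change for everything else.
READ_TIMEOUT = 1.0
STALE_TIMEOUT = 120.0


@dataclass
class Worker:
    """Hypothetical model of one worker slot (assumption, not Apache's scoreboard)."""
    id: int
    state: str          # "READ", "WRITE", "KEEPALIVE" or "IDLE"
    state_since: float  # epoch seconds at the last state change


def select_disconnects(workers, max_workers, now):
    """Return ids of workers whose sockets the policy would disconnect.

    The policy only engages when every configured worker slot is busy,
    mirroring the "reaches the maximum set by configuration" condition.
    """
    busy = [w for w in workers if w.state != "IDLE"]
    if len(busy) < max_workers:
        return []

    victims = []
    for w in busy:
        age = now - w.state_since
        if w.state == "READ" and age > READ_TIMEOUT:
            victims.append(w.id)          # slow request sender
        elif w.state != "READ" and age > STALE_TIMEOUT:
            victims.append(w.id)          # stalled in some other state
    return victims


# Constructed scenario: four slots, all busy, timestamps relative to NOW.
NOW = 1_000_000.0
SCOREBOARD = [
    Worker(1, "READ", NOW - 30.0),        # has been reading headers for 30 s
    Worker(2, "READ", NOW - 0.2),         # fresh request, still within 1 s
    Worker(3, "WRITE", NOW - 200.0),      # response stalled for over 2 min
    Worker(4, "KEEPALIVE", NOW - 5.0),    # recent keep-alive, left alone
]


def demo_at_limit():
    # MaxClients of 4: all slots busy, policy engages.
    return select_disconnects(SCOREBOARD, max_workers=4, now=NOW)


def demo_below_limit():
    # MaxClients of 8: spare capacity, policy stays out of the way.
    return select_disconnects(SCOREBOARD, max_workers=8, now=NOW)


if __name__ == "__main__":
    print("at limit:", demo_at_limit())        # [1, 3]
    print("below limit:", demo_below_limit())  # []
```

Worker 2 in the scenario is a legitimate client that happens to be mid-request; it survives only because it is under the one-second threshold, which is exactly the trade-off the text acknowledges when it says some legitimate sockets may be cut.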

IMPORTANT: THIS PATCH IS CONSIDERED PROOF OF CONCEPT QUALITY!

The above patch will apply cleanly after some new functionality is applied to worker MPM (see: https://issues.apache.org/bugzilla/show_bug.cgi?id=48094). So, you will need to apply the following patch first:

Webalizer patch for mod_logio

This Webalizer 2.01-10 patch introduces the necessary logic for presenting the numbers collected by mod_logio in the reports. There are no special configuration options required: just patch the Webalizer, configure it with the options you prefer, build it, install it and use it.

Folks involved with Debian pointed out to me recently that the above may not be correct. Below is the patch for the above patch that fixes that issue (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=482771).

Apache 2.0 mod_logio.c

mod_logio.c is an Apache 2.0 module that uses filters to determine the number of input and output bytes per request. The patch also contains additions to config.mk, which enable this code to actually build and log. The patch is against Apache 2.0.43.

To enable the module, do this in the Apache source directory:

make distclean
./buildconf
./configure --enable-logio [...]
make
make install

The quick configuration is:

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio

The last two numbers in each record of the log file will be the number of bytes received and sent per request, including headers, status lines and the request itself. The logging is done before SSL/TLS decryption on input and after SSL/TLS encryption on output, so the numbers should be very accurate. The module is released under the Apache Software Licence. As of 28/09/2002, this module has been committed to Apache core, so if you're getting any release later than 2.0.43, you most likely already have it and therefore don't need this patch.

Below is the only patch you need.

These patches are now obsolete. DO NOT USE THEM! They are provided for historical purposes only.

The following patch fixes the output number of bytes for the connections that were interrupted (usually by the client). It should also handle pipelining of requests properly. You need to apply the above mod_logio patch first. It is only available for Apache 2.0.43.

This patch is now obsolete. DO NOT USE IT! It is provided for historical purposes only.

Apache I/O patches

UPDATE 28 Sep 2002: I do not recommend these patches any more because they are not entirely accurate. If you need this functionality, use mod_logio.c instead. This module only works in Apache 2.0.

These patches are against Apache 1.3.26 and Apache 2.0.40. They provide input and output bytes logging per request using an algorithm based upon mod_accounting by Simone Tellini (http://sourceforge.net/projects/mod-acct/). Unfortunately the algorithm is not entirely correct, although close enough. Hopefully, once the code becomes entirely correct, it might become part of official Apache 2.0. That's the goal, at least.

To use the functionality provided by the patches, have something like this in your Apache configuration file:

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio

The last two numbers in each record of the log file will be the number of bytes received and sent per request, including headers, status lines and request itself.
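The "combinedio" LogFormat is the same in the mod_logio section above and in this Apache I/O patches section, so one added example serves both. It is written for this page, not taken from mod_logio or the patches, and parses that exact format, pulling out the trailing %I and %O fields, treating the "-" that %b emits for an empty body as zero, skipping lines that do not match, and totalling bytes in and out per client address. The log lines are constructed for the example; the addresses, paths and byte counts are made up.

```python
import re
from collections import defaultdict

# Regular expression for the combinedio format:
# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i" %I %O
COMBINEDIO_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<body>-|\d+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)" (?P<bytes_in>\d+) (?P<bytes_out>\d+)$'
)


def parse_combinedio(line):
    """Parse one combinedio record into a dict, or return None if it does not match."""
    m = COMBINEDIO_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # %b logs "-" rather than 0 when no body was sent.
    rec["body"] = 0 if rec["body"] == "-" else int(rec["body"])
    rec["bytes_in"] = int(rec["bytes_in"])    # %I: everything received, headers included
    rec["bytes_out"] = int(rec["bytes_out"])  # %O: everything sent, headers included
    # Bytes on the wire beyond the body: headers, status line, TLS framing.
    rec["overhead_out"] = rec["bytes_out"] - rec["body"]
    return rec


def summarize(lines):
    """Total requests and I/O bytes per client host; count unparseable lines."""
    per_host = defaultdict(lambda: {"requests": 0, "bytes_in": 0, "bytes_out": 0})
    skipped = 0
    for line in lines:
        rec = parse_combinedio(line)
        if rec is None:
            skipped += 1
            continue
        entry = per_host[rec["host"]]
        entry["requests"] += 1
        entry["bytes_in"] += rec["bytes_in"]
        entry["bytes_out"] += rec["bytes_out"]
    return dict(per_host), skipped


# Constructed sample log (not real traffic): two hosts plus one garbage line.
SAMPLE_LOG = [
    '192.0.2.10 - - [28/Sep/2002:12:34:56 +1000] "GET /index.html HTTP/1.1" 200 1234 '
    '"-" "Mozilla/4.0" 412 1587',
    '192.0.2.10 - - [28/Sep/2002:12:34:57 +1000] "GET /missing HTTP/1.1" 404 - '
    '"-" "Mozilla/4.0" 380 520',
    '198.51.100.7 - alice [28/Sep/2002:12:35:01 +1000] "POST /upload HTTP/1.1" 200 57 '
    '"http://example.org/form" "curl/7.9" 20981 312',
    'this line is not in combinedio format',
]


if __name__ == "__main__":
    totals, skipped = summarize(SAMPLE_LOG)
    for host, t in totals.items():
        print(f"{host}: {t['requests']} requests, "
              f"{t['bytes_in']} bytes in, {t['bytes_out']} bytes out")
    print(f"skipped {skipped} unparseable line(s)")
```

The overhead_out field is the practical reason to log %O next to %b: it shows how much of what the server actually transmitted was headers and, where TLS is in use, encryption framing, which %b alone never accounts for.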