Are golang http servers(or can you make them) safe against slowloris DoS attacks?


Ed Pelc

Jan 4, 2015, 5:39:37 PM1/4/15
to golan...@googlegroups.com
I was reading about some different types of DoS attacks and found a story about how one computer was able to issue a few hundred requests that were artificially prolonged which would essentially DoS servers. This is known as a slowloris attack and can be applied to many protocols.

Naturally I wanted to ensure I was safe and I went googling about slowloris and go. However there are sadly very few things that came up having to do with go. Notably there was an issue from 2011 which appears to have been fixed. There's also a couple of old posts in the golang mailing list if you search for slow loris, but nothing recent, and they don't really confirm how or if you can fix this (besides putting something like nginx in front of your server).

So does anyone know if this really has been fixed, and if so how I can configure the proper read timeouts, or if I even have to/should configure them. I've found the http server has read/write timeout fields, but most of the slowloris related content I found mentions idle read/write timeouts being how this is exploited. Anyways, any clarification or help would be greatly appreciated, and at the very least maybe I popped this issue into your mind as, like I said before, this attack can be incorporated into many other protocols, but I was wondering about http.

James Bardin

Jan 4, 2015, 6:51:44 PM1/4/15
to golan...@googlegroups.com
Using the server's read and write timeouts is the default way to prevent this sort of attack. They are not idle timeouts, they are deadlines that apply to each request.

Brad Fitzpatrick

Jan 4, 2015, 7:17:13 PM1/4/15
to James Bardin, golang-nuts
Yes, set the Server.ReadTimeout (http://golang.org/pkg/net/http/#Server) for paranoid, Internet-facing servers. The default value doesn't have a timeout.

Go in general isn't as susceptible to Slowloris because goroutines are so much cheaper than e.g. Apache processes.

Even more paranoid users can implement custom policies via Server.ConnState (see http://golang.org/pkg/net/http/#ConnState) for max connections per-IP, per-state, etc.


On Sun, Jan 4, 2015 at 3:51 PM, James Bardin <j.ba...@gmail.com> wrote:
Using the server's read and write timeouts is the default way to prevent this sort of attack. They are not idle timeouts, they are deadlines that apply to each request.

--
You received this message because you are subscribed to the Google Groups "golang-nuts" group.
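As an added illustration of Brad's two suggestions (this is example code written for this thread, not code from the Go project or from any poster): per-request ReadTimeout/WriteTimeout on http.Server, and a Server.ConnState hook that caps concurrent connections per source IP. The 10-second deadlines and the per-IP cap are assumed values, and ipLimiter, count and newServer are names chosen here.

```go
package main

import (
	"net"
	"net/http"
	"sync"
	"time"
)

// ipLimiter is a Server.ConnState hook capping concurrent connections per remote IP.
type ipLimiter struct {
	mu       sync.Mutex
	maxPerIP int
	active   map[string]int      // ip -> admitted connections still open
	admitted map[net.Conn]string // conns we counted; a rejected conn's StateClosed must not decrement
}
func newIPLimiter(maxPerIP int) *ipLimiter {
	return &ipLimiter{maxPerIP: maxPerIP, active: map[string]int{}, admitted: map[net.Conn]string{}}
}
func (l *ipLimiter) connState(c net.Conn, s http.ConnState) {
	l.mu.Lock()
	defer l.mu.Unlock()
	switch s {
	case http.StateNew:
		ip, _, err := net.SplitHostPort(c.RemoteAddr().String())
		if err != nil { // e.g. net.Pipe addresses carry no port
			ip = c.RemoteAddr().String()
		}
		if l.active[ip] >= l.maxPerIP {
			c.Close() // the server still reports StateClosed for it; ignored below
			return
		}
		l.active[ip]++
		l.admitted[c] = ip
	case http.StateHijacked, http.StateClosed: // no StateClosed follows a hijack
		if ip, ok := l.admitted[c]; ok {
			delete(l.admitted, c)
			if l.active[ip]--; l.active[ip] == 0 {
				delete(l.active, ip)
			}
		}
	}
}
// count reports how many admitted connections ip currently has open.
func (l *ipLimiter) count(ip string) int { l.mu.Lock(); defer l.mu.Unlock(); return l.active[ip] }
// newServer sets per-request deadlines (not idle timers, as James notes) plus the per-IP hook.
func newServer(addr string, h http.Handler, lim *ipLimiter) *http.Server {
	return &http.Server{Addr: addr, Handler: h, ConnState: lim.connState,
		ReadTimeout: 10 * time.Second, WriteTimeout: 10 * time.Second}
}
```

A connection rejected in StateNew is closed before any header is read, so a slow client that opens many sockets from one address only ever holds maxPerIP of them open.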

Ed Pelc

Jan 4, 2015, 8:10:13 PM1/4/15
to golan...@googlegroups.com, j.ba...@gmail.com
Thank you for the info this will definitely help my paranoia.