On Sat, Jun 20, 2009 at 03:33:40PM +0300, luben karavelov wrote:

> J??r??me Loyet wrote:
> >this attack works great on apache but I was unable, yet, to make it
> >works on nginx (0.8.3).
> >
>
> On nginx it exhuases the available sockets. My setup is nginx-0.7.58
> with cofig: :
>
> worker_processes 4;
> worker_rlimit_nofile 5000;
> events {
> worker_connections 2048;
> use epoll;
> }
>
>
> and without the fixes I could DoS the server with:
> ./slowloris.pl -dns photomoment.bg -timeout 30 -num 10000 -tcpto 5
>
> exhausts available sockets and the server stops replying to new requests.

5000 and 2048 are too small values in modern Internet, I use usually
about 200,000.

You need to increase
1) OS sockets limit,
2) OS network memory limits (buffers, etc.)
3) OS files limit,
4) OS per process files limit (worker_rlimit_nofile),
5) and finally, nginx's worker_connections.


--
Igor Sysoev
http://sysoev.ru/en/