Frequently Asked Questions
Q: The original version of Slowloris had a limits of ~130 open connections when running on Windows. Does PyLoris have this limitation?
A: No, I have personally tested PyLoris with over 6000 connections and see no reason why it couldn't use more than that.
Q: I heard that PyLoris + Tor can only open ~30 connections. Is this correct?
A: No. I have successfully run PyLoris through a TOR proxy with over 3000 simultaneous connections.
Q: Isn't this form of attack just a SYN flood?
A: No; in a SYN flood you make half open connections. Mitigating such an attack only involves limting the number of half opened connections. PyLoris establishes full, valid connections at a very low bandwidth in order to use up all available connections on servers that restrict them.
Q: What about ipchains, mod_antiloris, and mod_noloris?
A: The iptables "fix" as well as mod_noloris both work by monitoring the number of concurrent connections from individual IP addresses. PyLoris can circumvent this by running through TOR. The Apache module mod_antiloris dynamically adjusts the timeout value on Apache servers. However, as per the Apache documentation: "The Timeout directive currently defines the amount of time Apache will wait for three things:
- The total amount of time it takes to receive a GET request.
- The amount of time between the receipt of TCP packets on a POST or PUT request.
- The amount of time between ACKs on transmission of TCP packets in responses."
Therefore, specifying a POST request as opposed to a GET request will nullify the affect of mod_antiloris.
Q: What about the Worker and Event MPMs?
A: Both the Worker and Event MPMs use more resources for maintaining connections than PyLoris uses to create them. Therefore, the odds are stacked against these Multi-Processing Modules.