Mitigating Slow HTTP Denial of Service Attacks on Nginx
Slow HTTP attacks (slow headers, slow POST bodies, slow reads) exploit the resources the server allocates for every open connection: each half-finished request ties up a slot in the connection pool, a worker, or buffer memory until it times out, and enough of them starve legitimate clients.
1. Mitigation Strategies (Nginx Level Defense)
1. Limit Request Header and Body Timeouts
Set reasonable timeout values to prevent long-term connection occupation.
http {
    # Limit the time to read client request headers (to prevent slow header attacks)
    client_header_timeout 10s;
    # Limit the time to read client request bodies (to prevent slow POST attacks)
    client_body_timeout 10s;
    # Close the connection if the client does not accept response data for this long (slow read)
    send_timeout 10s;
}
2. Limit Request Body Size
Prevent attackers from consuming memory with large POST requests:
http {
    client_max_body_size 10M;
}
3. Limit Concurrent Connections and Rate
Use the limit_conn and limit_req modules (the zones are declared at http level; the limit_conn and limit_req directives can be applied at http, server, or location level):
http {
    limit_conn_zone $binary_remote_addr zone=addr:10m;
    limit_conn addr 10; # Maximum 10 concurrent connections per IP
    limit_req_zone $binary_remote_addr zone=req_limit:10m rate=5r/s;
    limit_req zone=req_limit burst=10 nodelay; # 5 requests per second, with a burst of 10 served immediately
}
4. Enable Keepalive Timeout Limits
Prevent clients from holding connections for too long:
http {
    keepalive_timeout 15s;
    keepalive_requests 100;
}
5. Disable Unnecessary Slow Client Compatibility
Sometimes it is necessary to disable support for HTTP/1.0 or specific headers to reduce the attack surface. The example below rejects requests whose User-Agent matches a known slow-client tool; treat this as a cheap first filter only, since the User-Agent header is fully under the client's control and the timeouts and limits above are what actually stop the attack:
server {
    if ($http_user_agent ~* "slowloris") {
        return 403;
    }
}
6. Enable Firewall Layer Protection (Recommended)
Implement connection and rate limits at the OS level to significantly mitigate attacks:
Linux iptables example:
# Drop new connections from an IP that already holds more than 20 concurrent connections to port 80
iptables -A INPUT -p tcp --dport 80 -m connlimit --connlimit-above 20 -j DROP
# Record each new connection per source IP, then drop the source if it opens more than 10 in 2 seconds
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m recent --set
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 2 --hitcount 10 -j DROP
7. Use Reverse Proxy Layer or WAF
For example:
- Cloudflare / Tencent Cloud Web Firewall / Alibaba Cloud WAF: automatically identifies slow connection attacks.
- Nginx Proxy / CDN Cache Layer: absorbs requests at the edge, protecting the origin server.
8. Enable Nginx Worker Connection Protection
Size the per-worker connection pool so that a burst of held-open connections cannot exhaust a worker (these directives set capacity, not per-IP limits; the per-IP cap comes from limit_conn above):
events {
    worker_connections 1024;
    multi_accept on;
}
2. Diagnosis and Monitoring
Slow connections can be detected by counting sockets on the web port by state with the following command (on systems without netstat, ss -tan produces equivalent output):
netstat -an | grep :80 | awk '{print $6}' | sort | uniq -c
If a large number of SYN_RECV or ESTABLISHED connections are found that are not being released for a long time, it is indicative of a slow attack.
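Going one step beyond the one-liner above, this added example (not part of the original post) parses netstat output and also groups ESTABLISHED connections by remote IP, which is what distinguishes one client holding many idle connections from ordinary traffic. The sample output is constructed, not captured from a real host.

```python
import re
from collections import Counter

# Constructed sample of `netstat -an` output (not from a real host).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:80             203.0.113.7:51001       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51002       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51003       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51004       ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.2:40001      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.9:40002      TIME_WAIT
tcp        0      0 10.0.0.5:443            198.51.100.3:40003      ESTABLISHED
tcp        0      0 10.0.0.5:80             192.0.2.44:33000        SYN_RECV
"""

# One netstat row: proto, recv-q, send-q, local, foreign, state
LINE_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+(\S+)$")

def parse_netstat(text, port=80):
    """Yield (remote_ip, state) for sockets whose local port matches."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header line or non-TCP row
        local, remote, state = m.groups()
        # rsplit keeps IPv6 addresses (which contain ':') intact
        if local.rsplit(":", 1)[-1] != str(port) or state == "LISTEN":
            continue
        yield remote.rsplit(":", 1)[0], state

def summarize(text, port=80):
    """Return (per-state counts, per-IP ESTABLISHED counts) for the port."""
    states, per_ip = Counter(), Counter()
    for ip, state in parse_netstat(text, port):
        states[state] += 1
        if state == "ESTABLISHED":
            per_ip[ip] += 1
    return states, per_ip

def suspicious_ips(text, port=80, threshold=3):
    """IPs holding more than `threshold` ESTABLISHED connections to the port."""
    _, per_ip = summarize(text, port)
    return sorted(ip for ip, n in per_ip.items() if n > threshold)
```

The threshold is illustrative: browsers legitimately open several connections per host, so compare snapshots over time and look for remote IPs whose ESTABLISHED count stays high without corresponding entries in the access log.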
3. Additional Hardening (Advanced)
- Use fail2ban to automatically ban suspicious IPs;
- Configure systemd socket timeouts;
- Add rate limiting to POST or upload endpoints (e.g., the Nginx upload module, or Lua rate-limiting logic);
- Enable HTTP/2 (which multiplexes requests over a single connection, mitigating the impact of slow connections).