mod_limitipconn doesn't work, because there is no completed request for a connection. There was a handshake and part of the request is sent, but does Apache see that as a connection? I think not.
Apache (and any other server) should expect a full request within a time frame. A header set should not take long to load over a normal network. If the header is not completed after a while, disconnect the request. This also helps for requests that have not been set up for a DoS too.
I'm not an expert, but for me, I would look into the header completion part and not into limiting connections or whatever. If I had the knowledge, I would try to hack it into the Apache source code, but I can't.
mod_limitipconn doesn't work, because there is no completed request for a connection. There was a handshake and part of the request is sent, but does Apache see that as a connection? I think not.
You're confusing this with a SYN flood, which works at the IP level, not the userspace level, and for which a connection limit in user space would indeed be ineffective.
In this attack, data is already transmitted, but it is incomplete, so the server can't act upon the request, and Apache does hold that connection.
Apache (and any other server) should expect a full request within a time frame. A header set should not take long to load over a normal network. If the header is not completed after a while, disconnect the request. This also helps for requests that have not been set up for a DoS too.
I'm not an expert, but for me, I would look into the header completion part and not into limiting connections or whatever. If I had the knowledge, I would try to hack it into the Apache source code, but I can't.
- Unomi -
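The header-completion deadline proposed in the thread, as an added example that is neither Apache code nor any poster's own: a reader that accepts a request head only if its terminating blank line arrives within one overall deadline (not a per-read timeout, which a trickling client would reset each time) and otherwise gives up so the caller can close the connection. The socketpair harness, the `example.test` host and the 8192-byte cap are constructed for the demonstration.

```python
import socket
import threading
import time


def read_headers(conn, deadline_seconds, max_bytes=8192):
    """Return the raw request head once its terminating blank line arrives
    within deadline_seconds of the first read; None if the client stalls,
    closes early, or exceeds max_bytes (caller then closes the connection)."""
    deadline = time.monotonic() + deadline_seconds
    buf = bytearray()
    while True:
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            return None
        conn.settimeout(remaining)  # one overall deadline, not a per-read one
        try:
            chunk = conn.recv(4096)
        except socket.timeout:
            return None
        if not chunk:
            return None  # peer closed before completing the head
        buf += chunk
        end = buf.find(b"\r\n\r\n")
        if end != -1:
            return bytes(buf[:end + 4])
        if len(buf) > max_bytes:
            return None  # still no blank line: refuse to buffer more

def serve_simulated_client(chunks, delay, deadline_seconds):
    """Constructed harness: feed chunks to read_headers over a socketpair,
    pausing delay seconds between chunks to imitate a slow sender."""
    server_side, client_side = socket.socketpair()
    def client():
        try:
            for chunk in chunks:
                client_side.sendall(chunk)
                time.sleep(delay)
        except OSError:
            pass  # server side already gave up and closed
        finally:
            client_side.close()
    threading.Thread(target=client, daemon=True).start()
    try:
        return read_headers(server_side, deadline_seconds)
    finally:
        server_side.close()

# Constructed inputs: a normal request, and a client that trickles header
# lines without ever sending the blank line that ends the head.
NORMAL = [b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"]
SLOW = [b"GET / HTTP/1.1\r\nHost: example.test\r\n"] + [b"X-a: b\r\n"] * 20
```

Apache implements this same idea in mod_reqtimeout (the RequestReadTimeout directive), so on a real server that module, not a patch to the core, is where the deadline belongs.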