Information
The RequestReadTimeout directive allows configuration of timeout limits for client requests. The header portion of the directive provides for an initial timeout value, a maximum timeout and a minimum rate. The minimum rate specifies that after the initial timeout, the server will wait an additional 1 second for each N bytes received. The recommended setting is to have a maximum timeout of 40 seconds or less. Keep in mind that for SSL/TLS virtual hosts the time for the TLS handshake must fit within the timeout.
Rationale:
Setting a request header timeout is vital for mitigating Denial of Service attacks based on slow requests. The slow request attacks are particularly lethal and relatively easy to perform, because they require very little bandwidth and can easily be done through anonymous proxies. Starting in June 2009 with the Slow Loris DoS attack, which used a slow GET request as published by Robert Hansen (RSnake) on his blog http://ha.ckers.org/slowloris/. Later in November 2010 at the OWASP App Sec DC conference Wong Onn Chee demonstrated a slow POST request attack which was even more effective. For details, see: https://www.owasp.org/index.php/H.....t.....t....p.......p....o....s....t
Solution
Perform the following to implement the recommended state:
Load the mod_requesttimeout module in the Apache configuration with the following configuration.
LoadModule reqtimeout_module modules/mod_reqtimeout.so
Add a RequestReadTimeout directive similar to the one below with the maximum request header timeout value of 40 seconds or less.
RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
Default Value:
header=20-40,MinRate=500