HIDS 31102
Rule 31102 | |
---|---|
Status | Active |
Alert Message | ModSecurity: Access denied with code 400. Too many threads |
Description
This rule is triggered when a single IP has opened too many connections to the server (11 or more) and they are in a READ state. This condition is extremely unusual for a normal client, and occurs when an attacker is trying to use up all the threads on the server to prevent it from servicing any other clients. This is what happens during a slowloris attack.
This rule does not block anything; it simply reports when Apache has stopped accepting READ requests from a client. You can configure this limit by following the Tuning Guidance below.
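The condition described above can be checked by hand against a list of worker slots. The following is an added example, not ASL or ModSecurity code: the three-column snapshot format, the sample addresses and the function names are constructed for illustration, and the trigger of 11 is the figure given in the description.

```python
import ipaddress
from collections import Counter

# Per the rule description: 11 or more READ-state connections from one IP.
READ_TRIGGER = 11

def build_sample():
    """Constructed snapshot, one worker per line: "<slot> <mode> <client>".
    Mode letters follow the Apache scoreboard key: R = reading request,
    W = sending reply, K = keepalive, _ = idle."""
    lines = [f"{i} R 203.0.113.7" for i in range(12)]        # slow client
    lines += [f"{12 + i} R 2001:db8::1" for i in range(3)]   # ordinary client
    lines += ["15 W 198.51.100.4", "16 K 203.0.113.7", "17 _ -", "garbage"]
    # Same IPv6 address written in expanded form; must merge with 2001:db8::1.
    lines += ["18 R 2001:0db8:0000:0000:0000:0000:0000:0001"]
    return "\n".join(lines)

def read_state_counts(snapshot):
    """Count workers in READ state per client, skipping malformed lines."""
    counts = Counter()
    for line in snapshot.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[1] != "R":
            continue  # only READ-state workers count toward the limit
        try:
            ip = ipaddress.ip_address(parts[2])
        except ValueError:
            continue  # idle slot placeholder or unparsable client field
        counts[str(ip)] += 1  # str() gives one canonical form per address
    return counts

def offenders(snapshot, trigger=READ_TRIGGER):
    """Clients at or above the trigger, highest count first."""
    counts = read_state_counts(snapshot)
    hits = [(ip, n) for ip, n in counts.items() if n >= trigger]
    return sorted(hits, key=lambda item: -item[1])

if __name__ == "__main__":
    for ip, n in offenders(build_sample()):
        print(f"{ip}: {n} connections in READ state (trigger {READ_TRIGGER})")
```

Connections from the same client in other states (W, K) do not count toward the trigger, which is why 203.0.113.7 is reported with 12 rather than 13.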
Troubleshooting
False Positives
The rule alerts when the configured WAF_READSTATELIMIT value is exceeded. The rule does not cause this event to occur. Disabling this rule will not stop the event from occurring; it will only prevent ASL from alerting you that it is occurring. See below for tuning guidance.
Tuning Guidance
This limit is configured by this setting:
https://www.atomicorp.com/wiki/index.php/ASL_WAF#WAF_READSTATELIMIT
Additional Information
Similar Rules
None.
Knowledge Base Articles
None.
Outside References
None.