HIDS 31102
From Atomicorp Wiki
| Rule 31102 | |
|---|---|
| Status | Active |
| Alert Message | ModSecurity: Access denied with code 400. Too many threads |
Description
This rule is triggered when a single IP has opened too many connections to the server (11 or more) and they are in a READ state. This condition is extremely unusual for a normal client; it occurs when an attacker is trying to use up all the threads on the server to prevent it from servicing any other clients, as happens during a slowloris attack.
This rule does not block anything; it simply reports when Apache has stopped accepting READ requests from a client.
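The condition this rule reports on, shown as an added example that is not part of the Atomicorp rule or the original page: it counts workers in READ state per client IP over a constructed worker snapshot and lists clients at or above the threshold of 11 given above. The three-column snapshot layout, `READ_LIMIT`, and the function names are assumptions made for illustration.

```python
from collections import Counter

READ_LIMIT = 11  # from the page: 11 or more READ-state threads from one IP

# Constructed worker snapshot, one "slot mode client" row per worker.
# Mode letters follow Apache mod_status: R = reading request, W = sending
# reply, K = keepalive, _ = idle. The three-column layout is an assumption.
SAMPLE_SNAPSHOT = "\n".join(
    [f"{i} R 203.0.113.7" for i in range(12)]          # 12 workers held in READ
    + [f"{12 + i} R 198.51.100.20" for i in range(3)]  # 3 reads, under the limit
    + ["15 W 198.51.100.20", "16 K 192.0.2.44", "17 _ -", "18 R 192.0.2.44"]
)


def read_state_by_ip(snapshot):
    """Count workers in READ state ('R') per client IP."""
    counts = Counter()
    for line in snapshot.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip blank or malformed rows
        _slot, mode, client = fields
        if mode == "R" and client != "-":
            counts[client] += 1
    return counts


def over_limit(snapshot, limit=READ_LIMIT):
    """Return {ip: count} for clients holding `limit` or more READ workers."""
    return {ip: n for ip, n in read_state_by_ip(snapshot).items() if n >= limit}


if __name__ == "__main__":
    for ip, n in sorted(over_limit(SAMPLE_SNAPSHOT).items()):
        print(f"{ip}: {n} workers in READ state (limit {READ_LIMIT})")
```
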
Troubleshooting
False Positives
There are no known false positives with this rule. The rule looks for 11 or more threads from a single client IP in the READ state.
Tuning Guidance
None.
Additional Information
Similar Rules
None.
Knowledge Base Articles
None.
Outside References
None.