How to avoid Slowloris DoS Attack?

[josecelano]

Relates to: tokio-rs/axum#2716

Does ActixWeb close a connection if the client sends no requests after opening the connection?

I want to know if there is a timeout for this case:

1. The client opens a connection.
2. The client does not send any requests at all.
3. After 5 minutes, the server closes the connection.

I've seen 4 options in the configuration:

• client_request_timeout
• client_disconnect_timeout
• tls_handshake_timeout
• https://actix.rs/docs/server/#keep-alive

https://docs.rs/actix-web/latest/actix_web/struct.HttpServer.html#method.client_request_timeout

I guess what I'm looking for is something like client_request_timeout. However, it seems that the timeout requires that the client starts sending the headers for the first request. What happens if the client does not send any headers at all?

I've created a sample repo to reproduce the setup described above:

https://github.com/josecelano/axum-server-timeout

The client:

1. Opens a connection and waits for 15 seconds.
2. Sends a normal request.
3. Sends a slow request. "Slow" means headers are sent one byte at a time, waiting 1 second between bytes. I want to force a timeout for sending the headers on the server.

This is the output:

Connected to the server: http://127.0.0.1:3000!
Sleeping 15 seconds ...
New request ...
Response OK: 107 bytes
HTTP/1.1 408 Request Timeout
content-length: 0
connection: close
date: Wed, 17 Apr 2024 17:18:43 GMT


New request ...
thread 'main' panicked at examples/client.rs:53:10:
Failed to write to stream: Os { code: 32, kind: BrokenPipe, message: "Broken pipe" }
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

Despite waiting 15 seconds before sending the first request, the server doesn't close the connection. The client receives a HTTP/1.1 408 Request Timeout for the first request. However, I would expect the connection to be closed.

I guess, two things are happening (I would like to confirm that):

1. ActixWeb does not close the connection if the client does not send any request. It closes the connection after receiving the first request if receiving the first request takes longer than the timeout (default to 5 minutes),
2. If point 1 is true ActixWeb does not mitigate the Slowloris DoS Attack.

On the other hand, when I use telnet instead of my example, it seems to work as I expect. If I set a client_request_timeout to 5 seconds:

use std::time::Duration;

use actix_web::{web, App, HttpResponse, HttpServer, Responder};

async fn hello() -> impl Responder {
    println!("New request ...");
    HttpResponse::Ok().body("Hello world!")
}

#[actix_web::main]
async fn main() -> std::io::Result<()> {
    println!("Starting server on: http://127.0.0.1:3000 ..."); // DevSkim: ignore DS137138

    HttpServer::new(|| App::new().route("/", web::get().to(hello)))
        .bind(("127.0.0.1", 3000))?
        .client_request_timeout(Duration::from_secs(5))
        .run()
        .await
}

When I use telnet:

$ telnet localhost 3000
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
HTTP/1.1 408 Request Timeout
content-length: 0
connection: close
date: Fri, 19 Apr 2024 06:14:18 GMT

Connection closed by foreign host.

After 5 seconds, the connection is closed, and I receive the HTTP/1.1 408 Request Timeout.

I can even make a request by sending these headers:

GET / HTTP/1.1
Host: localhost

And after 5 seconds of not sending any request, the connection is closed, and I receive the HTTP/1.1 408 Request Timeout.

How can I receive the HTTP/1.1 408 Request Timeout if I'm not sending any requests?