Releases: Deltik/mod_antiloris
v0.8.2 (2024-10-09)
Fixed
- `ExemptIPs` allowlist insertion bug that erroneously lost track of some IP range branches when splitting a node during insertion (#4)
- Inaccurate descriptions of the `ExemptIPs`, `WhitelistIPs`, and `LocalIPs` directives in the module's built-in documentation
Changed
- Removed the unused `auto_convert_ipv4_to_ipv6()` function. `parse_ip_address()` already handles both IPv6 and IPv4-mapped IPv6 addresses.
v0.8.1 (2024-09-06)
Fixed
- Null pointer dereference crash when a connection is suspended and the scoreboard handle is removed (#3)
v0.8.0 (2024-08-03)
Changed
- Renamed the `WhitelistIPs` directive to `ExemptIPs` to clarify that it exempts IP addresses from mitigation. `WhitelistIPs` and the even older `LocalIPs` are still supported as aliases for backwards compatibility.
- Implemented a new Slowloris mitigation IP address allowlist that dramatically reduces memory consumption and enhances performance.

  The roaring bitmaps previously used to store IP addresses exempt from Slowloris mitigation have been replaced with a more efficient PATRICIA trie data structure.

  Benchmark results for a vanilla Debian 12 Apache HTTP Server version 2.4.61 with mod_antiloris configured using `ExemptIPs 173.245.48.0/20 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 141.101.64.0/18 108.162.192.0/18 190.93.240.0/20 188.114.96.0/20 197.234.240.0/22 198.41.128.0/17 162.158.0.0/15 104.16.0.0/13 104.24.0.0/14 172.64.0.0/13 131.0.72.0/22 2400:cb00::/32 2606:4700::/32 2803:f800::/32 2405:b500::/32 2405:8100::/32 2a06:98c0::/29 2c0f:f248::/32`:

  | mod_antiloris version | Memory usage (idle) | Memory usage (under DoS attack from 1 IP) |
  |---|---|---|
  | Not installed | 56.2 MiB | 151.9 MiB |
  | 0.7.2 | 5342.2 MiB | 5352.0 MiB |
  | 0.8.0 | 56.8 MiB | 64.8 MiB |

  mod_antiloris and its configuration now occupy a mere 0.6 MiB of memory, down from 5,286 MiB in the previous version with identical settings. This represents a massive 99.988% reduction in memory footprint.

  The module's initialization speed has also been substantially improved, as evidenced by repeated executions of `time systemctl restart apache2.service`:

  | mod_antiloris version | N | min (s) | q1 (s) | median (s) | q3 (s) | max (s) | mean (s) | stddev (s) |
  |---|---|---|---|---|---|---|---|---|
  | Not installed | 100 | 0.086000 | 0.100000 | 0.105000 | 0.110000 | 0.119000 | 0.105060 | 0.006718 |
  | 0.7.2 | 100 | 0.818000 | 0.837750 | 0.851000 | 0.868500 | 1.037000 | 0.858580 | 0.033554 |
  | 0.8.0 | 100 | 0.088000 | 0.103750 | 0.108000 | 0.111250 | 0.126000 | 0.107220 | 0.006532 |

  Configured with the same directives, mod_antiloris 0.8.0 slashes the startup time overhead by over 99.7% compared to its predecessor.

  Crucially, the new algorithm maintains the performance of HTTP requests, as demonstrated by timing the retrieval of a static HTML file over 100,000 iterations with 10 concurrent connections:

  | mod_antiloris version | N | min (s) | q1 (s) | median (s) | q3 (s) | max (s) | mean (s) | stddev (s) |
  |---|---|---|---|---|---|---|---|---|
  | Not installed | 100000 | 0.000573 | 0.001035 | 0.001123 | 0.001231 | 0.008474 | 0.001170 | 0.000300 |
  | 0.7.2 | 100000 | 0.000539 | 0.001068 | 0.001166 | 0.001287 | 0.010362 | 0.001212 | 0.000314 |
  | 0.8.0 | 100000 | 0.000510 | 0.001054 | 0.001146 | 0.001260 | 0.011931 | 0.001197 | 0.000312 |
- Improved the parsing of IP addresses by eliminating string mutations and reducing the number of memory allocations
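The allowlist rewrite above swaps roaring bitmaps for a PATRICIA trie, and v0.8.2 later fixed a branch lost while splitting a node during insertion. The following is an added example, not mod_antiloris's own code, of how such a structure behaves: a path-compressed binary trie over 128-bit keys, with IPv4 prefixes stored in the IPv4-mapped IPv6 form that the v0.8.2 note mentions so that one key space covers both families (an assumption made for this example, not a statement about the module's internals), an insert whose split case re-attaches the existing subtree, and a lookup. The function names (`exempt_add`, `exempt_contains`, `build_demo_trie`) are this example's; the sample ranges come from the benchmark list above except for the two constructed `10.0.0.0/8` entries.

```c
/* Added example, not mod_antiloris code: a path-compressed binary trie (PATRICIA
 * style) of exempt IP ranges, with IPv4 kept as ::ffff:a.b.c.d (prefix len + 96). */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
typedef struct node {
    uint8_t key[16];        /* only the first `bits` bits are meaningful */
    int bits;               /* prefix length at this node, 0..128 */
    int exempt;             /* 1 if an inserted range ends exactly here */
    struct node *child[2];  /* branch on bit number `bits` of the key */
} node;

static int get_bit(const uint8_t *k, int i) { return (k[i / 8] >> (7 - i % 8)) & 1; }
static int common_bits(const uint8_t *a, const uint8_t *b, int max) { /* shared leading bits */
    int i = 0;
    while (i < max && get_bit(a, i) == get_bit(b, i)) i++;
    return i;
}

static node *new_node(const uint8_t *key, int bits, int exempt) {
    node *n = calloc(1, sizeof *n); if (!n) abort();
    memcpy(n->key, key, 16); n->bits = bits; n->exempt = exempt;
    return n;
}

/* Insert a prefix. In the split case the existing subtree must be re-hung under
 * the new intermediate node; losing that branch is the class of defect #4 fixed. */
static void insert(node **slot, const uint8_t *key, int bits) {
    node *n = *slot;
    if (!n) { *slot = new_node(key, bits, 1); return; }
    int c = common_bits(n->key, key, n->bits < bits ? n->bits : bits);
    if (c == n->bits) {                       /* new prefix lies inside n's prefix */
        if (bits == n->bits) { n->exempt = 1; return; }
        if (n->exempt) return;                /* already covered by a broader range */
        insert(&n->child[get_bit(key, n->bits)], key, bits);
        return;
    }
    node *mid = new_node(key, c, c == bits);  /* exempt if new range is n's ancestor */
    mid->child[get_bit(n->key, c)] = n;       /* keep the existing branch */
    if (c < bits) mid->child[get_bit(key, c)] = new_node(key, bits, 1);
    *slot = mid;
}

/* Walk down while the address still matches each node's prefix. */
static int lookup(const node *n, const uint8_t *key) {
    while (n) {
        if (common_bits(n->key, key, n->bits) != n->bits) return 0;
        if (n->exempt) return 1;
        n = n->child[get_bit(key, n->bits)];  /* non-exempt nodes always have bits < 128 */
    }
    return 0;
}

/* Parse "addr" or "addr/len" of either family into a 128-bit key and length. */
static int parse_cidr(const char *s, uint8_t *key, int *bits) {
    char buf[64], *end = NULL;
    const char *slash = strchr(s, '/');
    size_t n = slash ? (size_t)(slash - s) : strlen(s);
    struct in6_addr a6; struct in_addr a4; int is4;
    if (n >= sizeof buf) return 0;
    memcpy(buf, s, n); buf[n] = '\0';
    if (inet_pton(AF_INET6, buf, &a6) == 1) { memcpy(key, &a6, 16); is4 = 0; }
    else if (inet_pton(AF_INET, buf, &a4) == 1) {
        memset(key, 0, 16); key[10] = key[11] = 0xff; memcpy(key + 12, &a4, 4); is4 = 1;
    } else return 0;
    long len = slash ? strtol(slash + 1, &end, 10) : (is4 ? 32 : 128);
    if (slash && (end == slash + 1 || *end)) return 0;  /* reject "/", "/abc", "/8x" */
    if (len < 0 || len > (is4 ? 32 : 128)) return 0;
    *bits = (int)len + (is4 ? 96 : 0);
    return 1;
}

int exempt_add(node **root, const char *cidr) {
    uint8_t key[16]; int bits;
    if (!parse_cidr(cidr, key, &bits)) return 0;
    insert(root, key, bits); return 1;
}
int exempt_contains(const node *root, const char *ip) {
    uint8_t key[16]; int bits;
    if (!parse_cidr(ip, key, &bits) || bits != 128) return 0;  /* host address only */
    return lookup(root, key);
}

/* Constructed sample: four ranges from the v0.8.0 benchmark list plus two made-up
 * 10/8 entries, ordered so that a broader range arrives after a narrower one. */
node *build_demo_trie(void) {
    static const char *const ranges[] = { "104.16.0.0/13", "104.24.0.0/14",
        "173.245.48.0/20", "2606:4700::/32", "10.1.0.0/16", "10.0.0.0/8" };
    node *root = NULL;
    for (size_t i = 0; i < sizeof ranges / sizeof *ranges; i++) exempt_add(&root, ranges[i]);
    return root;
}

int main(void) {
    node *root = build_demo_trie();
    printf("104.17.5.6 -> %d, 104.32.0.1 -> %d\n", exempt_contains(root, "104.17.5.6"), exempt_contains(root, "104.32.0.1"));
    return 0;
}
```

Each stored range costs one leaf plus at most one intermediate node, and a lookup visits at most one node per prefix bit, which is where the memory and startup gains over a bitmap of the whole address space come from. The split path is the one to exercise in tests: insert a narrower range before a broader one and the other way round, then probe addresses on both sides of the split.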
v0.7.2 (2024-07-24)
Fixed
- `WhitelistIPs` directive memory leak when reloading the Apache HTTP Server configuration (`systemctl reload apache2.service`, `httpd -k graceful`, or similar) (#2)
v0.7.1 (2023-06-25)
Changed
- Removed unused variables from ignore list structure for very minor memory and time savings
Fixed
- A global variable (the Apache Portable Runtime pool) was breaking compilation, so it is now a local variable that is passed down as needed. (#1)
v0.7.0 (2019-08-12)
Added
- `IPTotalLimit` directive: Maximum simultaneous connections in any state per IP address
- `WhitelistIPs` directive: Space-delimited list of IPv4 and IPv6 addresses, ranges, or CIDRs which should not be subjected to any limits by mod_antiloris
Changed
- `LocalIPs` is now an alias of `WhitelistIPs`, but `WhitelistIPs` overrides `LocalIPs`. The implementations of both directives are now the same.
Fixed
- Various connection slot states considered "other" were not being counted. They were:
  - `SERVER_BUSY_LOG`
  - `SERVER_BUSY_DNS`
  - `SERVER_CLOSING`
  - `SERVER_GRACEFUL`
- Off-by-one bug allowed one more connection than defined in the limits directives
- Invalid return code could be returned by the `ap_hook_process_connection` hook
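The two counting fixes above (uncounted "other" states and the off-by-one in the limit check) can be seen together in this added example, which is not mod_antiloris code. It models a handful of scoreboard slots with a constructed enum whose names follow httpd's `SERVER_*` states, tallies the slots a client already holds into read, write, other and total buckets (the bucket names are this example's, loosely after the per-vector limits of v0.6.0 and the `IPTotalLimit` directive), and contrasts the admission comparison that honours a limit of L with the one that lets an (L + 1)-th connection through. The assumption that the connection being admitted is not yet among the held slots is this example's, not a description of where the module performs its count.

```c
/* Added example, not mod_antiloris code: count a client's scoreboard slots by
 * state and apply per-IP limits without an off-by-one in the comparison. */
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for httpd's scoreboard states (names follow
 * scoreboard.h; the numeric values here are arbitrary). */
enum slot_state { S_DEAD, S_STARTING, S_READY, S_BUSY_READ, S_BUSY_WRITE,
                  S_BUSY_KEEPALIVE, S_BUSY_LOG, S_BUSY_DNS, S_CLOSING, S_GRACEFUL };

struct slot { enum slot_state state; const char *client_ip; };
struct counts { int read, write, other, total; };

/* Count the slots `ip` already holds. Every in-use state that is neither a read
 * nor a write lands in "other"; that bucket must include BUSY_LOG, BUSY_DNS,
 * CLOSING and GRACEFUL, the states the v0.7.0 fix added to the count. */
struct counts count_for_ip(const struct slot *slots, int n, const char *ip) {
    struct counts c = {0, 0, 0, 0};
    for (int i = 0; i < n; i++) {
        if (!slots[i].client_ip || strcmp(slots[i].client_ip, ip) != 0) continue;
        switch (slots[i].state) {
        case S_DEAD: case S_STARTING: case S_READY:
            continue;                          /* no client holds this slot */
        case S_BUSY_READ:  c.read++;  break;
        case S_BUSY_WRITE: c.write++; break;
        default:           c.other++; break;   /* keepalive, log, dns, closing, graceful */
        }
        c.total++;
    }
    return c;
}

/* Admission check for a NEW connection, assuming `held` counts only the slots
 * the client already occupies. The new connection would be the (held + 1)-th,
 * so a limit of L is honoured by rejecting at held >= L. A limit of 0 means
 * "unlimited" by this example's convention. */
int admit(struct counts held, int read_limit, int write_limit, int other_limit, int total_limit) {
    if (read_limit  && held.read  >= read_limit)  return 0;
    if (write_limit && held.write >= write_limit) return 0;
    if (other_limit && held.other >= other_limit) return 0;
    if (total_limit && held.total >= total_limit) return 0;
    return 1;
}

/* The comparison that lets one connection too many through: with held == L it
 * still admits, so the client ends up holding L + 1 slots. */
int admit_off_by_one(struct counts held, int total_limit) {
    return !(total_limit && held.total > total_limit);
}

/* Constructed scoreboard snapshot; both addresses are documentation ranges. */
#define SAMPLE_N 8
const struct slot sample_slots[SAMPLE_N] = {
    { S_BUSY_READ,  "198.51.100.7" }, { S_BUSY_READ,  "198.51.100.7" },
    { S_BUSY_LOG,   "198.51.100.7" }, { S_CLOSING,    "198.51.100.7" },
    { S_READY,      NULL           }, { S_BUSY_WRITE, "203.0.113.9"  },
    { S_GRACEFUL,   "198.51.100.7" }, { S_DEAD,       NULL           },
};

int main(void) {
    struct counts a = count_for_ip(sample_slots, SAMPLE_N, "198.51.100.7");
    printf("198.51.100.7: read=%d write=%d other=%d total=%d; admit at total limit 5: %d (off-by-one version: %d)\n",
           a.read, a.write, a.other, a.total, admit(a, 0, 0, 0, 5), admit_off_by_one(a, 5));
    return 0;
}
```

With the sample snapshot the client holds two reads and three "other" slots (log, closing, graceful); a total limit of 5 must refuse the sixth connection, and a version that counted only read and write slots would see two and refuse nothing.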
v0.6.0 (2014-09-09)
Added
- Added configuration for adjustable limits based on the different vectors (@NewEraCracker)
- Added option to ignore local IPs (@NewEraCracker)
v0.5.2 (2012-04-28)
Changed
- Removed a few non-attackable vectors (@NewEraCracker)
Fixed
- Improved Apache 2.4 compatibility (@NewEraCracker)
v0.5.1 (2012-02-19)
Fixed
- Initial Apache 2.4.x compatibility (@diovoemor)
v0.5.0 (2011-09-09)
Added
- Added coverage of other attack vectors similar to Slowloris, not only Slowloris itself. (@NewEraCracker)