这是slowloris攻击还是不？

除了最后一个八位字节之外，IP隐藏在apache日志中用于隐私。 /结算是我们的应用程序开始页面。但它发送POST请求并没有任何意义，并得到500响应。

或者，也许这是合法的旧IE 7浏览器谁不能处理我们的网站，ant设置成循环？

有大约20000个这样的请求

xx.xx.xx.223 - - [30/May/2014:13:40:54 +0200] "POST /billing HTTP/1.1" 500 613 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)" xx.xx.xx.223 - - [30/May/2014:13:40:54 +0200] "POST /billing HTTP/1.1" 500 613 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)" xx.xx.xx.223 - - [30/May/2014:13:40:54 +0200] "POST /billing HTTP/1.1" 500 613 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)" xx.xx.xx.223 - - [30/May/2014:13:40:54 +0200] "POST /billing HTTP/1.1" 500 613 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)" xx.xx.xx.223 - - [30/May/2014:13:40:55 +0200] "POST /billing HTTP/1.1" 500 613 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)" xx.xx.xx.223 - - [30/May/2014:13:40:55 +0200] "POST /billing HTTP/1.1" 500 613 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)" xx.xx.xx.223 - - [30/May/2014:13:40:56 +0200] "POST /billing HTTP/1.1" 500 613 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)" xx.xx.xx.223 - - [30/May/2014:13:40:56 +0200] "POST /billing HTTP/1.1" 500 613 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)" xx.xx.xx.223 - - [30/May/2014:13:40:56 +0200] "POST /billing HTTP/1.1" 500 613 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)" xx.xx.xx.223 - - [30/May/2014:13:40:56 +0200] "POST /billing HTTP/1.1" 500 613 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)" xx.xx.xx.223 - - [30/May/2014:13:40:58 +0200] "POST /billing HTTP/1.1" 500 613 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)" xx.xx.xx.223 - - [30/May/2014:13:40:58 +0200] "POST /billing HTTP/1.1" 500 613 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)" xx.xx.xx.223 - - [30/May/2014:13:40:58 +0200] "POST /billing HTTP/1.1" 500 613 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)" xx.xx.xx.223 - - [30/May/2014:13:40:59 +0200] "POST /billing HTTP/1.1" 500 613 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)"

这似乎不是一个slowloris攻击，至less不是基于你已经发布的日志文件（每秒3个请求不是很多，他们是错误的，不被公开）。
它可能是其他的东西 – 检查你的错误日志，了解更多关于为什么请求失败的信息。

正如其他人所指出的，我们无法在没有更多信息的情况下明确排除slowloris（具体来说， netstat输出显示了您的系统与主题IP有多less同时连接）。
大量的同时连接（和/或错误日志显示连接超时而不是由于某些其他原因而错误出现）将表明这实际上是一个slowloris攻击。

这是一个慢Loris：
可爱的懒惰
这与我的答案没有关系 – 我只是想借一个可爱的懒散图片。

我发现使用包含%D的LogFormat很有用。这将告诉你处理请求需要多less微秒。它不会告诉你时间是在服务器端处理还是在等待客户端。但至less它会告诉你哪些请求花了很长时间，而这些通常是值得调查的。