9

I thought my server was safe with http-guardian, but apparently not. Some smart arse keeps hitting my server with 'Keep-Dead' and causing it to crash.

I've looked through the logs but can't see any way to tell the requests apart from a regular visitor whose browser is quickly loading all the components on a busy page.

Any advice would be appreciated.

Tom O'Connor
  • 27,578

2 Answers

8

Disable HTTP keep-alive, or install a server that isn't affected by this as a proxy in front of Apache. Nginx would be a good choice here.

This attack appears to be similar to the Slowloris attack, in that it exploits a specific feature of Apache. It's pretty trivial to defend against.

Note: If you install nginx, disable keep-alive on Apache, and keep it enabled on nginx.

devicenull
  • 5,630
2

Keep-Dead works by sending HEAD requests while keeping the TCP connection alive (Keep-Alive, thus the name of the script). That is probably quite distinct from legit requests to your webserver that would probably mostly be POST/GET. Ask your IDS/IPS to detect numerous HEAD requests within a short timespan and do what's appropriate.

cathper
  • 21
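A sketch of the check described in the last answer, as an added example rather than code from any poster: it counts HEAD requests per client IP in a sliding window over Apache access-log lines. The threshold, window, function names and sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache common/combined log line: ip ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) \S+[^"]*" \d{3} ')

def find_head_floods(lines, threshold=20, window=timedelta(seconds=10)):
    """Return {client_ip: peak HEAD count seen in one window} for clients
    that reach `threshold` HEAD requests within `window`.
    Assumes lines are in chronological order, as in an access log."""
    recent = defaultdict(deque)  # ip -> HEAD timestamps still inside the window
    peaks = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group(3) != "HEAD":
            continue  # unparsable line or not a HEAD request
        ip = m.group(1)
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks

def _line(ip, second, method, path):
    """Build one constructed log line `second` seconds after a fixed start time."""
    t = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc) + timedelta(seconds=second)
    stamp = t.strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{stamp}] "{method} {path} HTTP/1.1" 200 0 "-" "-"'

# Constructed sample (documentation IP ranges), not real traffic.
SAMPLE = (
    # Browser loading a busy page: 30 GETs in 2 seconds plus a single HEAD.
    [_line("192.0.2.10", i // 15, "GET", f"/asset{i}.css") for i in range(30)]
    + [_line("192.0.2.10", 2, "HEAD", "/")]
    # Uptime probe: one HEAD every 30 seconds.
    + [_line("203.0.113.5", 30 * i, "HEAD", "/") for i in range(25)]
    # Burst: 40 HEAD requests in 5 seconds from one client.
    + [_line("198.51.100.7", i // 8, "HEAD", "/") for i in range(40)]
)

if __name__ == "__main__":
    for ip, peak in find_head_floods(SAMPLE).items():
        print(f"{ip}: {peak} HEAD requests within 10s")
```

Tune the threshold against your own baseline first, since monitoring probes and link checkers also send HEAD requests.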