Slowloris (computer security)

Slowloris
Original author(s)	RSnake
Initial release	17 June 2009

Stable release	0.7
Written in	Perl
Size	36 kb
Website	ha.ckers.org/slowloris/

Slowloris is a type of denial of service attack invented by Robert "RSnake" Hansen which allows a single machine to take down another machine's web server with minimal bandwidth and side effects on unrelated services and ports.^[1]

Slowloris tries to keep many connections to the target web server open and hold them open as long as possible. It accomplishes this by opening connections to the target web server and sending a partial request. Periodically, it will send subsequent HTTP headers, adding to—but never completing—the request. Affected servers will keep these connections open, filling their maximum concurrent connection pool, eventually denying additional connection attempts from clients.^[1]

Affected web servers

This includes but is not necessarily limited to the following:^[1]

Apache 1.x
Apache 2.x
dhttpd
WebSense "block pages" (unconfirmed)
Trapeze Wireless Web Portal (unconfirmed)
Verizon's MI424-WR FIOS Cable modem (unconfirmed)
Verizon's Motorola Set-top box (port 8082 and requires auth - unconfirmed)
BeeWare WAF (unconfirmed)
Deny All WAF (patched) ^[2]

Because Slowloris exploits problems handling thousands of connections, the attack has less of an effect on servers that handle large numbers of connections well:

Hiawatha ^[3]
IIS ^[1]
lighttpd ^[1]
Squid ^[1]
NGINX ^[1]
Cherokee (verified by user community)
Cisco CSS (verified by user community) ^[1]
Varnish ^[4]

Mitigating the Slowloris attack

While there are no reliable configurations of the affected web servers that will prevent the Slowloris attack, there are ways to mitigate or reduce the impact of such an attack. In general these involve increasing the maximum number of clients the webserver will allow, limiting the number of connections a single IP address is allowed to make, imposing restrictions on the minimum transfer speed a connection is allowed to have, and restricting the length of time a client is allowed to stay connected.

In the Apache web server, a number of modules can be used to limit the damage caused by the Slowloris attack; the Apache modules mod_limitipconn, mod_qos, mod_evasive, mod security, mod_noloris, and mod_antiloris have all been suggested as means of reducing the likelihood of a successful Slowloris attack.^[1]^[5] Since Apache 2.2.15, Apache ships the module mod_reqtimeout as the official solution supported by the developers.^[6]

Other mitigating techniques involve setting up reverse proxies, firewalls, load balancers or content switches.^[7] Administrators could also change the affected web server to software that is unaffected by this form of attack. For example, lighttpd and nginx do not succumb to this specific attack.^[1]

Notable usage

During the protests that erupted in the wake of the 2009 Iranian presidential election, Slowloris arose as a prominent tool used to leverage DoS attacks against sites run by the Iranian government.^[8] The belief was that flooding DDoS attacks would affect internet access for the government and protesters equally, due to the significant bandwidth they can consume. The Slowloris attack was chosen instead, because of its high impact and relatively low bandwidth.^[9] A number of government run sites were targeted during these attacks, including gerdab.ir, leader.ir, and president.ir .^[10]

Similar software

Since its release, a number of programs have appeared that mimic the function of Slowloris while providing additional functionality, or running in different environments:^[11]

PyLoris – A protocol-agnostic Python implementation supporting Tor and SOCKS proxies.^[12]
Goloris _ slowloris for nginx, written in Go.^[13]
QSlowloris – An executable form of Slowloris designed to run on Windows, featuring a Qt front end.^[14]
An unnamed PHP version which can be run from a HTTP server.^[15]
SlowHTTPTest – A highly configurable slow attacks simulator, written in C++.^[16]^[17]
SlowlorisChecker – A Slowloris and Slow POST POC (Proof of concept). Written in Ruby.^[18]

References

1 2 3 4 5 6 7 8 9 10 "Slowloris HTTP DoS". Ha.ckers.org. 2009-06-17. Retrieved 2013-07-03.
↑ http://www.denyall.com/files/090703-Flash-Presse-contre-Slowloris.pdf
↑ "Performance testing while under attack". hiawatha-webserver.org. 28 February 2014.
↑ https://www.varnish-cache.org/docs/trunk/index.html
↑ "mod_noloris: defending against DoS". niq's soapbox. Retrieved 7 January 2012.
↑ "mod_reqtimeout - Apache HTTP Server". Httpd.apache.org. Retrieved 2013-07-03.
↑ Breedijk, Frank (22 June 2009). "Slowloris and Nkiller2 vs. the Cisco CSS load balancer". Cupfighter.net. Retrieved 7 January 2012.
↑ Zdrnja, Bojan (23 June 2009). "ISC Diary | Slowloris and Iranian DDoS attacks". Isc.sans.org. Retrieved 7 January 2012.
↑ Archived 29 June 2009 at the Wayback Machine.
↑ Archived 11 August 2009 at the Wayback Machine.
↑ Robert “RSnake” Hansen. "Slowloris" (PDF). SecTheory. Retrieved 7 January 2012.
↑ "PyLoris". MotomaSTYLE. 19 June 2009. Retrieved 7 January 2012.
↑ valyala. "Slowloris for nginx DoS". Retrieved 4 February 2014.
↑ "How to help take down gerdab.ir in 5 easy steps". cyberwar4iran. 28 June 2009. Retrieved 7 January 2012.
↑ "Full Disclosure: apache and squid dos". Seclists.org. 19 June 2009. Retrieved 7 January 2012.
↑ "Testing Web Servers for Slow HTTP Attacks". qualys.com. 19 September 2011. Retrieved 13 January 2012.
↑ https://github.com/shekyan/slowhttptest/
↑ "Simple script to check if some server could be affected by Slowloris attack". github.com/felmoltor. 31 December 2012. Retrieved 31 December 2012.

External links

This article is issued from Wikipedia - version of the 12/2/2016. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.