A Slowloris attack is a type of denial-of-service (DoS) attack that targets web servers by exhausting their connection capacity. This attack, often referred to as a slow HTTP DoS attack, takes advantage of how web servers manage connections, making them unable to handle legitimate requests.
Origins of the Slowloris Attack
The name "Slowloris" comes from a tool created by Robert RSnake Hansen in 2009, named after the slow-moving primate, the slow loris. This tool demonstrated how an attacker could use slow HTTP requests to overwhelm a server. The technique has been used in significant real-world incidents, such as attacks on Iranian government websites following the 2009 presidential election.
How Does a Slowloris Attack Work?
Web servers can be either thread-based (e.g., Apache, Microsoft IIS) or event-based (e.g., Nginx, lighttpd). Thread-based servers handle fewer connections than event-based servers. For instance, Apache can handle 150 connections by default, whereas Nginx can manage 512.
A server keeps a connection open until it receives all HTTP headers and the complete body of a request, or until it times out. Apache, for example, has a default timeout of 300 seconds. An attacker exploiting this can send numerous incomplete HTTP requests, keeping the connections open and preventing the server from accepting new ones.
Variations: Slow HTTP POST Attack
A variation of the Slowloris attack is the slow HTTP POST attack. Instead of GET requests, it uses POST requests, sending data very slowly to keep the connection alive and evade timeout protections. This method is harder to detect and mitigate.
Detecting Slowloris Attacks
Detecting a Slowloris attack can be challenging as it uses legitimate-looking requests. Monitoring for patterns such as numerous long-duration connections, partial HTTP requests, and high server resource usage is essential. Intrusion detection systems (IDS) often miss these attacks, so continuous monitoring is crucial.
Mitigating Slowloris Attacks on Apache Servers
Apache servers are common targets for slow HTTP DoS attacks. Here are three effective mitigation techniques:
Using the mod_reqtimeout Module:
This module sets time limits for receiving HTTP request headers and bodies. If the client doesn't send data within the set time, the server responds with a 408 REQUEST TIMEOUT error.
Apache
<IfModule mod_reqtimeout.c>
RequestReadTimeout header=20-40,MinRate=500 body=20-40,MinRate=500
</IfModule>
Using the mod_qos Module:
This module allows assigning different priorities to HTTP requests. It limits the number of connections per IP and enforces minimum data transfer rates.
Apache
<IfModule mod_qos.c>
QS_ClientEntries 100000
QS_SrvMaxConnPerIP 50
MaxClients 256
QS_SrvMaxConnClose 180
QS_SrvMinDataRate 150 1200
</IfModule>
Using the mod_security Module:
This web application firewall (WAF) can block IPs generating multiple 408 responses, indicating potential slow HTTP DoS attacks.
Apache
SecRule RESPONSE_STATUS "@streq 408" "phase:5,t:none,nolog,pass,setvar:ip.slow_dos_counter=+1,expirevar:ip.slow_dos_counter=60,id:'1234123456'"
SecRule IP:SLOW_DOS_COUNTER "@gt 5" "phase:1,t:none,log,drop,msg:'Client Connection Dropped due to high number of slow DoS alerts',id:'1234123457'"
Combining these methods with additional protections like load balancers, reverse proxies, and rate limiting can significantly enhance server resilience against Slowloris attacks.
By understanding and implementing these strategies, you can better protect your web servers from the disruptive impact of Slowloris and similar slow HTTP attacks.
Top comments (0)