Thursday, 2 April 2015

Slow HTTP DoS

Knocking down a website can be as easy as double-clicking an application on the desktop.

Many sites run on web servers that are vulnerable to the Slow HTTP Denial of Service attack. Its best-known form, which sends request headers slowly, is called Slowloris.

The Slowloris vulnerability exists because of a very basic characteristic of HTTP: a web server waits for the complete request header before taking any action on the request. This behaviour is exploited by opening a large number of connections to the server and sending each request header very slowly, say one byte per minute. Every such connection keeps a server worker waiting; the server eventually exhausts its capacity to accept new connections and becomes unresponsive to legitimate clients. Servers that dedicate a process or thread to each connection (Apache's prefork and worker MPMs, for example) are the most exposed, because the worker pool is small (a few hundred by default) and each stalled connection pins one worker. Event-driven servers such as nginx hold idle connections far more cheaply, but they are still bounded by their connection and file-descriptor limits.

So what is the difference between this slow DoS attack and a classic DoS?

The key characteristic of this attack is that it can be executed successfully, with high impact, from an attacker with very little bandwidth: it exhausts the server's connection slots rather than its network pipe, so a single host trickling a few bytes per connection is enough.

Various scripts and tools are available to exploit this weakness; one of them is the original Slowloris script.

Three factors determine the probability of a successful slow HTTP DoS attack:
  1. The connection timeout for receiving a request
  2. The number of concurrent connections allowed (in total and per source)
  3. The request data transfer rate


Almost 60% of websites run on Apache servers, which are vulnerable to this attack in their default configuration. Apache provides the module mod_reqtimeout, which counters this type of attack through a request read timeout and a minimum transfer rate (the RequestReadTimeout directive; for example, header=20-40,MinRate=500 grants 20 seconds for the header, extended by one second for every 500 bytes received, up to a hard limit of 40 seconds). However, the module is only available in version 2.2.15 and later, and it addresses only two of the three factors. An attacker can therefore tune the script to send data just above the minimum rate and reopen each connection before the hard timeout expires; the timeout and rate limits raise the cost of the attack without removing it.

The third factor, the number of concurrent connections, is easily controlled through a firewall, reverse proxy or load balancer (LB), typically as a cap on connections per source address. However, limiting the number of concurrent connections from one source may affect legitimate users who arrive through a shared proxy or NAT gateway, because they all present the same address.
Many LBs and web application firewalls such as Radware AppWall, F5 BIG-IP and Barracuda have built-in features to reduce the risk of a Slowloris attack.
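To make the three factors concrete, here is an added example (not code from the original post or from any of the products named above): a small Python front-end that enforces a header read timeout and a minimum transfer rate in the style of mod_reqtimeout's header=initial-max,MinRate=N rule, plus a per-source connection cap of the kind a firewall or LB applies. The constants, the class and helper names (SlowHttpGuard, talk, demo) and the sample requests are all assumptions, chosen so that the demo finishes in about two seconds; production values are far larger.

```python
import contextlib
import select
import socket
import threading
import time
from collections import Counter

INITIAL_TIMEOUT = 1.0   # seconds granted for the whole header before any byte earns extra time
MAX_TIMEOUT = 2.0       # hard ceiling, however steadily the client keeps dripping
MIN_RATE = 500          # bytes/second: each MIN_RATE bytes received extends the deadline by 1 s
MAX_PER_SOURCE = 3      # concurrent connections permitted from one client address
REPLIES = {"complete": b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n",
           "timeout": b"HTTP/1.1 408 Request Timeout\r\n\r\n",
           "connlimit": b"HTTP/1.1 503 Service Unavailable\r\n\r\n"}

def finish(conn, reply):
    with contextlib.suppress(OSError):          # peer may already be gone
        conn.sendall(reply)
    conn.close()

class SlowHttpGuard:
    def __init__(self):
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))        # ephemeral port, read back below
        self.sock.listen(64)
        self.port = self.sock.getsockname()[1]
        self.lock = threading.Lock()
        self.active, self.outcomes = Counter(), Counter()   # open conns per IP; how each ended
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            conn, (ip, _) = self.sock.accept()
            with self.lock:                     # factor 3: per-source concurrency cap
                if self.active[ip] >= MAX_PER_SOURCE:
                    self.outcomes["connlimit"] += 1
                    finish(conn, REPLIES["connlimit"])
                    continue
                self.active[ip] += 1
            threading.Thread(target=self._handle, args=(conn, ip), daemon=True).start()

    def _handle(self, conn, ip):
        try:
            state = self._read_headers(conn)
            with self.lock: self.outcomes[state] += 1
            finish(conn, REPLIES.get(state, b""))   # a client that hung up gets nothing
        finally:
            with self.lock: self.active[ip] -= 1

    def _read_headers(self, conn):
        """Factors 1 and 2: the deadline only advances when bytes arrive fast enough."""
        buf, start = b"", time.monotonic()
        deadline = start + INITIAL_TIMEOUT
        while b"\r\n\r\n" not in buf:
            remaining = deadline - time.monotonic()
            if remaining <= 0: return "timeout"
            conn.settimeout(remaining)
            try:
                chunk = conn.recv(4096)
            except socket.timeout:
                return "timeout"
            if not chunk: return "closed"       # client hung up before finishing
            buf += chunk
            # MinRate credit: one second per MIN_RATE bytes, never beyond the ceiling
            deadline = min(start + MAX_TIMEOUT, deadline + len(chunk) / MIN_RATE)
        return "complete"

FULL_REQUEST = b"GET / HTTP/1.1\r\nHost: demo\r\n\r\n"   # constructed sample traffic
PARTIAL_REQUEST = b"GET / HTTP/1.1\r\nHost: demo\r\n"     # header block never terminated
DRIP = b"X-a: b\r\n"                                      # Slowloris-style keep-alive line

def talk(port, first, drip=b"", interval=0.0, rounds=0):
    """Constructed client: send `first`, then drip until the server answers; return its status line."""
    s = socket.create_connection(("127.0.0.1", port))
    s.sendall(first)
    for _ in range(rounds):
        if select.select([s], [], [], interval)[0]:
            break                               # server replied or closed: stop dripping
        with contextlib.suppress(OSError):      # a late drip into a closed socket is harmless
            s.sendall(drip)
    s.settimeout(5)
    try:
        data = s.recv(4096)
    except OSError:
        data = b""                              # reset by the server: no status line to report
    s.close()
    return data.split(b"\r\n", 1)[0].decode(errors="replace")

def demo():
    guard = SlowHttpGuard()
    result = {"fast": talk(guard.port, FULL_REQUEST)}
    result["slow"] = talk(guard.port, PARTIAL_REQUEST, DRIP, interval=0.35, rounds=10)
    time.sleep(0.2)                             # let the slow connection's slot be released
    holders = [socket.create_connection(("127.0.0.1", guard.port)) for _ in range(MAX_PER_SOURCE)]
    for h in holders: h.sendall(PARTIAL_REQUEST)    # pin every slot with an unfinished header
    time.sleep(0.2)                             # let the accept loop count them
    result["extra"] = talk(guard.port, FULL_REQUEST)
    for h in holders: h.close()
    result["outcomes"] = dict(guard.outcomes)
    return result
```

Calling demo() starts the guard on a loopback port and runs three constructed clients against it: a normal one, which gets a 200; a Slowloris-style dripper that sends one header line every 0.35 s and is cut off with a 408 once its trickle no longer keeps the deadline moving; and a fourth connection from the same address while three unfinished ones are held open, which the accept loop refuses with a 503. The last case also shows the trade-off noted above: the cap counts per source address, so the three holders and the rejected client could just as well have been unrelated users behind one proxy.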