Slowloris (computer security) explained

Slowloris
Caption: Slowloris running on Command Prompt
Released: 17 June 2009
Latest release version: 0.7
Programming language: Perl
Platform: Cross-platform
Size: 36 kB
Genre: Hacking tool
Website: ha.ckers.org/slowloris/

Slowloris is a denial-of-service attack tool that allows a single machine to take down another machine's web server using minimal bandwidth and with few side effects on unrelated services and ports.

Slowloris tries to open many connections to the target web server and hold them open for as long as possible. It does this by opening each connection and sending only a partial request. Periodically, it sends further HTTP headers, adding to the request but never completing it. Affected servers keep these connections open, filling their maximum concurrent connection pool and eventually denying further connection attempts from clients.[1]

The program was named after slow lorises, a group of primates which are known for their slow movement.

Affected web servers

This includes but is not necessarily limited to the following, per the attack's author:[1]

Vulnerable to Slowloris attack on the TLS handshake process:

Because Slowloris exploits problems handling thousands of connections, the attack has less of an effect on servers that handle large numbers of connections well. Proxying servers and caching accelerators such as Varnish, nginx, and Squid have been recommended[7] to mitigate this particular kind of attack. In addition, certain servers are more resilient to the attack by way of their design, including Hiawatha,[8] IIS, lighttpd, Cherokee, and Cisco CSS.

Mitigating the Slowloris attack

While there are no reliable configurations of the affected web servers that will prevent the Slowloris attack, there are ways to mitigate or reduce the impact of such an attack. In general, these involve increasing the maximum number of clients the server will allow, limiting the number of connections a single IP address is allowed to make, imposing restrictions on the minimum transfer speed a connection is allowed to have, and restricting the length of time a client is allowed to stay connected.

In the Apache web server, a number of modules can be used to limit the damage caused by the Slowloris attack; the Apache modules mod_limitipconn, mod_qos, mod_evasive, mod_security, mod_noloris, and mod_antiloris have all been suggested as means of reducing the likelihood of a successful Slowloris attack.[1][9] Since Apache 2.2.15, Apache ships the module mod_reqtimeout as the official solution supported by the developers.[10]
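To make the "minimum transfer speed" and "maximum time connected" mitigations above concrete, here is a small Python model of a per-connection header-read guard in the spirit of mod_reqtimeout. This is an added example, not Slowloris code or Apache source; the policy numbers, the sample clients and the class name HeaderReadGuard are constructed for illustration.

```python
# Added example for this page (not Slowloris or Apache code): a model of a
# per-connection header-read guard in the spirit of Apache's mod_reqtimeout.
# A connection is dropped if its request headers are not complete by a
# deadline; received bytes extend the deadline at a minimum-rate credit, up to
# a hard ceiling.  Policy numbers are constructed for the example and loosely
# follow the documented mod_reqtimeout form "header=20-40,MinRate=500".

class HeaderReadGuard:
    def __init__(self, start=0.0, initial_timeout=20.0, max_timeout=40.0, min_rate=500.0):
        self.start = start
        self.max_deadline = start + max_timeout   # hard ceiling on the header phase
        self.deadline = start + initial_timeout   # current deadline for a complete header block
        self.min_rate = min_rate                  # bytes per second used to credit extra time
        self.buf = b""

    def feed(self, now, data):
        """Register `data` arriving at time `now`; return 'complete', 'pending' or 'dropped'."""
        if now > self.deadline:
            return "dropped"          # the server already closed the socket at self.deadline
        self.buf += data
        # Each received byte buys 1/min_rate seconds, never past the hard ceiling.
        self.deadline = min(self.deadline + len(data) / self.min_rate, self.max_deadline)
        return "complete" if b"\r\n\r\n" in self.buf else "pending"


def simulate(guard, events):
    """Replay (time, chunk) events; return (verdict, time at which the verdict took effect)."""
    for t, chunk in events:
        verdict = guard.feed(t, chunk)
        if verdict == "complete":
            return verdict, t
        if verdict == "dropped":
            return verdict, guard.deadline
    # Client went quiet without finishing: the guard fires at the deadline.
    return "dropped", guard.deadline


# Constructed sample clients.  A normal browser sends the whole header block at once.
NORMAL_EVENTS = [(0.1, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")]
# A Slowloris-style client sends a partial request, then trickles one extra header
# every 15 s and never sends the terminating blank line.
SLOW_EVENTS = [(0.0, b"GET / HTTP/1.1\r\nHost: example.test\r\n")] + \
              [(15.0 * i, b"X-a: b\r\n") for i in range(1, 5)]

if __name__ == "__main__":
    print("normal:", simulate(HeaderReadGuard(), NORMAL_EVENTS))   # ('complete', 0.1)
    print("slow:  ", simulate(HeaderReadGuard(), SLOW_EVENTS))     # ('dropped', 20.088)
```

Without the guard, the slow client's connection would stay open indefinitely and count against the connection pool; with it, the trickled headers buy only a few milliseconds each and the socket is closed shortly after the 20-second initial window.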

Other mitigating techniques involve setting up reverse proxies, firewalls, load balancers or content switches.[11] Administrators could also change the affected web server to software that is unaffected by this form of attack. For example, lighttpd and nginx do not succumb to this specific attack.[1]

Notable usage

During the protests that erupted in the wake of the 2009 Iranian presidential election, Slowloris emerged as a prominent tool for DoS attacks against sites run by the Iranian government.[12] The belief was that flooding DDoS attacks would affect internet access for the government and protesters equally, because of the significant bandwidth they consume. The Slowloris attack was chosen instead because of its high impact and relatively low bandwidth.[13] A number of government-run sites were targeted during these attacks, including gerdab.ir, leader.ir, and president.ir.[14]

A variant of this attack was used by spam network River City Media to force Gmail servers to send thousands of messages in bulk, by opening thousands of connections to the Gmail API with message sending requests, then completing them all at once.[15]

Similar software

Since its release, a number of programs have appeared that mimic the function of Slowloris while providing additional functionality, or running in different environments:[16]

Notes and References

  1. "Slowloris HTTP DoS". ha.ckers.org. 2009-06-26. Archived 26 April 2015: https://web.archive.org/web/20150426090206/http://ha.ckers.org/slowloris
  2. "Archived copy". www.denyall.com. 2013-05-15. Original dead; archived 1 February 2014: https://web.archive.org/web/20140201201359/http://www.denyall.com/files/090703-Flash-Presse-contre-Slowloris.pdf
  3. "Slowloris". www.powerwaf.com. 17 July 2023. Archived 17 July 2023: https://web.archive.org/web/20230717161742/https://www.powerwaf.com/learning/ddos-attacks/slowloris-attack/#known-servers-vulnerable-to-slowloris-attacks
  4. "Slowloris". www.powerwaf.com. 17 July 2023. Archived 17 July 2023: https://web.archive.org/web/20230717161742/https://www.powerwaf.com/learning/ddos-attacks/slowloris-attack/#known-servers-vulnerable-to-slowloris-attacks
  5. "Slowloris". www.powerwaf.com. 17 July 2023. Archived 17 July 2023: https://web.archive.org/web/20230717161742/https://www.powerwaf.com/learning/ddos-attacks/slowloris-attack/#known-servers-vulnerable-to-slowloris-attacks
  6. "Slowloris". www.powerwaf.com. 17 July 2023. Archived 17 July 2023: https://web.archive.org/web/20230717161742/https://www.powerwaf.com/learning/ddos-attacks/slowloris-attack/#known-servers-vulnerable-to-slowloris-attacks
  7. "How to best defend against a "slowloris" DOS attack against an Apache web server?". serverfault.com. Retrieved 2016-12-28.
  8. "Performance testing while under attack". hiawatha-webserver.org. 28 February 2014. Archived 15 March 2014: https://web.archive.org/web/20140315023923/https://www.hiawatha-webserver.org/weblog/64
  9. "mod_noloris: defending against DoS". niq's soapbox. July 2009. Archived 8 October 2011: https://web.archive.org/web/20111008151654/http://bahumbug.wordpress.com/2009/07/01/mod_noloris-defending-against-dos/
  10. "mod_reqtimeout - Apache HTTP Server". httpd.apache.org. Retrieved 2013-07-03. Archived 3 July 2013: https://web.archive.org/web/20130703041319/http://httpd.apache.org/docs/2.4/mod/mod_reqtimeout.html
  11. Breedijk, Frank. "Slowloris and Nkiller2 vs. the Cisco CSS load balancer". Cupfighter.net. 22 June 2009. Archived 15 February 2012: https://web.archive.org/web/20120215200011/http://www.cupfighter.net/index.php/2009/06/slowloris-css/
  12. Zdrnja, Bojan. "ISC Diary | Slowloris and Iranian DDoS attacks". isc.sans.org. 23 June 2009. Archived 12 November 2021: https://web.archive.org/web/20211112125751/https://isc.sans.edu/forums/diary/Slowloris+and+Iranian+DDoS+attacks/6622
  13. http://iran.whyweprotest.net/general-discussion/2156-list-anti-protester-sites-2.html
  14. http://iran.whyweprotest.net/help-iran-online/6194-condensed-list-sites-w-pictures-part-1-a.html
  15. Vickery, Chris. "Spammergate: The Fall of an Empire". MacKeeper Security Watch. 2017-03-06. Original dead; archived 2017-03-06: https://web.archive.org/web/20170306152831/https://mackeeper.com/blog/post/339-spammergate-the-fall-of-an-empire
  16. Hansen, Robert "RSnake". "Slowloris". SecTheory. Retrieved 7 January 2012. Archived 19 January 2012: https://web.archive.org/web/20120119135533/http://samsclass.info/seminars/slowloris.pdf
  17. "PyLoris". MotomaSTYLE. 19 June 2009. Original dead; archived 15 July 2009: https://web.archive.org/web/20090715100428/http://motomastyle.com/pyloris/
  18. "Slowloris rewrite in Python". GitHub. 10 May 2017. Archived 16 July 2019: https://web.archive.org/web/20190716180132/https://github.com/gkbrk/slowloris
  19. valyala. "Slowloris for nginx DoS". GitHub. 4 February 2014. Archived 28 January 2016: https://web.archive.org/web/20160128115830/https://github.com/valyala/goloris
  20. "How to help take down gerdab.ir in 5 easy steps". cyberwar4iran. 28 June 2009. Archived 8 July 2011: https://web.archive.org/web/20110708032219/http://cyberwar4iran.blogspot.com/
  21. "Full Disclosure: apache and squid dos". seclists.org. 19 June 2009. Archived 27 June 2009: https://web.archive.org/web/20090627092145/http://seclists.org/fulldisclosure/2009/Jun/0207.html
  22. "Testing Web Servers for Slow HTTP Attacks". qualys.com. 19 September 2011. Archived 2 January 2014: https://web.archive.org/web/20140102191906/https://community.qualys.com/blogs/securitylabs/2011/09/19/testing-web-servers-for-slow-http-attacks
  23. "shekyan/slowhttptest: Application Layer DoS attack simulator". GitHub. Retrieved 2017-04-19. Archived 19 July 2016: https://web.archive.org/web/20160719171244/https://github.com/shekyan/slowhttptest
  24. "Simple script to check if some server could be affected by Slowloris attack". github.com/felmoltor. 31 December 2012. Archived 28 January 2016: https://web.archive.org/web/20160128115830/https://github.com/felmoltor/SlowlorisChecker
  25. abilash. "Slowloris for OSX". GitHub. 8 April 2017. Archived 17 August 2020: https://web.archive.org/web/20200817134457/https://github.com/abila5h/Cyphon-DoS
  26. Shmali, Bassel. "Slowloris written in .Net core". GitHub. 31 March 2018. Archived 17 June 2018: https://web.archive.org/web/20180617163448/https://github.com/bass3l/dotloris
  27. Cambiaso, Enrico; Papaleo, Gianluca; Aiello, Maurizio. "SlowDroid: Turning a Smartphone into a Mobile Attack Vector". 2014 International Conference on Future Internet of Things and Cloud, 2014, pp. 405–410. doi:10.1109/FiCloud.2014.72. ISBN 978-1-4799-4357-9. https://zenodo.org/record/896552 (archived 2 March 2022: https://web.archive.org/web/20220302150652/https://zenodo.org/record/896552)