Slowloris (cyber attack)

Slowloris
Initial release: 17 June 2009
Stable release: 0.7
Written in: Perl
Platform: Cross-platform
Size: 36 kB
Type: Hacking tool
Website: ha.ckers.org/slowloris/

Slowloris is a type of denial of service attack tool which allows a single machine to take down another machine's web server with minimal bandwidth and side effects on unrelated services and ports.

Slowloris tries to keep many connections to the target web server open and hold them open as long as possible. It accomplishes this by opening connections to the target web server and sending a partial request. Periodically, it will send subsequent HTTP headers, adding to, but never completing, the request. Affected servers will keep these connections open, filling their maximum concurrent connection pool, eventually denying additional connection attempts from clients. [1]
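Seen from the server side, the behaviour described above leaves a recognisable trace in the connection table: many connections that are minutes old, have never delivered a complete header block, have received only a trickle of bytes, and mostly come from a handful of addresses. The following Python is an added example written for this page (it is not code from the Slowloris tool or from the article's sources) that scores a snapshot of such a table for that signature. The `Conn` record, the threshold values and the sample snapshot are all constructed assumptions; a real deployment would fill the records from the server's own status output or from the kernel's socket table.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    """One entry of a server's connection table (e.g. one worker slot).
    Field layout is an assumption of this example, not any server's format."""
    ip: str
    age_s: float            # seconds since the TCP connection was accepted
    headers_complete: bool  # has the blank line that ends the headers arrived?
    bytes_received: int     # request bytes received so far


def build_snapshot():
    """Constructed sample data, not a capture from a real server."""
    conns = []
    # 40 connections from one address, each open for minutes, each having sent
    # only a request line plus a few trickled header lines (a few hundred bytes).
    for i in range(40):
        conns.append(Conn("203.0.113.7", 120.0 + 5 * i, False, 180 + 3 * i))
    # Normal traffic: short-lived connections whose headers arrived at once.
    conns.append(Conn("198.51.100.5", 0.8, True, 612))
    conns.append(Conn("198.51.100.5", 1.4, True, 598))
    conns.append(Conn("198.51.100.21", 3.0, True, 701))
    # One genuinely slow client (a poor mobile link, say): old and incomplete,
    # but a single connection, so it must not be reported as an attacker.
    conns.append(Conn("192.0.2.9", 45.0, False, 90))
    return conns


def is_stalled(c, min_age_s, max_rate_bps):
    """A connection is stalled if it is old, still has no complete header
    block, and has averaged only a trickle of bytes per second since accept."""
    rate = c.bytes_received / c.age_s if c.age_s > 0 else float("inf")
    return c.age_s >= min_age_s and not c.headers_complete and rate <= max_rate_bps


def find_suspects(conns, min_age_s=30.0, max_rate_bps=50.0, min_conns_per_ip=20):
    """Map each client IP holding at least min_conns_per_ip stalled connections
    to its stalled-connection count. All conditions are required together: a
    slow but honest client produces one stalled connection, not dozens."""
    per_ip = Counter(c.ip for c in conns if is_stalled(c, min_age_s, max_rate_bps))
    return {ip: n for ip, n in per_ip.items() if n >= min_conns_per_ip}


def stalled_share(conns, min_age_s=30.0, max_rate_bps=50.0):
    """Fraction of the connection table held by stalled connections; this is
    the number that decides whether new clients can still be accepted."""
    if not conns:
        return 0.0
    stalled = sum(1 for c in conns if is_stalled(c, min_age_s, max_rate_bps))
    return stalled / len(conns)


if __name__ == "__main__":
    snap = build_snapshot()
    print("suspect addresses:", find_suspects(snap))
    print(f"stalled share of connection table: {stalled_share(snap):.1%}")
```

The per-address count is what separates an attack from a slow network: the single old, incomplete connection from 192.0.2.9 is counted in the stalled share (it does occupy a slot) but is never reported as a suspect, whereas the address holding forty such connections is.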

The program was named after slow lorises, a group of primates which are known for their slow movement.

Affected web servers

This includes but is not necessarily limited to the following, per the attack's author: [1]

Vulnerable to Slowloris attack on the TLS handshake process:

Because Slowloris exploits problems handling thousands of connections, the attack has less of an effect on servers that handle large numbers of connections well. Proxying servers and caching accelerators such as Varnish, nginx, and Squid have been recommended [7] to mitigate this particular kind of attack. In addition, certain servers are more resilient to the attack by way of their design, including Hiawatha, [8] IIS, lighttpd, Cherokee, and Cisco CSS [citation needed].

Mitigating the Slowloris attack

While there are no reliable configurations of the affected web servers that will prevent the Slowloris attack, there are ways to mitigate or reduce the impact of such an attack. In general, these involve increasing the maximum number of clients the server will allow, limiting the number of connections a single IP address is allowed to make, imposing restrictions on the minimum transfer speed a connection is allowed to have, and restricting the length of time a client is allowed to stay connected.

In the Apache web server, a number of modules can be used to limit the damage caused by the Slowloris attack; the Apache modules mod_limitipconn, mod_qos, mod_evasive, mod_security, mod_noloris, and mod_antiloris have all been suggested as means of reducing the likelihood of a successful Slowloris attack. [1] [9] Since Apache 2.2.15, Apache ships the module mod_reqtimeout as the official solution supported by the developers. [10]
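To see why the measures above mitigate rather than prevent the attack, here is an added Python simulation written for this page (it is not code from Apache, from mod_reqtimeout, or from the article's sources). It models a fixed pool of worker slots in the terms the page uses: a slow client sends a partial request and then one header line every few seconds, while a normal client arrives once per second with a complete request. The `ReqTimeout` class approximates the documented mod_reqtimeout setting `RequestReadTimeout header=20-40,MinRate=500` (an initial header deadline, a cap on that deadline, and a small extension per received byte); the per-address connection cap stands in for the per-IP limits offered by modules such as mod_limitipconn or mod_qos. Pool size, timings, byte counts and the assumption that the slow client only notices a closed socket at its next send are all parameters of the model, not measurements.

```python
from dataclasses import dataclass
from typing import Optional

ATTACKER_IP = "203.0.113.7"  # constructed address of the simulated slow client
LEGIT_IP = "198.51.100.5"    # constructed address of the simulated normal client


@dataclass(eq=False)          # identity comparison: many conns look alike
class Conn:
    ip: str
    opened_at: int
    deadline: Optional[float]      # header-read deadline in seconds; None = never
    headers_complete: bool = False
    closed: bool = False


@dataclass
class ReqTimeout:
    """Approximation of mod_reqtimeout's 'header=INIT-MAX,MinRate=RATE' setting,
    written from its documented behaviour (not the module's code): the header
    block must finish within INIT seconds, each received byte extends the
    deadline by 1/RATE seconds, and the deadline never exceeds MAX seconds."""
    initial_s: int
    max_s: int
    min_rate_bps: int


class Server:
    def __init__(self, max_workers, reqtimeout=None, max_conns_per_ip=None):
        self.max_workers = max_workers
        self.reqtimeout = reqtimeout
        self.max_conns_per_ip = max_conns_per_ip
        self.conns = []

    def accept(self, ip, now, headers_complete=False):
        """Return a Conn if a slot is free and the per-IP cap allows it, else None."""
        if len(self.conns) >= self.max_workers:
            return None
        if (self.max_conns_per_ip is not None
                and sum(c.ip == ip for c in self.conns) >= self.max_conns_per_ip):
            return None
        deadline = now + self.reqtimeout.initial_s if self.reqtimeout else None
        c = Conn(ip, now, deadline, headers_complete)
        self.conns.append(c)
        return c

    def receive(self, c, nbytes):
        """Bytes arriving before the header block is complete buy a little time."""
        if self.reqtimeout and not c.headers_complete:
            c.deadline = min(c.deadline + nbytes / self.reqtimeout.min_rate_bps,
                             c.opened_at + self.reqtimeout.max_s)

    def close(self, c):
        c.closed = True
        self.conns.remove(c)

    def reap(self, now):
        """Drop every connection whose header deadline has passed."""
        for c in list(self.conns):
            if not c.headers_complete and c.deadline is not None and now > c.deadline:
                self.close(c)


def simulate(reqtimeout=None, max_conns_per_ip=None, max_workers=150,
             attacker_sockets=300, send_interval=10, duration=120):
    """Run the slow client against the server for `duration` seconds and return
    (normal requests served, normal requests refused, attacker sockets reopened
    after a server-side close). The slow client sends a 100-byte partial request,
    then a 20-byte header line every send_interval seconds, and only notices a
    closed socket at its next send. The normal client arrives once per second
    with a complete request that is answered within that second."""
    srv = Server(max_workers, reqtimeout, max_conns_per_ip)
    socks = [None] * attacker_sockets
    served = refused = reconnects = 0
    for now in range(duration):
        srv.reap(now)
        if now % send_interval == 0:            # slow client acts first: it never stops trying
            for i, c in enumerate(socks):
                if c is not None and not c.closed:
                    srv.receive(c, 20)          # trickle one more header line
                    continue
                reconnects += c is not None     # a reaped socket is being reopened
                socks[i] = srv.accept(ATTACKER_IP, now)
                if socks[i] is not None:
                    srv.receive(socks[i], 100)  # request line plus a first header
        legit = srv.accept(LEGIT_IP, now, headers_complete=True)
        if legit is None:
            refused += 1
        else:
            served += 1
            srv.close(legit)                    # answered now; slot is released
    return served, refused, reconnects


if __name__ == "__main__":
    print("no defence           :", simulate())
    print("header deadline only :", simulate(ReqTimeout(20, 40, 500)))
    print("deadline + per-IP cap:", simulate(ReqTimeout(20, 40, 500), max_conns_per_ip=50))
```

With no defence the pool fills at once and every normal request in the run is refused. With the header deadline alone, stalled connections are reaped about every twenty seconds and normal clients get through in the gap before the slow client notices and reopens its sockets: the attack is blunted, not stopped, and the burst of reconnects from one address is itself a useful alerting signal. Adding a per-address cap keeps the pool from ever filling, which is why the page's mitigations are normally layered rather than relied on singly.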

Other mitigating techniques involve setting up reverse proxies, firewalls, load balancers or content switches. [11] Administrators could also change the affected web server to software that is unaffected by this form of attack. For example, lighttpd and nginx do not succumb to this specific attack. [1]

Notable usage

During the protests that erupted in the wake of the 2009 Iranian presidential election, Slowloris arose as a prominent tool used to leverage DoS attacks against sites run by the Iranian government. [12] The belief was that flooding DDoS attacks would affect internet access for the government and protesters equally, due to the significant bandwidth they can consume. The Slowloris attack was chosen instead, because of its high impact and relatively low bandwidth. [13] A number of government-run sites were targeted during these attacks, including gerdab.ir, leader.ir, and president.ir. [14]

A variant of this attack was used by spam network River City Media to force Gmail servers to send thousands of messages in bulk, by opening thousands of connections to the Gmail API with message sending requests, then completing them all at once. [15]

Similar software

Since its release, a number of programs have appeared that mimic the function of Slowloris while providing additional functionality, or running in different environments: [16]

References

  1. "Slowloris HTTP DoS". Archived from the original on 26 April 2015. Retrieved 26 June 2009.
  2. "Archived copy" (PDF). Archived from the original (PDF) on 1 February 2014. Retrieved 15 May 2013.
  3. "Slowloris". www.powerwaf.com. Archived from the original on 17 July 2023. Retrieved 17 July 2023.
  4. "Slowloris". www.powerwaf.com. Archived from the original on 17 July 2023. Retrieved 17 July 2023.
  5. "Slowloris". www.powerwaf.com. Archived from the original on 17 July 2023. Retrieved 17 July 2023.
  6. "Slowloris". www.powerwaf.com. Archived from the original on 17 July 2023. Retrieved 17 July 2023.
  7. "How to best defend against a "slowloris" DOS attack against an Apache web server?". serverfault.com. Retrieved 28 December 2016.
  8. "Performance testing while under attack". hiawatha-webserver.org. 28 February 2014. Archived from the original on 15 March 2014. Retrieved 15 March 2014.
  9. "mod_noloris: defending against DoS". niq's soapbox. July 2009. Archived from the original on 8 October 2011. Retrieved 7 January 2012.
  10. "mod_reqtimeout - Apache HTTP Server". Httpd.apache.org. Archived from the original on 3 July 2013. Retrieved 3 July 2013.
  11. Breedijk, Frank (22 June 2009). "Slowloris and Nkiller2 vs. the Cisco CSS load balancer". Cupfighter.net. Archived from the original on 15 February 2012. Retrieved 7 January 2012.
  12. Zdrnja, Bojan (23 June 2009). "ISC Diary | Slowloris and Iranian DDoS attacks". Isc.sans.org. Archived from the original on 12 November 2021. Retrieved 7 January 2012.
  13. Archived 29 June 2009 at the Wayback Machine.
  14. Archived 11 August 2009 at the Wayback Machine.
  15. Vickery, Chris (6 March 2017). "Spammergate: The Fall of an Empire". MacKeeper Security Watch. Archived from the original on 6 March 2017.
  16. Hansen, Robert "RSnake". "Slowloris" (PDF). SecTheory. Archived (PDF) from the original on 19 January 2012. Retrieved 7 January 2012.
  17. "PyLoris". MotomaSTYLE. 19 June 2009. Archived from the original on 15 July 2009. Retrieved 7 January 2012.
  18. "Slowloris rewrite in Python". GitHub. Archived from the original on 16 July 2019. Retrieved 10 May 2017.
  19. valyala. "Slowloris for nginx DoS". GitHub. Archived from the original on 28 January 2016. Retrieved 4 February 2014.
  20. Tsankov, Ivaylo (22 April 2022). "slowloris - Golang distributed Slowloris attack". Archived from the original on 24 April 2022. Retrieved 24 April 2022.
  21. "How to help take down gerdab.ir in 5 easy steps". cyberwar4iran. 28 June 2009. Archived from the original on 8 July 2011. Retrieved 7 January 2012.
  22. "Full Disclosure: apache and squid dos". Seclists.org. 19 June 2009. Archived from the original on 27 June 2009. Retrieved 7 January 2012.
  23. "Testing Web Servers for Slow HTTP Attacks". qualys.com. 19 September 2011. Archived from the original on 2 January 2014. Retrieved 13 January 2012.
  24. "shekyan/slowhttptest: Application Layer DoS attack simulator". GitHub. Archived from the original on 19 July 2016. Retrieved 19 April 2017.
  25. "Simple script to check if some server could be affected by Slowloris attack". github.com/felmoltor. 31 December 2012. Archived from the original on 28 January 2016. Retrieved 31 December 2012.
  26. abilash. "Slowloris for OSX". GitHub. Archived from the original on 17 August 2020. Retrieved 8 April 2017.
  27. Davis, Ethan (17 February 2018). "sloww: Lightweight Slowloris attack CLI in Node". Archived from the original on 9 November 2020. Retrieved 18 February 2018.
  28. Shmali, Bassel (28 November 2021). "Slowloris written in .Net core". GitHub. Archived from the original on 17 June 2018. Retrieved 31 March 2018.
  29. Cambiaso, Enrico; Papaleo, Gianluca; Aiello, Maurizio (2014). "SlowDroid: Turning a Smartphone into a Mobile Attack Vector". 2014 International Conference on Future Internet of Things and Cloud. pp. 405–410. doi:10.1109/FiCloud.2014.72. ISBN 978-1-4799-4357-9. S2CID 14792419. Archived from the original on 2 March 2022. Retrieved 2 March 2022.