The Slowloris attack is a particularly unique and dangerous form of denial-of-service (DoS) attack. Unlike traditional DoS attacks that overwhelm servers with a high volume of traffic, this attack is designed to use minimal resources while effectively taking down a server. In this article, we’ll explain why the attack poses a significant threat and how organizations can protect themselves.
What Is a Slowloris Attack?
The Slowloris attack operates by sending partial HTTP requests to a target server. It was first introduced by hacker RSnake in 2009 as a tool to disrupt web servers, particularly those running Apache. The attack works by opening multiple connections to a server and then keeping these connections open as long as possible. The attacker does this by sending partial headers intermittently so the server believes each request is legitimate and keeps the connection open.
How Does a Slowloris Attack Work?
When a user connects to a website, the server expects a complete HTTP request, which typically includes headers and a body. Once the server receives this complete request, it processes it and serves the requested resources back to the user.
Here’s how it manipulates this process to carry out its attack:
- Initiates Multiple Connections: The attacker opens multiple connections to the target server using HTTP requests.
- Sends Partial Requests: Instead of completing each HTTP request, Slowloris sends only partial headers. This gives the appearance of an incomplete request that is still being processed.
- Maintains Open Connections: By periodically sending small portions of data to each connection, Slowloris keeps the connections open. This tricks the server into waiting indefinitely for the rest of each request.
- Consumes Server Resources: Over time, the server allocates its resources to handle the growing number of open connections, eventually exhausting its available connection pool.
Since the server has limited capacity for concurrent connections, legitimate users will find themselves unable to connect, leading to a denial of service without a significant spike in traffic that would be typical of other DoS attacks.
Why Is Slowloris So Dangerous?
The attack stands out for several reasons:
- Low Resource Requirement: Unlike volumetric attacks that require large amounts of bandwidth and computational power, Slowloris uses minimal resources on the attacker’s end. This makes it difficult to detect and allows attackers with limited resources to cause significant disruption.
- Bypasses Traditional Security: They are often hard to detect because they don’t trigger traditional rate-limiting defenses. Since the attack doesn’t involve large data volumes, it can bypass typical network security measures like firewalls and intrusion detection systems.
- Targeted Attack: Slowloris can be configured to focus on specific types of web servers. Certain types of servers, like Apache and Nginx, are more susceptible, making the attack highly effective against vulnerable servers.
How to Protect Against a Slowloris Attack
While it is challenging to detect, there are several methods to mitigate the risk of this attack:
- Rate Limiting: Configuring rate limits for incomplete HTTP requests can help prevent Slowloris from monopolizing server connections. While not foolproof, this can slow down the attack.
- Connection Timeout Settings: Reducing the maximum time allowed for open connections can limit the attack’s effectiveness. By enforcing shorter timeout periods, servers can free up resources from incomplete requests more quickly.
- Using a Reverse Proxy: A reverse proxy can filter out malicious requests before they reach the target server, offering an additional layer of security.
- Upgrade Server Software: Regularly updating web server software ensures it has the latest security patches. Some servers have modules or plugins specifically designed to counter Slowloris.
Conclusion
The Slowloris attack remains one of the more insidious forms of DoS attacks, utilizing minimal resources to achieve maximum disruption. By keeping connections open and exhausting server resources, it can effectively shut down a server without detection by traditional security systems. Understanding how it works and implementing the right security measures can help organizations defend against this sneaky threat.