Network

What is Slowloris?

In a DDoS attack, system resources and network bandwidth are deliberately overloaded until the websites or service portals of the attack target only open up at a snail’s pace or are completely unavailable. To do this, for example, botnets with over 100,000 IoT devices are assembled and attack the target simultaneously. However, there is a type of malware that enables a single machine to bring down a web server with minimal use of network resources. The Slowloris attack tool, for example, is one such type of software.

01

A definition of Slowloris

Slowloris is a piece of software written in 2009 in the Perl programming language that uses a single computer and minimal network resources to take down a web server. It was written by Robert “RSnake” Hansen.

Named after the slow loris species of sloth-like primate, the software brings the attacked server to its knees by slowing it down: the software tries to establish as many connections to the target server as possible and keep them open for as long as possible. This effect is achieved by concurrently opening connections and sending partial requests. From time to time, partial requests are supplemented by subsequent HTTP headers but never completed. The intervals between the new header requests are timed to be just long enough for the server not to close the connection due to timeout.

As a result, the number of open connections increases rapidly. However, the number of connections that a web server can keep open simultaneously is limited. Once the maximum number of connections is exceeded, legitimate requests from web browsers will go unanswered, taking the server out of service.

Procedure of a Slowloris attack

02

How does a Slowloris attack work?

Slowloris takes advantage of a feature of the HTTP protocol: partial HTTP requests. Clients do not have to deliver the entire data of a GET or POST request to the server at once but can split it into several packets.

Depending on how a server is configured, even the first partial request causes the web server to reserve resources for responding while it waits for the remainder of the request. Ironically, this means that web servers, which only allow a limited number of parallel HTTP requests in order to avoid system overload, are particularly susceptible to Slowloris attacks.

Slowloris is relatively unobtrusive compared to most flooding tools, since only the web server itself is affected and all other services remain intact. Slowloris also has some stealth features built into it. For example, the log file cannot be written during the attack until the request is completed. By doing so, a server can be immobilized for minutes at a time without a single entry appearing in the log file to warn someone who might be checking it.

03

How is this different from traditional DDoS attacks?

Compared to conventional flood attacks, a Slowloris attack uses relatively few resources on the attacker’s side. The load on the target server does not increase either; instead, it keeps too many connections open for too long without doing anything.

However, this is not a TCP DoS because a full TCP connection is established, not a partial one, but partial HTTP requests are sent. Thus, it is the equivalent of a SYN flood attack, only over HTTP. One example of the difference is that with two web servers running on the same machine, one can be attacked with DoS while the other web server instance remains unaffected. Slowloris is also NOT a GET request flooder. Slowloris only requires a few hundred requests at long and regular intervals, as opposed to tens of thousands on a continuous basis.

Code on a screen

04

Who are the attackers?

The motives of cybercriminals who use Slowloris are no different from those who launch traditional DDoS attacks. Their motives are many and varied, ranging from extortion, harming the competitors, and envy to political protest. The goal, however, is always the same: causing the victim organization as much damage as possible. The script is so easy to use that no prior technical expertise is required.

05

Who is impacted?

Slowloris is primarily a threat to web servers that use threaded processes and attempt to limit them to prevent running out of memory. Apache servers that allow direct access from the internet are sometimes affected.

Vulnerable systems include:

  • Apache 1.x

  • Apache 2.x

  • dhttpd

  • GoAhead WebServer

A notable Slowloris attack occurred in Iran while the software was still in its infancy. Slowloris was used against the Iranian government’s web servers during the 2009 presidential election. The attackers chose Slowloris over a traditional denial-of-service attack because such a traditional attack would have consumed a lot of network bandwidth, also harming the protest movement in the country. The attacks using Slowloris affected gerdab.ir, leader.ir, and president.ir.

06

Successor and variants

Since the release of Slowloris, several other programs have appeared that mimic how Slowloris works and provide additional features or run in other environments:

PyLoris

a Python implementation that supports Tor and SOCKS proxies

QSlowloris

a binary program that runs on Windows and has a Qt interface

dotloris

a Slowloris variant written in .NET Core

Slowloris.hx

an implementation written in the Haxe programming language

Security lock

07

How can a Slowloris attack be mitigated?

he use of an HTTP Ready Accept filter was brought into play as a possible solution to a Slowloris attack shortly after the threat became known. It causes the HTTP server to only open a session after a complete request has been received. However, this only applies to GET and HEAD requests. However, Slowloris can also change its method to POST. In this instance, HTTPReady does not provide any protection.

There are no reliable configurations of the affected web servers that prevent a Slowloris attack. However, it is possible to mitigate or reduce the consequences of such an attack. The means available for this are:

  • Increasing the maximum number of clients that the server allows

  • Limiting the number of connections from a single IP address

  • Limiting the minimum transmission speed of a connection

  • Limiting the amount of time a client is allowed to stay connected

Web servers can also be protected by using load balancers and web application firewalls (WAF) that only relay complete HTTP requests to the servers. If an attack has already occurred, the problem can be mitigated by lowering the timeout parameters for HTTP requests.

Network

08

What you need to know about Slowloris

DDoS attacks can be carried out not only with large-scale methods such as huge botnets – all that is needed for a Slowloris attack is a single computer that continuously floods the server under attack with partial requests, thus blocking harmless quests. In a Slowloris attack, “only” the web server being attacked is itself impacted; all other services remain unaffected. The consequences of such an attack can be mitigated by specific configurations on web servers. Protection is possible: load balancers and web application firewalls that ensure that only complete HTTP requests reach the server can successfully slow down Slowloris.

09

Myra’s solutions

The Myra Multi Cloud Load Balancer allows for the access volume to be distributed among any number of servers – even across multiple data centers. Redundant, highly available, and scalable. Myra DDoS Web Protection combined with the Myra Hyperscale WAF protects applications against impermissible and dangerous requests. The immediately scalable solution provides nearly limitless capacity for warding off requests.