WP What is Slowloris? | Examples & Mitigation Techniques | Imperva

Slowloris

84.5k views
DDoS

What is Slowloris?

Slowloris is an attack tool designed to enable a single machine to take down a server by flooding it with incomplete HTTP requests, without using a lot of bandwidth. The approach, similar to a distributed denial of service (DDoS) attack, makes it harder for legitimate users to access the server or application.  

Simple yet sophisticated, a Slowloris attack requires minimal bandwidth for execution. Slowloris has demonstrated remarkable effectiveness against popular web server software, including Apache 1.x and 2.x. 

How Does Slowloris Work?

Slowloris executes its attack by exploiting the behavior of the HTTP protocol. When making an HTTP request to a server, the server processes the request and reserves a slot for the session until it’s complete. Slowloris takes advantage of this by initiating an HTTP request but never completing it.

The attack starts by Slowloris establishing multiple connections to the target’s web server. It sends HTTP headers at regular intervals but does not terminate them, leaving the connection open indefinitely. This is referred to as a “partial request”. HTTP headers are sent at a rate slow enough to keep the connection alive, but not so fast as to complete the request and free the slot.

As the attacker continues to hold these connections, the web server’s maximum concurrent connection pool eventually is filled as the server operates as if it is processing heavy volumes of traffic. Consequently, this approach effectively blocks new connections from legitimate users, achieving a denial of service attack. However,unlike typical DoS attacks that require significant bandwidth, Slowloris needs limited resources to execute an attack. The slow and low approach makes it difficult to detect, and standard timeouts do not apply as each partial request keeps the sessions alive.

Figure 1: Illustration of a Slowloris attack

Figure 1: Illustration of a Slowloris attack

Example of a Slowloris Attack

In six steps, here’s a hypothetical attack scenario where ‘ExampleWebServer’ is the target of a Slowloris attack. 

  1. The attacker begins by establishing multiple connections to `ExampleWebServer`. To do this, the attacker uses a command such as `slowloris.pl -dns examplewebserver.com` with `slowloris.pl` being the Slowloris script, `-dns` being the option to target a specific DNS, and `examplewebserver.com` is the web server’s address.
  2. The attacker starts sending partial HTTP requests to `ExampleWebServer`, but keeps the speed slow enough to maintain an open connection.
  3. `ExampleWebServer`, following standard HTTP protocol behavior, reserves slots for these requests, awaiting their completion.
  4. The attacker’s Slowloris script continues to send partial requests at regular intervals, keeping the connections open and preventing `ExampleWebServer` from closing the incomplete sessions.
  5. Eventually, `ExampleWebServer` hits its maximum concurrent connection pool limit. At this point, legitimate users cannot establish a new connection.
  6. The web server, believing it’s under heavy traffic, continues to wait for the requests to be completed, effectively falling victim to a DoS attack.

This is a simple example that demonstrates a basic Slowloris attack. t real-world attacks can be more complex, incorporating tactics to evade detection and/or increase effectiveness.

Why Are Slowloris Attacks Dangerous?

Slowloris attacks, like DDoS, is a significant risk to a digital business’ operations. for several reasons:

  1. Stealth: The slow and methodical nature of Slowloris attacks makes them challenging to detect unlike typical DDoS attacks, which flood servers with an overwhelming volume of requests.
  2. Efficiency: Slowloris attacks are incredibly resource-efficient. A single machine with a regular internet connection can execute a successful Slowloris attack, requiring minimal bandwidth and computing power. This efficiency makes Slowloris attacks accessible to any motivated bad actor.
  3. Limited traces: Slowloris attacks target web servers without affecting other services, leaving few traces behind. This makes mitigation and incident response more challenging.
  4. Denial of Service: The goal of a Slowloris attack is a denial of service,. Slowloris attacks can significantly disrupt services and cause business loss and reputational damage.

How Are Slowloris Attacks Different from Other DoS Attacks?

Unlike traditional DoS attacks, Slowloris employs a unique, and more subtle, methodology. 

DoS attacks aim to overwhelm a server with a massive flood of traffic, thus requiring considerable bandwidth and computational power. They are often conspicuous and can be detected and mitigated relatively easily by DDoS protection solutions.

On the other hand, Slowloris attacks adopt a “low-and-slow” approach. Its designed to consume minimal bandwidth and can often appear as regular, legitimate traffic. 

Traditional DoS attacks usually impact the entire network, affecting various services and ports, while Slowloris attacks are targeted exclusively at the web server. The targeted impact enhances the stealthiness of Slowloris attacks and adds to the complexity of its mitigation.

Finally, Slowloris attacks exploit a specific vulnerability in the behavior of HTTP protocol. A DoS is more generic in the way it performs a volumetric attack. Organizations must understand the nuances and safeguard their web applications and servers from targeted and sophisticated attacks, like a Slowloris, in addition to the conventional DoS threats.

How is a Slowloris Attack Mitigated?

To protect a web server from a Slowloris attack, implement a multi-faceted defense strategy. Here are some practical steps that can be taken:

  1. Update web server software: Updating web server software regularly can help protect against Slowloris attacks. Some servers have built-in protection against these forms of attacks. For instance, Apache 2.2.15 and above include a module called ‘mod_reqtimeout’ that helps mitigate Slowloris.
  2. Limit connection time: Configuring your server to limit the maximum time a client can keep a connection open without fully transmitting a request can prevent Slowloris from holding connections indefinitely. This is particularly effective if the server allows for flexibility in the connection time based on the client’s behavior.
  3. Monitoring and managing the connection pool: Maintaining visibility of the connection pool can help identify abnormal behavior. If a large number of connections are open for an unusually long time, it could be an indication of a Slowloris attack. By manually freeing up suspiciously slow connections, a Slowloris attack could be stopped.
  4. Use load balancers or reverse proxies: Load balancers can distribute network traffic across multiple servers, reducing the impact of a Slowloris attack. Similarly, reverse proxies can hide the IP address of your server, making it harder for Slowloris to target.
  5. IP address-based rate limiting: Implementing rate limiting based on IP addresses helps prevent a single IP from consuming all available connections.
  6. Intrusion Detection Systems (IDS): IDS detects unusual traffic patterns and can identify potential Slowloris attacks. Some systems can automatically take corrective actions when they detect an attack.
  7. Apply patches: Several third-party patches can protect specific web servers software from the threat of a Slowloris attack. However, use these with caution and only from trusted sources.

Remember, no single method is completely effective in protecting against Slowloris attacks. A combined approach using a variety of techniques will provide the most effective defense.

See how Imperva DDoS Protection can help you with DDoS attacks.

How Imperva Mitigates DoS and Slowloris Attacks

Imperva DDoS Protection proxies all incoming traffic to block layer 3/4 and layer 7 attacks, such as slowloris, from reaching origin servers.

Imperva secures websites, networks, DNS servers and individual IPs from the largest and most sophisticated types of DDoS attacks – including network, protocol and application level attacks – with minimal business disruption. The cloud-based service keeps online businesses up and running at high performance levels even under attack, avoiding financial losses and serious reputation damage.

The high-capacity global network holds more than six Terabits per second (6 Tbps) of scrubbing capacity and can process more than 65 billion attack packets per second. It scales as needed to absorb the largest attacks that can overwhelm legacy appliances. Imperva incorporates crowdsourced learnings from emerging attack methods across our network, utilizing machine learning for the most up-to-date, accurate, and advanced protection.

Defense in depth

Imperva offers a complete suite of defense-in-depth security solutions providing multiple lines of defense to secure critical applications, APIs, data, and networks. 

The Imperva Application Security Platform, consisting of the web application firewall (WAF), Advanced Bot Protection, DDoS Protection, API Security and more, provides protection for all application-layer attacks as well as smokescreen DDoS assaults.