What is a Slowloris Attack?
Slowloris is an application layer DDoS attack which uses partial HTTP requests to open connections between a single computer and a targeted Web server, then keeping those connections open for as long as possible, thus overwhelming and slowing down the target. This type of DDoS attack requires minimal bandwidth to launch and only impacts the target web server, leaving other services and ports unaffected. Slowloris attacks can target many type of Web server software, but has proven highly-effective against Apache 1.x and 2.x.
What Are the Signs of a Slowloris Attack?
Much as its name implies, a Slowloris attack is slow and methodical. The attack involves sending partial HTTP requests to the targeted web server, with none ever being completed. As a result, the targeted server opens more connections, assuming the requests will be completed.
Eventually, the server’s maximum allotted connection sockets are consumed one-by-one until fully exhausted, thus blocking any legitimate connection attempts. High-volume Web sites may take longer for Slowloris to completely take over, but ultimately the attack will result in all legit requests being denied.
Why Are Slowloris Attacks Dangerous?
Because Slowloris sends partial packets, instead of corrupted ones, traditional intrusion detection systems are not particularly effective at detecting this type of attack. Slowloris attacks can go on for an extended period of time if they remain undetected. Even when sockets that have been attacked time out, Slowloris will attempt to reinitiate the connection until it achieves its goal of completely overwhelming the server.
This type of attack is designed to be stealthy and hard to detect, making it particularly dangerous. Slowloris may be altered to send different host headers when targeting a virtual host where logs are stored separately. Slowloris can also prevent log file creation, which would prevent red flags from appearing in log file entries, rendering the attack invisible.
How to Mitigate and Prevent a Slowloris Attack
Slowloris attacks can be mitigated by following the following steps:
- Increase the maximum number of clients the Web server will allow
- Limit the number of connections a single IP address is allowed to attempt
- Place restrictions on the minimum transfer speed a connection is allowed
- Constrain the amount of time a client is permitted to stay connected.
In the case of Apache Web servers, several modules can be employed to prevent damage from a Slowloris attack. These modules include:
- Mod security
Apache 2.2.15 includes the module mod_reqtimeout, which is the solution supported by the developers.
Additional approaches for Slowloris DDoS protection include instituting reverse proxies, firewalls, load balancers or content switches.