
Slowloris

Slowloris is a type of Denial of Service (DoS) attack that targets web servers by holding many connections open simultaneously and sending partial HTTP requests. It works by sending headers very slowly, one at a time, so that each connection stays alive for as long as possible. Because data keeps trickling in, the server never treats these connections as idle and does not close them; eventually its connection pool is exhausted and legitimate users are denied access.

Impact

Slowloris is particularly dangerous for servers that allocate a thread or process per connection, such as Apache. It can bring down a web server with minimal bandwidth from a single machine. Because it uses legitimate HTTP requests, it's harder to detect and block using traditional traffic-based thresholds, making it a stealthy and effective attack method.

Discoverability

Detecting a Slowloris attack can be difficult because the traffic appears legitimate and doesn't spike in volume. However, a high number of concurrent connections with very slow request rates or incomplete HTTP headers can be a red flag. Server logs and behavioral monitoring tools can help spot the unusually persistent open connections that Slowloris creates.

Tools

  • Slowloris (Perl script): The original tool created by hacker RSnake, still widely used and effective against vulnerable servers.
  • SlowHTTPTest: An open-source testing tool that simulates Slowloris and other slow-rate HTTP attacks with detailed configuration options.
  • THC-Slowloris: A fork of the original tool with additional features like SSL support and customizable headers.

Protection

  • Reverse Proxies and Load Balancers: Tools like NGINX or HAProxy can drop incomplete requests after a timeout, shielding the backend server.
  • Apache Modules (mod_reqtimeout): Sets timeouts and minimum data rate thresholds to automatically close suspiciously slow connections.
  • Fail2Ban: Can monitor logs for slow connection patterns and block offending IPs.
  • Cloud WAFs and CDN Services: Services like Cloudflare offer protection against Slowloris by terminating suspicious connections at the edge.
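The mod_reqtimeout defence above works by giving each connection a header-read deadline that grows only when the client actually sends data. The following added example (not code from this page or from Apache) models that policy in Python using the commonly cited setting header=20-40,MinRate=500; the accounting is a simplified assumption of how the real module behaves, and the peer addresses and requests are constructed.

```python
from dataclasses import dataclass

# Simplified model of Apache mod_reqtimeout's "header=" setting (assumption:
# the real module's byte accounting differs in detail). Defaults mirror the
# often-quoted example "RequestReadTimeout header=20-40,MinRate=500".
@dataclass
class HeaderReadPolicy:
    initial_timeout: float = 20.0   # seconds allowed before any extension
    max_timeout: float = 40.0       # hard ceiling however much data arrives
    min_rate: int = 500             # every min_rate bytes received earns +1 s

@dataclass
class Connection:
    peer: str
    started_at: float
    buf: bytes = b""
    headers_complete: bool = False

    def feed(self, data: bytes) -> None:
        """Accumulate header bytes; a blank line ends the header block."""
        self.buf += data
        if b"\r\n\r\n" in self.buf:
            self.headers_complete = True

def deadline(conn: Connection, policy: HeaderReadPolicy) -> float:
    """Absolute time by which the header block must be complete."""
    earned = len(conn.buf) // policy.min_rate
    allowed = min(policy.max_timeout, policy.initial_timeout + earned)
    return conn.started_at + allowed

def should_close(conn: Connection, policy: HeaderReadPolicy, now: float) -> bool:
    """True when the headers are still incomplete past their deadline."""
    return not conn.headers_complete and now > deadline(conn, policy)

def sweep(conns: list, policy: HeaderReadPolicy, now: float) -> list:
    """Return the peers whose connections should be dropped at time `now`."""
    return [c.peer for c in conns if should_close(c, policy, now)]

if __name__ == "__main__":
    policy, t0 = HeaderReadPolicy(), 1000.0
    # Constructed connections: one normal client that finishes its headers,
    # one Slowloris-style client that sends a single partial header and stops.
    good = Connection("10.0.0.5", t0)
    good.feed(b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")
    slow = Connection("198.51.100.7", t0)
    slow.feed(b"GET / HTTP/1.1\r\nHost: example.test\r\nX-a: b\r\n")
    print(sweep([good, slow], policy, t0 + 10))   # [] still inside 20 s
    print(sweep([good, slow], policy, t0 + 25))   # ['198.51.100.7']
```

The max_timeout ceiling is what stops a client from keeping a connection alive indefinitely by padding headers at exactly the minimum rate.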