Slowloris DDoS attack

The Slowloris attack attempts to overwhelm a targeted server by opening and maintaining many simultaneous HTTP connections to the target.

What is a Slowloris DDoS attack?

Slowloris is a denial-of-service attack program that allows an attacker to overwhelm a targeted server by opening and maintaining many simultaneous HTTP connections between the attacker and the target.

How does a Slowloris attack work?

Slowloris is an application layer attack that operates by utilizing partial HTTP requests. The attack functions by opening connections to a targeted Web server and keeping those connections open as long as possible.

Slowloris is not a category of attack but a specific attack tool designed to allow a single machine to take down a server without much bandwidth. Unlike bandwidth-consuming reflection-based DDoS attacks such as NTP amplification, this attack uses low bandwidth. Instead, it aims to use up server resources with requests that seem slower than normal but otherwise mimic regular traffic. It falls in the category of attacks known as “low and slow” attacks. The targeted server will only have many threads available to handle concurrent connections. Each server thread will attempt to stay alive while waiting for the slow request to complete, which never occurs. When the server’s maximum possible connections have been exceeded, each additional connection will not be answered, and denial-of-service will occur.

A Slowloris attack occurs in 4 steps:

1. The attacker opens multiple connections to the targeted server by sending multiple partial HTTP request headers.
2. The target opens a thread for each incoming request, intending to close the thread once the connection is completed. To be efficient, the server will timeout the exceedingly long connection if a connection takes too long, freeing the thread up for the subsequent request.
3. To prevent the target from timing out the connections, the attacker periodically sends partial request headers to the target to keep the request alive. In essence, saying, “I’m still here! I’m just slow; please wait for me.”
4. The targeted server can never release any open partial connections while waiting for the termination of the request. Once all available threads are in use, the server cannot respond to additional requests from regular traffic, resulting in denial of service.

The key behind a Slowloris is its ability to cause much trouble with very little bandwidth consumption.

How is a Slowloris attack mitigated?

For web servers vulnerable to Slowloris, there are ways to mitigate some of the impact. Mitigation options for vulnerable servers can be broken down into 3 general categories:

1. Increase server availability – Increasing the maximum number of clients the server will allow at any one time will increase the number of connections the attacker must make before overloading the server. Realistically, an attacker may scale the number of attacks to overcome server capacity regardless of increases.
2. Rate limit incoming requests – Restricting access based on specific usage factors will help mitigate a Slowloris attack. Techniques such as limiting the maximum number of connections a single IP address can make, restricting slow transfer speeds, and limiting the maximum time a client is allowed to stay connected are all approaches for limiting the effectiveness of low and slow attacks.
3. Cloud-based protection – Use a service that can function as a reverse proxy, protecting the origin server.