Slowloris (cyber attack)

Software for executing a denial-of-service attack

From Wikipedia, the free encyclopedia

Slowloris is a type of denial of service attack tool which allows a single machine to take down another machine's web server with minimal bandwidth and side effects on unrelated services and ports. It is the prototypical slow DoS attack tool.

Slowloris
Initial release: 17 June 2009
Stable release: 0.7
Written in: Perl
Platform: Cross-platform
Size: 36 KB
Type: Hacking tool
Website: ha.ckers.org/slowloris/

Slowloris tries to keep many connections to the target web server open and hold them open as long as possible. It accomplishes this by opening connections to the target web server and sending a partial request. Periodically, it will send subsequent HTTP headers, adding to, but never completing, the request. Affected servers will keep these connections open, filling their maximum concurrent connection pool, eventually denying additional connection attempts from clients.[1]

The program was named after slow lorises, a group of primates which are known for their slow movement.

Affected web servers

This includes but is not necessarily limited to the following, per the attack's author:[1]

  • Apache 1.x and 2.x
  • dhttpd
  • Websense "block pages" (unconfirmed)
  • Trapeze Wireless Web Portal (unconfirmed)
  • Verizon's MI424-WR FIOS Cable modem (unconfirmed)
  • Verizon's Motorola Set-top box (port 8082 and requires auth - unconfirmed)
  • BeeWare WAF (unconfirmed)
  • Deny All WAF (patched)[2]
  • Flask (development server)

The following are disputed (not affected according to author but affected according to PowerWAF):

  • Internet Information Services (IIS) 6.0 and earlier[3]
  • Nginx 1.5.9 and earlier[3]

Because Slowloris exploits problems handling thousands of connections, the attack has less of an effect on servers that handle large numbers of connections well. Proxying servers and caching accelerators such as Varnish, nginx, and Squid have been recommended[4] to mitigate this particular kind of attack. In addition, certain servers are more resilient to the attack by way of their design, including Hiawatha,[5] IIS, lighttpd, Cherokee, and Cisco CSS.[1]

Affected by variants

slowloris.pl (the original version) offers the following options:[6]

  • Choice of DNS server and target port.
  • Choice of HTTP timeout, connection count, local TCP timeout.
  • Avoidance of HTTP cache (not well-tested)
  • Avoidance of httpready protection by substituting GET for POST
  • Option to use more than one Host: parameter for virtual hosting-enabled targets. This often results in attack connections being logged to separate log files, making it stealthier.
  • Option to use HTTPS instead of HTTP. This simply applies the attack on the encapsulated HTTP connection and is not an attack on the SSL/TLS handshake. Not very useful per the author.

PowerWAF claims that there is a variant attack on the SSL/TLS handshake process. The following are allegedly affected:

  • Apache HTTP Server 2.2.15 and earlier[3]
  • Internet Information Services (IIS) 7.0 and earlier[3]

Mitigating the Slowloris attack

While there are no reliable configurations of the affected web servers that will prevent the Slowloris attack, there are ways to mitigate or reduce the impact of such an attack. In general, these involve increasing the maximum number of clients the server will allow, limiting the number of connections a single IP address is allowed to make, imposing restrictions on the minimum transfer speed a connection is allowed to have, and restricting the length of time a client is allowed to stay connected.

In the Apache web server, a number of modules can be used to limit the damage caused by the Slowloris attack; the Apache modules mod_limitipconn, mod_qos, mod_evasive, mod_security, mod_noloris, and mod_antiloris have all been suggested as means of reducing the likelihood of a successful Slowloris attack.[1][7] Since Apache 2.2.15, Apache ships the module mod_reqtimeout as the official solution supported by the developers.[8]
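The limits described in the two paragraphs above (a per-IP connection cap, a minimum transfer rate, and a bound on how long a request may take) can be expressed as a small policy check over a snapshot of open connections. This is an added example, not code from Apache or from any module named here; the deadline rule is modelled on the `header=20-40,MinRate=500` form of mod_reqtimeout's `RequestReadTimeout` directive. The `Conn` and `Policy` types, the thresholds, and the sample connections are all hypothetical.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass
class Conn:                      # hypothetical snapshot of one open connection
    ip: str
    age_s: float                 # seconds since the connection was accepted
    header_bytes: int            # request-header bytes received so far
    headers_done: bool           # True once the header-terminating blank line arrived

@dataclass
class Policy:                    # illustrative thresholds, not recommended values
    max_conns_per_ip: int = 3
    header_initial_s: float = 20.0
    header_max_s: float = 40.0
    min_rate: float = 500.0      # bytes per second

def header_deadline(c: Conn, p: Policy) -> float:
    """Base timeout plus 1 s per min_rate bytes received, capped at header_max_s."""
    return min(p.header_max_s, p.header_initial_s + c.header_bytes / p.min_rate)

def connections_to_drop(conns: list[Conn], p: Policy) -> dict[int, str]:
    """Map index -> reason for each connection the policy would close.
    conns is ordered oldest first, so the per-IP cap refuses the newest ones."""
    seen, drop = Counter(), {}
    for i, c in enumerate(conns):
        seen[c.ip] += 1
        if seen[c.ip] > p.max_conns_per_ip:
            drop[i] = "per-ip-limit"
        elif not c.headers_done and c.age_s > header_deadline(c, p):
            drop[i] = "slow-headers"
    return drop

def sample_connections() -> list[Conn]:
    """Constructed data (documentation-range addresses), not captured traffic."""
    stalled = [Conn("198.51.100.7", 60.0, 200, False) for _ in range(5)]
    finished = Conn("203.0.113.20", 2.0, 480, True)     # complete request
    slow_link = Conn("203.0.113.21", 15.0, 300, False)  # slow but inside deadline
    return stalled + [finished, slow_link]

if __name__ == "__main__":
    for idx, why in connections_to_drop(sample_connections(), Policy()).items():
        print(idx, why)
```

The client at index 6 has sent only 300 bytes in 15 seconds but is kept, because its deadline has not yet passed; a policy keyed on byte count alone would penalise slow legitimate links.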

Other mitigating techniques involve setting up reverse proxies, firewalls, load balancers or content switches.[9] Administrators could also change the affected web server to software that is unaffected by this form of attack. For example, lighttpd and nginx do not succumb to this specific attack.[1] (However, nginx suffers from a similar goloris attack which substitutes the HTTP GET with HTTP POST; the ngx_http_limit_conn_module is the author's recommended solution.)[10]

Notable usage

During the protests that erupted in the wake of the 2009 Iranian presidential election, Slowloris arose as a prominent tool used to carry out DoS attacks against sites run by the Iranian government.[11] The belief was that flooding DDoS attacks would affect internet access for the government and protesters equally, due to the significant bandwidth they can consume. The Slowloris attack was chosen instead, because of its high impact and relatively low bandwidth.[12] A number of government-run sites were targeted during these attacks, including gerdab.ir, leader.ir, and president.ir.[13]

A variant of this attack was used by spam network River City Media to force Gmail servers to send thousands of messages in bulk, by opening thousands of connections to the Gmail API with message sending requests, then completing them all at once.[14] (See Slow DoS attack for more information on similar attacks.)

Similar software

Since its release, a number of programs have appeared that mimic the function of Slowloris while providing additional functionality, or running in different environments:[15]

  • PyLoris – A protocol-agnostic Python implementation supporting Tor and SOCKS proxies.[16]
  • Slowloris – A Python 3 implementation of Slowloris with SOCKS proxy support.[17]
  • Goloris – Slowloris for nginx, written in Go.[10]
  • slowloris – Distributed Golang implementation.[18]
  • QSlowloris – An executable form of Slowloris designed to run on Windows, featuring a Qt front end.[19]
  • An unnamed PHP version which can be run from an HTTP server.[20]
  • SlowHTTPTest – A highly configurable slow attacks simulator, written in C++.[21][22]
  • SlowlorisChecker – A Slowloris and Slow POST POC (Proof of concept). Written in Ruby.[23]
  • Cyphon – Slowloris for Mac OS X, written in Objective-C.[24]
  • sloww – Slowloris implementation written in Node.js.[25]
  • dotloris – Slowloris written in .NET Core.[26]
  • SlowDroid – An enhanced version of Slowloris written in Java for running on Android, reducing the attack bandwidth to a minimum.[27]
