What is a Slowloris DDoS Attack?

Slowloris DDoS Attack

There’s a crowded restaurant. Everyone is waiting to be seated, but a group of people keeps hogging tables without ordering food. Now, there’s a conundrum: The restaurant is almost full, new customers are waiting, but those freeloaders are still occupying a fair number of tables.

That’s basically what Slowloris DDoS attack does. Instead of hungry customers, we have internet traffic. And instead of tables, we have a website's resources. A Slowloris attack is a sneaky way to overload a website by tying up all its available resources. Here is how it works:

What is a Slowloris DDoS Attack?

A Slowloris DDoS attack is a type of cyber-attack that aims to overwhelm a web server by maintaining numerous connections open with it for as long as possible. This results in the server’s resources being exhausted, making it unable to process legitimate user requests.

The term "Slowloris" was coined by its developer, Robert "RSnake" Hansen, in 2009, combining the words "slow" (describing the attack's gradual nature) and "loris" (a type of slow-moving primate).

Slowloris stands out because it requires very little bandwidth to execute. This makes it an accessible tool for attackers who may not have the resources to launch large-scale attacks. It specifically targets the server's connection-handling ability rather than attempting to flood it with excessive traffic.

What Makes it so Scary?

The effectiveness of a Slowloris attack lies in its ability to keep the targeted server's connections open indefinitely. It does this by sending partial HTTP requests to the server, keeping the connection alive and preventing it from timing out.

By doing this repeatedly across many connections, Slowloris eventually maxes out the server’s available connections, causing it to reject new, legitimate ones. This approach allows the attacker to potentially bring down large websites with just a single machine.

61% of small to medium-sized businesses (SMBs) reported being victims of DDoS attacks, with Slowloris being one of the common methods due to its low resource requirement .

How Slowloris DDoS Attack Works

A Slowloris DDoS attack is a methodical and low-bandwidth approach to incapacitate web servers by exploiting how they manage connections.

Here is how this attack functions:

Target Selection

The attacker chooses a target, typically a web server, running specific types of software that are known to be vulnerable to Slowloris attacks, such as Apache or any server that has a large number of simultaneous connections open by default.

Initiation of Partial HTTP Requests

The attack begins with the attacker’s machine initiating multiple connections to the target server.
Instead of completing the HTTP requests, the attacker sends only the headers (or part of them) without actually sending the full request.

Maintaining Connections Open

To keep these connections alive, the attacker sends additional HTTP headers periodically. This tricks the server into thinking that a legitimate client is still sending data, preventing the server from closing these connections due to inactivity.

Resource Exhaustion

As the server continues to wait for the complete HTTP request from each connection, it allocates resources (such as memory and threads) to maintain these connections.
The server’s connection table, which manages active connections, becomes saturated as more incomplete requests keep coming in.

Maximizing Open Connections

The attacker gradually increases the number of these open connections until the server reaches its limit for simultaneous connections.
This is achieved by scripting or using dedicated tools that automate the sending of partial requests, enabling the attack to continue without manual intervention.

Denial of Service

Once the server hits its connection limit, it cannot accept any new connections, including legitimate traffic from real users.
Users attempting to access the website are either met with long loading times or are completely unable to reach the site, effectively rendering the service unavailable.

Low Resource Requirement

One of the distinctive features of a Slowloris attack is that it requires very little bandwidth and resources from the attacker. This makes it possible to execute such an attack even from a single machine or a small botnet.

Avoidance of Detection

Since Slowloris attacks do not generate significant traffic spikes, they often bypass traditional detection methods that rely on monitoring large-scale traffic anomalies.
The attack’s stealthy nature makes it harder for security teams to recognize and mitigate the threat in a timely manner.

Continuity and Persistence

The attacker continues to send incomplete requests over time, maintaining the server’s saturation and prolonging the denial of service as long as needed.
The attack can persist for hours or even days until the server is rebooted or specific countermeasures are applied.

Common Targets of Slowloris Attacks

Slowloris attacks tend to target specific types of web servers and environments that are more susceptible to this method of attack. Here are some common targets:

Target	Description
Apache Web Servers	Apache is one of the most widely used web server software and is particularly vulnerable due to its default handling of concurrent connections. Many configurations do not close idle connections quickly enough, making it a prime target for Slowloris. In 2023, 45% of web servers targeted by Slowloris were Apache servers, due to their vulnerability to this type of attack.
Shared Hosting Environments	Shared hosting providers host multiple websites on a single server. An attack on one site can affect the performance of all websites on that server. This makes shared hosting a frequent target, as a successful attack can cause widespread disruption.
Small and Medium Businesses (SMBs)	SMBs often lack robust security infrastructure and resources, making them more vulnerable to Slowloris attacks. They may not have the necessary defenses in place to detect and mitigate such attacks promptly.
Non-Distributed Server Architectures	Servers that are not distributed or do not have load balancing are more susceptible to being overwhelmed by Slowloris attacks. Single-point servers with limited capacity are easier to target.
Sites with High User Interaction	Websites that rely heavily on user interaction, such as forums, chat rooms, or online gaming platforms, are attractive targets because the impact of the downtime is more pronounced.
Legacy Systems	Older systems with outdated software may not have the necessary updates or configurations to fend off Slowloris attacks, making them more vulnerable targets.
Public Sector and Educational Institutions	These entities often run services on legacy systems and might not have the funding for advanced cybersecurity measures, making them appealing targets for attackers.

Detecting a Slowloris Attack

Unlike traditional DDoS attacks that flood servers with high traffic, Slowloris uses legitimate-looking HTTP requests at a slow pace, making it difficult to spot using standard monitoring tools:

Signs of a Slowloris Attack

High Number of Open Connections: A significant indicator of a Slowloris attack is a large number of open, idle connections on the server, consuming its resources.
Persistent Partial Requests: Requests that remain open without being completed for an extended period are another red flag.
Increased Server Load: The server might exhibit higher CPU and memory usage as it tries to manage numerous incomplete connections.
Decreased Server Performance: Users might experience slower response times or inability to access the site.
Logs with Partial HTTP Requests: Web server logs might show a pattern of incomplete or malformed HTTP requests.

Tools for Detection

Netstat: A command-line tool that displays network connections and statistics. You can use it to check for an unusually high number of open connections.
Wireshark: A network protocol analyzer that captures and analyzes packet data on the network. It can help identify unusual patterns in HTTP traffic.
Custom Scripts: Writing scripts to automate monitoring and detection of abnormal connection patterns can be effective.

1. Detecting Slowloris with Netstat

The netstat command can be used to list all current network connections. By filtering for specific criteria, you can detect potential Slowloris attacks.

Command Example:

netstat -ant | grep ':80 ' | grep 'SYN_RECV' | wc -l

-a: Shows all connections.
-n: Displays addresses and port numbers in numerical form.
-t: Lists TCP connections.
grep ':80 ': Filters for HTTP port (80).
grep 'SYN_RECV': Filters connections in the SYN_RECV state, which indicates half-open connections.
wc -l: Counts the number of connections matching the criteria.

This command helps identify the number of half-open connections on port 80, which can indicate a Slowloris attack.

2. Using Wireshark for Detection

Wireshark can be configured to capture and analyze packets. Look for patterns of incomplete HTTP requests or long-lasting connections.

‍Filter Example:

http.request.method == "GET" && tcp.flags.syn == 1

http.request.method == "GET": Filters HTTP GET requests.
tcp.flags.syn == 1: Looks for SYN packets, indicating new connection attempts.

Analyzing packet data with these filters can reveal suspicious activity associated with Slowloris attacks.

3. Writing a Python Script for Detection

You can automate Slowloris detection by writing a Python script that analyzes server connections.

Ideally, you would be looking at machine learning models and multiple scripts, but for the sake of understanding, here’s an example of a script that checks for abnormal connection patterns.

import socket
import subprocess

def get_open_connections():
    # Execute netstat command to get open connections
    result = subprocess.run(['netstat', '-ant'], capture_output=True, text=True)
    return result.stdout

def detect_slowloris_attack(threshold=100):
    connections = get_open_connections()
    syn_recv_count = connections.count('SYN_RECV')
    
    if syn_recv_count > threshold:
        print("Potential Slowloris attack detected!")
        print(f"Number of SYN_RECV connections: {syn_recv_count}")
    else:
        print("No signs of Slowloris attack detected.")
        
if __name__ == "__main__":
    detect_slowloris_attack()

get_open_connections(): Runs the netstat command and retrieves open connections.
detect_slowloris_attack(threshold): Checks if the number of connections in the SYN_RECV state exceeds the threshold.
syn_recv_count: Counts occurrences of SYN_RECV, indicating half-open connections.
Threshold: Set to a value that represents normal traffic; adjust based on server capacity and expected load.

For proper mitigation strategies, you can check this answer on: Why are DDoS Attacks Increasing and How to Mitigate?

Conclusion

To sum it up, a slowloris attack is a sneaky way of stalling server resources, and making it implode on itself. This can have serious implications, especially for businesses that rely heavily on their online presence. However, solutions from rate limiting to reverse proxies exist to combat the attack.

‍

Published on:

August 20, 2024