Understanding the Slowloris Attack

Understanding the Slowloris Attack

The Slowloris attack is a type of denial-of-service (DoS) attack that targets web servers by exhausting their resources, specifically by opening and maintaining numerous incomplete HTTP connections. This relatively low-profile yet effective attack is named after the “Slowloris,” a lethargic primate, reflecting the deliberate and gradual nature of the exploit. Unlike high-bandwidth DoS attacks, which overwhelm servers with massive traffic bursts, the Slowloris attack applies a persistent, methodical approach to disrupt normal server operations without relying on large-scale botnets or unusually high network traffic.

How the Slowloris Attack Works

The attack exploits the way HTTP servers handle connections. Most web servers adhere to certain timeout settings to allow incomplete HTTP headers to be fully received. The Slowloris attacker sends HTTP requests piece by piece at irregular intervals, ensuring the connection remains open but incomplete. By keeping multiple connections in a half-open state, the attacker consumes server resources, such as available threads or file descriptors, until the server can no longer handle new legitimate requests.

A Slowloris attack typically works as follows:

1. **Establishment of Connection:** The attacker opens multiple connections to the target web server.
2. **Partial HTTP Requests:** Instead of sending a full HTTP request, the attacker only transmits tiny packets of data, such as an HTTP header field (HOST, Content-Length, etc.), keeping these incomplete.
3. **Session Maintenance:** The attacker periodically sends small, incomplete packets to maintain each connection and prevent the server’s timeout mechanisms from closing the sessions.
4. **Exhaustion of Resources:** By holding multiple connections open indefinitely, the server runs out of available resources, leading to the denial of access for legitimate users.

What the Traffic Looks Like

The traffic generated by a Slowloris attack can appear deceptively normal, which is why it can bypass basic intrusion detection systems. However, a closer inspection can reveal specific patterns, such as:

• **Unfinished HTTP Headers:** Many connections will include headers that are incomplete or only partially transmitted, e.g., "GET / HTTP/1.1\r\nHost:" followed by prolonged gaps.
• **Frequent but Minimal Packets:** Network traces will show repeated, intermittent small packets, often only a few bytes long, sent periodically from the same origin.
• **No Data Saturation:** Unlike volumetric attacks, Slowloris does not flood the network with high-bandwidth traffic.
• **High Number of Open Sockets:** The attacking IP address will have an unusually high number of simultaneous connections to the target server.

A typical packet that is non-malicious might look like:

GET /index.html HTTP/1.1
Host: www.example.com
Connection: keep-alive

In contrast, a Slowloris packet might look like:

GET / HTTP/1.1\r\n
Host: target-server\r\n
X-a: b

Notice that this is not finished—there’s no final \r\n\r\n.

This slow trickle of data keeps the server engaged, consuming resources without completing valid requests.

How to Detect a Slowloris Attack

Detecting a Slowloris attack requires observing specific traffic patterns and anomalies in HTTP connections. Some practical steps include:

• **Monitoring Connection States:** Use server logs or tools like netstat to identify a suspiciously high number of half-open connections originating from a small set of IP addresses.
• **Analyzing HTTP Headers:** Examine the packets’ header completion rates. A large number of connections with incomplete header data is a key red flag.
• **Setting Custom Alerts:** Configure alerts for unusual session durations or a sudden spike in connections with minimal data throughput.

Tools such as Wireshark can be used to capture and scrutinize packets, while server diagnostic tools like Apache mod_status or NGINX logs allow administrators to analyze active connections in real-time.

Mitigation and Prevention Techniques

Stopping a Slowloris attack requires a combination of proactive server configurations and reactive measures. Below are some key strategies:

1. **Shorten Timeouts:** Configure your web server to reduce the allowable time for incomplete HTTP headers or idle connections:

• **Apache**: Use RequestReadTimeout in the server’s configuration.
• **NGINX**: Set client_header_timeout to enforce stricter limits.

1. **Limit Connection Rates and IPs:** Implement rate-limiting mechanisms to restrict the number of concurrent connections from a single IP address.

• Example: Using tools like mod_evasive for Apache or ngx_http_limit_conn_module for NGINX.

1. **Deploy a Reverse Proxy or Load Balancer:** Tools like HAProxy can handle and filter traffic, offloading suspicious connections without impacting the backend server.

2. **Use Web Application Firewalls (WAF):** A WAF can identify patterns associated with Slowloris attacks and block suspicious activity.
3. **Idle Connection Management:** Some modern web servers or services utilize mechanisms like SYN cookies to limit resource usage for incomplete connections.
4. **Automated Blocking of Malicious IPs:** Utilize Intrusion Detection and Prevention Systems (IDPS), such as Snort or Suricata, to detect repetitive small-packet traffic and dynamically block malicious IP addresses.

By combining these defensive measures with continuous monitoring and updating of network configurations, servers can significantly reduce their susceptibility to Slowloris attacks while ensuring availability for legitimate users.