Slow Loris DoS Attack

From Embedded Lab Vienna for IoT & Security
Revision as of 09:39, 4 May 2020 by Cskallak

Summary

Description what this documentation is about

Description

Slow Loris was invented by Robert Hansen (“RSnake”) and published in June 2009. This denial-of-service (DoS) attack belongs to the category of low-and-slow attacks. This type of DoS attack doesn't need a tremendous amount of computing power or bandwidth to make a big impact. It is even possible to take down a small website using only a PC that doesn’t even run under full load during the attack.

The attack works only against a portion of web server programs, such as Apache, because it targets a specific design decision in their connection management. Apache is designed to allow only a predefined number of connections, which can be edited in the configuration file. Slow Loris exploits this vulnerability by opening a huge number of connections and keeping them alive during the attack. This fills up the available connections of the web server and prevents legitimate users from accessing it.

The Slow Loris attack keeps all its connections alive by exploiting another inconvenience of the HTTP protocol. HTTP is designed to keep a connection alive until the whole request has been sent, or until no data has been sent for a period of time and a timer expires. This design decision is needed for extremely slow connections, which were quite common in 1991 when HTTP came out. Slow Loris abuses this feature by never ending the request and sending small header packets of a handful of bytes.

Figure 1 (image)

Figure 1 shows one HTTP connection of the original implementation. It starts by sending the GET request line, followed by the User-Agent information and the accepted language. The exploit then takes place: a random number is sent in the X-a HTTP header field every fifteen seconds without the request ever being closed. HTTP allows custom header fields, which always start with “X-”.
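The following added example (not part of the original page or of slowloris.py) replays the receive timeline described above against two server-side timeout policies, to show why an idle timer alone never fires and why a deadline on the whole header block does. The timeout values, the `Host` header and the deadline rule (a simplified model of Apache mod_reqtimeout's `RequestReadTimeout header=20-40,MinRate=500`) are assumptions; the timelines are constructed sample data.

```python
END_OF_HEADERS = b"\r\n\r\n"

def idle_only(chunks, idle_timeout, observed_until):
    """Close only when no bytes arrive for idle_timeout seconds."""
    buf, last = b"", 0.0
    for t, data in chunks:
        if t - last > idle_timeout:
            return ("dropped", last + idle_timeout)
        buf, last = buf + data, t
        if END_OF_HEADERS in buf:
            return ("served", t)
    if observed_until - last > idle_timeout:
        return ("dropped", last + idle_timeout)
    return ("still_open", observed_until)

def header_deadline(chunks, initial, maximum, min_rate, observed_until):
    """Deadline for the complete header block: `initial` seconds, extended
    by 1 s per `min_rate` bytes received, never beyond `maximum` seconds."""
    buf, deadline = b"", float(initial)
    for t, data in chunks:
        if t > deadline:
            return ("dropped", deadline)
        buf += data
        if END_OF_HEADERS in buf:
            return ("served", t)
        deadline = min(maximum, initial + len(buf) / min_rate)
    if observed_until > deadline:
        return ("dropped", deadline)
    return ("still_open", observed_until)

# Constructed timelines: (seconds since accept, bytes received).
HEAD = (b"GET / HTTP/1.1\r\nHost: example.test\r\n"
        b"User-Agent: demo\r\nAccept-language: en\r\n")
# Shape from Figure 1: headers never terminated, one X-a field every 15 s.
SLOW = [(0.0, HEAD)] + [(15.0 * i, b"X-a: %d\r\n" % (1000 + i))
                        for i in range(1, 21)]
# Ordinary client: the full header block arrives almost immediately.
NORMAL = [(0.05, HEAD + b"\r\n")]

if __name__ == "__main__":
    for name, tl in (("slow", SLOW), ("normal", NORMAL)):
        print(name, "idle-only:", idle_only(tl, 60, 300))
        print(name, "deadline :", header_deadline(tl, 20, 40, 500, 300))
```

With a 60-second idle timer the slow connection still occupies a worker slot after five minutes, while the header deadline releases it shortly after 20 seconds; the ordinary client is served under both policies.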

Affected Webservers

Examine the source code of slowloris.py


References