What is a Low and Slow Attack?
A low and slow attack, also known as a slow-rate attack, sends what appears to be legitimate traffic at a very slow rate. This type of state exhaustion attack targets application and server resources and is difficult to distinguish from normal traffic. Common attack tools include Slowloris, Sockstress, and R.U.D.Y. (R U Dead Yet?), which generate legitimate-looking packets at a slow rate, allowing the traffic to go undetected by traditional mitigation strategies.
Low and slow attacks are often HTTP focused, but they can also involve long-lived TCP sessions (slow transfer rates) that attack any TCP-based service.
What Are the Signs of a Low and Slow Attack?
Detecting a low and slow attack can be accomplished by performing network behavioral analysis during normal operations and then comparing that baseline to periods when an attack might be occurring. For instance, if a user requires considerably more time to complete a transaction that normally would only take 10 seconds, then an attack is likely taking place and additional security steps should be taken.
Why Are Low and Slow Attacks Dangerous?
Traffic from low and slow attacks is especially hard to detect because, at the application layer, it looks like legitimate traffic to network-focused security devices. And since these attacks don't require extensive resources to execute, they can be launched from a single computer, making it possible for virtually anyone to launch such an attack. The increasing proliferation of vulnerable IoT devices makes it easy for attackers to build huge botnets that can participate in such a DDoS attack, leaving the destination system unable to service legitimate requests.
How to Mitigate and Prevent a Low and Slow Attack
Detecting low and slow attacks necessitates real-time monitoring of the resources under attack, such as CPU, memory, connection tables, application states, application threads, etc. One method for mitigating low and slow attacks is to upgrade servers and improve their availability. With more connections available, a server is less likely to be overwhelmed by an attack. However, the attacker may simply scale the attack to overcome the available resources.
Another option is to deploy a purpose-built Intelligent DDoS Mitigation System (IDMS) in the data centers that run the key applications you are trying to protect. An IDMS can be further tuned to protect the specific applications and services running behind it.
Additional mitigation approaches include reverse-proxy based DDoS protection, which is designed to stop attacks before they reach the origin server.
Constant monitoring of the resource allocation status and trends of protected servers can help pinpoint attempts to overwhelm those resources.
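As an added illustration of the baseline comparison described under the signs of an attack and the connection-table monitoring described above (example code written for this page, not a tool from any vendor), the heuristic below scans a snapshot of open server connections and flags clients that hold many connections far older than the normal 10-second transaction time while sending data at a trickle. The connection records, the thresholds and the client addresses are constructed assumptions, not values from the page.

```python
"""Heuristic detector for slow-rate connection hoarding (defensive example).

Each record is a snapshot of one open server connection as a connection
table or reverse proxy would expose it: client address, seconds since
accept, and bytes received so far. Normal requests finish in ~10 s; a
slow-rate client keeps many connections open for minutes while feeding
each one only a few bytes, so age and throughput together separate them
from a legitimate long transfer, which is old but moves data quickly.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    client: str
    age_s: float   # seconds since the connection was accepted
    bytes_in: int  # bytes received from the client so far


def flag_slow_clients(conns, baseline_s=10.0, age_factor=6.0,
                      max_rate_bps=20.0, min_conns=5):
    """Return {client: count} for clients holding at least min_conns
    connections that are older than age_factor * baseline_s and whose
    inbound rate is below max_rate_bps bytes per second. Thresholds are
    assumptions; tune them from the observed baseline of the real server."""
    suspects = defaultdict(int)
    for c in conns:
        rate = c.bytes_in / c.age_s if c.age_s > 0 else float("inf")
        if c.age_s > age_factor * baseline_s and rate < max_rate_bps:
            suspects[c.client] += 1
    return {ip: n for ip, n in suspects.items() if n >= min_conns}


# Constructed snapshot: addresses and byte counts are made up for the demo.
SAMPLE_CONNS = (
    # normal browsing client: young connections, bytes arrive promptly
    [Conn("10.0.0.5", age, b) for age, b in [(2, 1200), (4, 3000), (8, 5000)]]
    # one legitimate long upload: old, but moving data at a high rate
    + [Conn("10.0.0.9", 300, 50_000_000)]
    # slow-rate client: eight aged connections each fed a few bytes
    + [Conn("203.0.113.7", 120 + 40 * i, 30 + 5 * i) for i in range(8)]
    # two stalled connections from one client: below min_conns, not flagged
    + [Conn("198.51.100.3", 200, 40), Conn("198.51.100.3", 240, 50)]
)

if __name__ == "__main__":
    print(flag_slow_clients(SAMPLE_CONNS))  # {'203.0.113.7': 8}
```

In production the snapshot would come from the server's connection table (for example a periodic dump of established sockets with their byte counters), and the flagged clients would be rate-limited or dropped at the proxy or IDMS rather than printed.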