What is a Slow Post DDoS Attack?
In a Slow Post DDoS attack, the attacker sends legitimate HTTP POST headers to a Web server. In these headers, the sizes of the message body that will follow are correctly specified. However, the message body is sent at a painfully low speed. These speeds may be as slow as one byte every two minutes.
Since the message is handled normally, the targeted server will do its best to follow specified rules. As in a Slowloris attack, the server will subsequently slow to a crawl. Making matters worse, when attackers launch hundreds or even thousands Slow POST attacks at the same time, server resources are rapidly consumed, making legitimate connections unachievable.
What Are the Signs of a Slow Post DDoS Attack?
Slow Post DDoS attacks are characterized by the transmission of HTTP post header requests that target thread-based web servers, sending data extremely slowly, but not slowly enough for the server to time out. Because the server keeps the connection open in anticipation of additional data, genuine users are prevented from accessing the server. The servers would appear to be have a large number of connected clients but the actual processing load would be very low.
Why Are Slow Post DDoS Attacks Dangerous?
Because Slow Post DDoS attacks don’t require extensive bandwidth, such as is needed with brute-force DDoS attacks, they can be difficult to differentiate from normal traffic. Since these types of application layer DDoS attacks don’t require a great deal of resources, they can be instigated from a single computer, making them very easy launch and hard to mitigate.
How to Mitigate and Prevent a Slow Post DDoS Attack
Since traditional rate detection techniques won’t stop a Slow Post DDoS attack, one method is to upgrade server availability. The thinking is that the more connections that are available on the server, the less likely an attack will overwhelm that server. Unfortunately, in many cases, the attacker will simply scale up the attack to attempt to overload the increased server capacity.
Another approach is reverse-proxy-based protection, which will intercept Slow Post DDoS attacks prior to reaching the server.
While no measures will completely eliminate the threat of Slow Post DDoS attacks, the following are additional steps that can be taken:
- Set tighter URL-specific limits for every resource that accepts a message header and body.
- Set an absolute connection timeout based on the median of connections from legitimate clients.
- For HTTP servers that support a backlog, ensure the backlog is large enough to withstand a small DDoS attack.
- Establish a minimum incoming data rate, then drop any connections that are slower than that rate.
- Consider adding further DDoS protection measures such as event-driven software load balancers, hardware load balancers to perform delayed binding, and intrusion detection/prevention systems to drop connections that match suspect behavior patterns gleaned from log files.