What is a Slow Read Attack?

What is a Slow Read Attack?

A slow read DDoS attack involves an attacker sending an appropriate HTTP request to a server, but then reading the response at a very slow speed, if at all. By reading the response slowly – sometimes as slow as one byte at a time – the attacker prevents the server from incurring an idle connection timeout.  Since the attacker sends a Zero window to the server, the server assumes the client is actually reading the data and therefore keeps the connection open. This has the cumulative effect of consuming server resources, thus preventing legitimate requests from going through.

A Slow Read attack is characterized by a very low number for the TCP Receive Window size, while at the same time draining the attacker’s TCP receive buffer slowly. This in turn creates a condition where the data flow rate is extremely low.

What Are the Signs of a Slow Read Attack?

What Are the Signs of a Slow Read Attack?

Similar to a Slow Post attack, a slow read attack will result in the connection staying open for a long time.  If the attacker establishes multiple connections, for example by using a DDoS Botnet, he/she will be able to fill up the connection tables, resulting in legitimate users not being able to access the services.  The indicators will be that the server has large amount of connections, but very little traffic is sent or received.

Why Are Slow Read Attacks Dangerous?

Why Are Slow Read Attacks Dangerous?

Because Slow Read and other application layer attacks don’t require extensive bandwidth, unlike brute-force DDoS attacks, they can be difficult to differentiate from normal traffic. Since these attacks don’t require a great deal of resources, they can be instigated from a single computer, making them very easy to launch and difficult to mitigate. 

Mitigation Tips For Slow Read Attacks

Mitigation Tips For Slow Read Attacks

Since traditional rate detection techniques won’t stop a Slow Read attack, one mitigation method is to upgrade server capacity. Logically, with more connections available on the server, an attack is less likely to overwhelm that server. Unfortunately, in many cases, the attacker will simply scale up the attack to attempt to overwhelm the increased server capacity.

Another mitigation approach is reverse-proxy-based protection, which will intercept Slow Read attacks prior to reaching the server. While no mitigation method will completely eliminate the threat of Slow Read attacks, the following are additional steps that can be taken:

  • Set an absolute connection timeout based on the median of connections from legitimate clients.
  • Establish a minimum incoming data rate, then drop any connections that are slower than that rate.
  • Consider adding further DDoS mitigation measures such as event-driven software load balancers, hardware load balancers to perform delayed binding, and intrusion detection/prevention systems to drop connections that match suspect behavior patterns gleaned from log files.