What is a Slowloris Attack?
Slowloris is an application layer DDoS attack which uses partial HTTP requests to open connections between a single computer and a targeted Web server, then keeping those connections open for as long as possible, thus overwhelming and slowing down the target. This type of DDoS attack requires minimal bandwidth to launch and only impacts the target web server, leaving other services and ports unaffected. Slowloris DDoS attacks can target many types of Web server software, but has proven highly-effective against Apache 1.x and 2.x.
What Are the Signs of a Slowloris DDoS Attack?
Much as its name implies, a Slowloris DDoS attack is slow and methodical. The attack involves sending partial HTTP requests to the targeted web server, with none ever being completed. As a result, the targeted server opens more connections, assuming the requests will be completed.
Eventually, the server’s maximum allotted connection sockets are consumed one-by-one until fully exhausted, thus blocking any legitimate connection attempts. High-volume Web sites may take longer for Slowloris to completely take over, but ultimately the DDoS attack will result in all legit requests being denied.
NETSCOUT Protects Against Slowloris DDoS Attacks
Why Are Slowloris DDoS Attacks Dangerous?
Because Slowloris sends partial packets, instead of corrupted ones, traditional intrusion detection systems are not particularly effective at detecting this type of DDoS attack. Slowloris DDoS attacks can go on for an extended period of time if they remain undetected. Even when sockets that have been attacked time out, Slowloris will attempt to reinitiate the connection until it achieves its goal of completely overwhelming the server.
This type of DDoS attack is designed to be stealthy and hard to detect, making it particularly dangerous. Slowloris may be altered to send different host headers when targeting a virtual host where logs are stored separately. Slowloris can also prevent log file creation, which would prevent red flags from appearing in log file entries, rendering the attack invisible.
How to Mitigate and Prevent a Slowloris DDoS Attack
Slowloris DDoS attacks can be mitigated by following the following steps:
- Increase the maximum number of clients the Web server will allow
- Limit the number of connections a single IP address is allowed to attempt
- Place restrictions on the minimum transfer speed a connection is allowed
- Constrain the amount of time a client is permitted to stay connected.
In the case of Apache Web servers, several modules can be employed to prevent damage from a Slowloris DDoS attack. These modules include:
- Mod security
Apache 2.2.15 includes the module mod_reqtimeout, which is the solution supported by the developers.
Additional approaches for Slowloris DDoS protection include instituting reverse proxies, firewalls, load balancers or content switches.