What is a Low and Slow Attack?

A low and slow attack is an attacker's attempt to disrupt or otherwise attack an organization without relying on traffic volume.


Essentially, the primary point of a low and slow attack is to get in underneath a volume attack, to run in conjunction with a volume attack, or to hit the target with an attack that stays under the radar and is somewhat obfuscated.

Low and slow attacks are HTTP-oriented attacks that take advantage of legitimate connections and RC protocols to make sure that your website and business services stop functioning. By definition they are legitimate and within standards, and yet they are nefarious.

Low and slow attacks require extraordinary application-level detection: they cannot be scrubbed by cloud scrubbers, so they call for premises-based, advanced application-level detection.

How Does a Low and Slow Attack Work?

Low and slow attacks send slow requests to thread-based web servers, which prevents genuine users from accessing the service. They work by relaying data very slowly, but just fast enough to keep the server from timing out the connection.

To carry out low and slow attacks, cybercriminals can use HTTP headers, HTTP POST requests, or TCP traffic. The following are some examples of low and slow attacks:

  • The Slowloris tool connects to a server and then slowly sends partial HTTP headers. This causes the server to keep the connection open so that it can receive the rest of the headers, tying up the thread.
  • Another tool called R.U.D.Y. (R-U-DEAD-YET?) generates HTTP POST requests that fill out form fields. It tells the server how much data to expect but then sends that data very slowly. The server keeps the connection open because it is anticipating more data.
  • Yet another type of low and slow attack is the Sockstress attack, which exploits a vulnerability in the TCP/IP three-way handshake, creating an indefinite connection.

What Are the Signs of a Low and Slow Attack?

The most common way of identifying a low and slow attack is by carrying out a network behavioral analysis. This analysis should be carried out continuously during everyday operations, and that baseline data should be compared with data from times when you suspect an attack is taking place.

In other words, if an average user takes 15 seconds to complete a transaction and it is now taking them longer, it is highly likely that an attack is taking place, and you should begin taking additional security steps.

Why Are Low and Slow Attacks Dangerous?

Low and slow attacks are difficult to detect, primarily because the traffic appears to be legitimate. What is worrisome about this attack is that it does not require a vast infrastructure to execute; it can be launched from a single device. This makes it possible for virtually anyone to launch a low and slow attack.

How to Mitigate and Prevent a Low and Slow Attack

To mitigate a low and slow attack, you need to begin by identifying the attack through real-time monitoring of the resources that are under attack. This monitoring includes keeping a close eye on CPU, memory, connection tables, application states, application threads, etc.
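As an added example (not from the original article), the following Python code shows what monitoring the connection table for the stalled-header behaviour described in the Slowloris and R.U.D.Y. bullets above can look like. It assumes a hypothetical snapshot of the web server's connection table with per-connection age, bytes received and header-completion state, and flags sources that hold many long-lived connections trickling data well below a normal client's rate.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass
class ConnSnapshot:
    """One entry from a (hypothetical) web server connection table."""
    client_ip: str
    opened_at: float         # epoch seconds when the connection was accepted
    bytes_received: int      # request bytes read from the client so far
    headers_complete: bool   # has the server seen the end of the request headers?


def is_slow_request(c: ConnSnapshot, now: float,
                    min_age: float = 30.0, max_rate: float = 20.0) -> bool:
    """A connection looks like a low-and-slow request when it has been open
    for a long time, still has not delivered complete headers, and is
    trickling bytes at a rate (bytes/s) far below what a real client sends."""
    age = now - c.opened_at
    if age < min_age or c.headers_complete:
        return False
    return c.bytes_received / age < max_rate


def suspicious_sources(conns, now: float, per_source_threshold: int = 10,
                       **thresholds) -> dict:
    """Return {client_ip: count} for sources holding many stalled connections.
    Counting per source separates a single attacking host from the odd
    genuine client on a bad link."""
    counts = Counter(c.client_ip for c in conns
                     if is_slow_request(c, now, **thresholds))
    return {ip: n for ip, n in counts.items() if n >= per_source_threshold}


# Constructed sample: twelve stalled connections from one source (each has
# sent 90 header bytes in two minutes) alongside ordinary traffic.
NOW = 1_700_000_000.0
SAMPLE = [ConnSnapshot("203.0.113.7", NOW - 120, 90, False) for _ in range(12)]
SAMPLE += [
    ConnSnapshot("198.51.100.4", NOW - 2, 640, True),    # normal, finished
    ConnSnapshot("198.51.100.5", NOW - 45, 9000, True),  # slow link but complete
    ConnSnapshot("198.51.100.6", NOW - 3, 50, False),    # just arrived
]

if __name__ == "__main__":
    for ip, n in suspicious_sources(SAMPLE, NOW).items():
        print(f"{ip}: {n} stalled slow connections")
```

The thresholds are placeholders; tune them against the behavioral baseline the previous section recommends so that legitimate slow clients are not flagged.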

The most common method for mitigating any attack, including low and slow attacks, is upgrading your system. In the case of low and slow attacks, this means enhancing server availability. If you have an excess of available connections, you will rarely experience a low and slow attack. However, you cannot be sure, as the attacker could increase their attack capability.

Another possibility is to install a purpose-built Intelligent DDoS Mitigation System (IDMS). This can be deployed within data centers to protect key applications. Additional mitigation approaches include having DDoS protection enabled; DDoS protection is designed to stop attacks before they cause harm to your server.