Back in 2009, a series of cybersecurity incidents in Iran were carried out against Iranian government websites by hacktivists in the region. The primary form of attack? Something called a Slowloris attack. Despite the benign-sounding name, a Slowloris attack can be quite effective when deployed properly. It is not easily detected by ordinary network security defenses, which makes it very difficult to defend against.
Read on to find out just how this simple yet brilliant attack works. Also, read on to find out how you can defend against it.
A Slowloris attack is a type of Distributed Denial-of-Service (DDoS) attack. Created by a hacker known as RSnake, the attack is carried out by a piece of software called Slowloris. The name is derived from the Asian primate; unlike the real slow loris, however, this attack is not adorable. Slowloris allows a single device, such as a personal computer, to take down a server.
Though it originates from one device, which would ordinarily make it a plain Denial-of-Service attack, it is treated as a DDoS attack because it opens many connections to the target server at once. It can do this without putting any strain on bandwidth. Additionally, it targets only the victim's web server, making it a very efficient attack, as no unrelated ports or services are affected.
The result is a server that is put out of commission without the use of a traditional botnet. This makes a Slowloris attack somewhat more advantageous to use, as it is not as "loud" as a full-force attack from thousands of zombie machines. Firewalls can pick up traffic from script kiddies deploying a botnet without any real technical knowledge. When thousands of malformed packets arrive in, say, a span of 10 minutes, most NetSec professionals will notice.
With a Slowloris attack, however, fewer alarm bells are set off. An IDS (Intrusion Detection System) is less likely to shut down an attack that is this precisely targeted. No "malicious" packets are sent during the attack, just incomplete HTTP requests and headers. Additionally, the requests are sent at a relaxed pace so as not to arouse suspicion.
It should be noted that while this attack is effective, it is very slow (hence the pithy name). It can take a long time for the server's connection pool to fill up with incomplete HTTP requests. This is especially true for large websites, such as the Iranian government websites in the infamous 2009 attacks.
It is impossible to prevent a Slowloris attack outright. Despite this, there are steps one can take to mitigate the threat it poses. One is to configure the server to allow more concurrent clients (i.e., raise the maximum connection limit). Another is to limit the number of connections any single IP address may hold open. Other tactics include closing idle or incomplete connections more quickly and enforcing a minimum connection speed.
The way these tactics mitigate a Slowloris attack is fairly simple. These configurations effectively kneecap an attacker by denying them the very conditions they need. Without the ability to stay connected for long periods, and without numerous connections holding open incomplete HTTP requests, the Slowloris attack becomes difficult to pull off.
This is not a bulletproof plan, as the attack can still be attempted. All an attacker needs is time and patience. There are still more methods one can try, however, such as certain firewall configurations and reverse proxies. These also have their limitations, though, and cannot entirely prevent a Slowloris attack.
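As an added example (not code from the original article), the following Python models how the mitigations above operate at a server's connection-handling layer: a per-IP connection cap, a total client cap, a deadline for completing the request header block that is measured from the moment the connection opened (so trickled partial headers cannot reset it), and a minimum receive rate. The `SlowConnectionGuard` class, its timing constants and the three client scenarios are constructed for this demonstration; the IP addresses are from the documentation ranges.

```python
"""Defender-side model of the Slowloris mitigations described above.

Added example; not code from the original article. Time is passed in
explicitly so the constructed scenario runs offline.
"""
from dataclasses import dataclass

HEADER_END = b"\r\n\r\n"  # terminator of an HTTP/1.x request header block


@dataclass
class Conn:
    client_ip: str
    opened_at: float
    buf: bytes = b""
    headers_done: bool = False


class SlowConnectionGuard:
    """Connection-admission and reaping policy (constructed for this example)."""

    def __init__(self, header_deadline=10.0, max_per_ip=20, max_clients=256,
                 min_rate_bps=50.0, rate_grace=3.0):
        self.header_deadline = header_deadline  # seconds allowed to finish the header block
        self.max_per_ip = max_per_ip            # concurrent connections per source IP
        self.max_clients = max_clients          # total concurrent connections
        self.min_rate_bps = min_rate_bps        # bytes/second a header-phase connection must sustain
        self.rate_grace = rate_grace            # seconds before the rate check applies
        self.conns: dict[int, Conn] = {}

    def per_ip_count(self, ip: str) -> int:
        return sum(1 for c in self.conns.values() if c.client_ip == ip)

    def accept(self, conn_id: int, ip: str, now: float) -> bool:
        """Admit a new connection unless a cap would be exceeded."""
        if len(self.conns) >= self.max_clients or self.per_ip_count(ip) >= self.max_per_ip:
            return False
        self.conns[conn_id] = Conn(client_ip=ip, opened_at=now)
        return True

    def feed(self, conn_id: int, data: bytes) -> None:
        """Buffer received bytes; mark the connection complete once the header block ends."""
        c = self.conns[conn_id]
        if not c.headers_done:
            c.buf += data
            c.headers_done = HEADER_END in c.buf

    def sweep(self, now: float) -> list[tuple[int, str]]:
        """Close header-phase connections that are too slow; return (conn_id, reason) pairs."""
        dropped = []
        for conn_id, c in list(self.conns.items()):
            if c.headers_done:
                continue
            age = now - c.opened_at  # deadline runs from open, not from the last byte
            if age >= self.header_deadline:
                reason = "header deadline"
            elif age >= self.rate_grace and len(c.buf) / age < self.min_rate_bps:
                reason = "min receive rate"
            else:
                continue
            dropped.append((conn_id, reason))
            del self.conns[conn_id]
        return dropped


def simulate() -> dict:
    """Constructed scenario: a normal client, a trickling client and a padding client."""
    guard = SlowConnectionGuard()
    result = {}

    # 1. Normal browser (198.51.100.10) completes its headers immediately.
    guard.accept(1, "198.51.100.10", now=0.0)
    guard.feed(1, b"GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: demo\r\n\r\n")

    # 2. Trickling client (203.0.113.7) opens 25 connections against a cap of 20 and
    #    sends a partial header line now and then to keep each one alive.
    attempts = range(100, 125)
    result["refused"] = sum(not guard.accept(cid, "203.0.113.7", now=0.0) for cid in attempts)
    trickle = [cid for cid in attempts if cid in guard.conns]
    for cid in trickle:
        guard.feed(cid, b"GET / HTTP/1.1\r\nHost: example.test\r\n")

    # 3. Padding client (192.0.2.5) sends 600 header bytes at once and then stops:
    #    fast enough for the rate check, but the block is never terminated.
    guard.accept(2, "192.0.2.5", now=0.0)
    guard.feed(2, b"X-pad: " + b"a" * 591 + b"\r\n")

    result["drops_t2"] = guard.sweep(now=2.0)    # inside the grace period: nothing dropped
    for cid in trickle:
        guard.feed(cid, b"X-a: b\r\n")            # keep-alive trickle at t=4 (44 bytes total)
    result["drops_t9"] = guard.sweep(now=9.0)    # 44 B / 9 s is below 50 B/s
    result["drops_t10"] = guard.sweep(now=10.0)  # padder reaches the 10 s header deadline
    result["normal_kept"] = 1 in guard.conns and guard.conns[1].headers_done
    return result


if __name__ == "__main__":
    print(simulate())
```

The point of the scenario is that no single control suffices: the per-IP cap bounds how many slots one source can hold, the rate check catches the classic trickle, and the open-relative deadline catches a client that pads fast enough to satisfy the rate check but never finishes its request. A legitimate client is unaffected because it completes its headers well inside every limit.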