Slowloris is a layer 7 (application layer) denial-of-service attack that targets web servers and applications. It tries to exhaust a targeted server by opening and holding many simultaneous HTTP connections. As its name implies, a Slowloris attack is slow and methodical: it sends partial HTTP requests to the targeted web server and never completes any of them, so the server keeps every connection open, “waiting” for the rest of the request. These half-finished requests accumulate, methodically, until the server’s connection limit is reached and it can no longer serve anyone else.
The attack is named after the slow loris, a slow-moving Asian primate, and like its namesake it is slow but toxic: slow lorises have a venomous bite, a rare trait among mammals and unique among primates. In the same way, the Slowloris attack waits for sockets to be released by legitimate requests and then consumes them one by one, poisoning its target. Just as one should not be fooled by the primate’s cuddly appearance, CISOs and security engineers should not dismiss the Slowloris attack. It is not a new attack vector, and its roots go back to 2009, but in recent years we have seen a growing number of Slowloris attacks.
The Slowloris DDoS Attack Origins
The Slowloris attack was developed by Robert Hansen, AKA “RSnake”, an American computer hacker, executive, and entrepreneur, and published in June 2009. Slowloris is attack software that lets a single machine tie up and eventually disable a web server. Because the attack is simple but elegant, it needs minimal bandwidth and affects the target’s web server with almost no side effects on other services and ports. It is most effective against servers that dedicate a thread or process to each connection (for example Apache’s prefork and worker MPMs, which have a fixed MaxRequestWorkers/MaxClients limit) and far less effective against event-driven servers such as nginx, which can hold many thousands of idle connections cheaply. The Slowloris attack has proven very effective against many popular types of web-based services, most notably governmental and BFSI services.
Over the years, Slowloris has been credited with several high-profile, successful DDoS attacks. The best-known example is its use by Iranian activists to attack Iranian government websites during the protests that followed the 2009 Iranian presidential election. It is sometimes also linked to the large-scale DDoS attacks surrounding the 2008 conflict between Russia and Georgia, which took down Russian media and governmental sites and many Georgian sites; those attacks, however, predate the tool’s June 2009 release. Unfortunately, Slowloris is a free and open-source tool that is available to any threat actor who wishes to use it, and it is extremely easy to find. The original is a short Perl script, and Python reimplementations are widely available; running it requires almost no experience in executing DDoS attacks.
Why DDoS Perpetrators Love the Slowloris DDoS Attack
Slowloris is a layer 7 attack. Layer 7 is the application layer of the OSI model, the layer at which HTTP operates, the Internet protocol on which browser-based requests are built. HTTP is used to load web pages and to send form contents over the Internet, and it is the foundation of data communication for the World Wide Web. Slowloris is a “low and slow” DDoS vector. Rather than saturating bandwidth, it exhausts the server’s pool of concurrent connections (worker threads, processes or connection slots): it opens connections slowly, sends an incomplete request on each one, and keeps every connection alive for as long as possible. Because each held connection costs the attacker almost nothing, a single attacking machine can take down a vulnerable web server.
When the number of open connections reaches the server’s limit, the server can no longer respond to legitimate requests from other users, effectively causing a denial of service. The Slowloris attack aims to fill up the connections table so that it cannot serve new requests from legitimate users. This is accomplished using two primary behaviours:
Irregular rate of opening new connections
New TCP connections are opened in bursts, with variable pauses between bursts, which blunts rate-based detection and mitigation.
Keeping established TCP connections open
Each established connection carries a single incomplete HTTP request: the request line and a few headers are sent, but never the blank line that terminates the header block. Every few seconds the attacker sends one more harmless header line on the same connection (the original tool sends lines such as X-a: b), which resets the server’s idle timer without ever completing the request. The server must keep the connection open and its worker slot and memory allocated while it waits. A steadily growing number of long-lived, mostly idle connections from a single source, each of which has delivered only a few hundred bytes, is a high-probability sign of a Slowloris attack.
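The two behaviours above, as an added example that is not part of the original article and is not the Slowloris tool itself: a small Python model of a thread-per-connection server with a fixed number of worker slots, driven by bursty connection opening and periodic keep-alive header lines. It goes one step beyond the text by comparing two timeout policies: an idle timeout that every received byte resets, which the keep-alive lines defeat, and a deadline on the whole header-reading phase, which closes the held connections. All addresses, schedules and limits are constructed for the illustration.

```python
"""Why a Slowloris connection stays open, and which kind of timeout actually closes it.

Added example for this article: a discrete-time model of a thread-per-connection
server, not the Slowloris tool and not any web server's real code. Every schedule,
address and limit below is constructed for the illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional

CRLF = b"\r\n"


def partial_request(host: bytes = b"target.example") -> bytes:
    """A well-formed request line and headers, deliberately missing the blank
    line that terminates the header block, so the server keeps waiting."""
    return (b"GET / HTTP/1.1" + CRLF
            + b"Host: " + host + CRLF
            + b"User-Agent: Mozilla/5.0" + CRLF)


def keepalive_line(n: int) -> bytes:
    """One more harmless header, sent every few seconds so the socket never goes idle."""
    return b"X-a: %d" % n + CRLF


def headers_complete(buf: bytes) -> bool:
    """What the server waits for before it parses, serves and logs the request."""
    return CRLF + CRLF in buf


@dataclass(eq=False)  # identity semantics: ten identical-looking slots are still ten slots
class Slot:
    src: str
    opened_at: int
    last_byte_at: int
    buf: bytes


@dataclass
class Server:
    max_clients: int
    idle_timeout: Optional[int] = None     # reset by every received byte (Apache 'Timeout')
    header_deadline: Optional[int] = None  # counted from connection open (mod_reqtimeout style)
    slots: List[Slot] = field(default_factory=list)
    rejected: List[tuple] = field(default_factory=list)

    def reap(self, now: int) -> None:
        """Drop connections whose timeout has expired."""
        def expired(s: Slot) -> bool:
            idle = self.idle_timeout is not None and now - s.last_byte_at > self.idle_timeout
            late = (self.header_deadline is not None and not headers_complete(s.buf)
                    and now - s.opened_at > self.header_deadline)
            return idle or late
        self.slots = [s for s in self.slots if not expired(s)]

    def open(self, src: str, now: int, data: bytes) -> Optional[Slot]:
        """Accept a connection if a worker slot is free, otherwise refuse it."""
        self.reap(now)
        if len(self.slots) >= self.max_clients:
            self.rejected.append((src, now))
            return None
        slot = Slot(src, now, now, data)
        self.slots.append(slot)
        return slot

    def feed(self, slot: Slot, now: int, data: bytes) -> None:
        slot.buf += data
        slot.last_byte_at = now


def legit_rejections(idle_timeout=None, header_deadline=None,
                     max_clients=50, horizon=120) -> List[int]:
    """Run the attack against one server policy and return the seconds at which a
    legitimate client (one complete request every 15 s) was refused a slot."""
    srv = Server(max_clients, idle_timeout, header_deadline)
    held: List[Slot] = []
    bursts = {0, 3, 11, 12, 20, 27, 35}   # irregular opening schedule, 10 sockets per burst
    for t in range(horizon + 1):
        if t in bursts:
            for _ in range(10):
                s = srv.open("203.0.113.7", t, partial_request())
                if s is not None:
                    held.append(s)
        if t > 0 and t % 10 == 0:         # keep every surviving socket alive
            for s in held:
                if s in srv.slots:
                    srv.feed(s, t, keepalive_line(t))
        if t > 0 and t % 15 == 0:         # a real user: complete headers, served at once
            s = srv.open("198.51.100.9", t, partial_request() + CRLF)
            if s is not None:
                srv.slots.remove(s)       # a finished request frees its slot
    return [when for src, when in srv.rejected if src == "198.51.100.9"]


if __name__ == "__main__":
    print("no timeout       :", legit_rejections())
    print("idle timeout 60 s:", legit_rejections(idle_timeout=60))
    print("header deadline  :", legit_rejections(header_deadline=20))
```

Running it prints the seconds at which the legitimate client was refused under each policy: with no timeout, or with a 60 s idle timeout, every request after the table fills at t=20 is refused; with a 20 s deadline on the header phase none are, because the held connections are reaped faster than the bursts replace them. That distinction is why Apache’s Timeout directive does not stop Slowloris while mod_reqtimeout does (RequestReadTimeout header=20-40,MinRate=500 is the Apache 2.4 default), and why nginx’s client_header_timeout is the analogous knob there. Shrinking the idle timeout below the keep-alive interval also works in the model, but the attacker simply sends the header lines more often.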
A Slowloris attack also tends to leave no trace in the web server’s access log. Servers such as Apache write an access-log entry only once a request has been processed, and a Slowloris request is never completed, so the attack connections never appear there; the error log may show only that the server has reached its connection limit. This means the attack can “catch” an unmonitored server off-guard, without any red flags in the log entries. For a high-volume site or service, the full attack can take some time, and the damage is done consistently and methodically. The attack is further slowed when legitimate sessions keep completing and freeing slots, since the attacker has to win each freed slot back. But in the end, if the Slowloris attack isn’t mitigated, the damage can be severe, both in immediate damages (reputational and operational) and in the downtime required for remediation.
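Since the access log is silent during the attack, the place to look is the connection table. The following is an added example, not from the original article or any vendor tool: it compares two snapshots of the server’s established connections taken 30 seconds apart, counts per source address the connections that survived the whole interval, and flags sources holding an unusual number of them. The snapshots are constructed to resemble `ss -Htn state established` output; the addresses, the interval and the threshold are assumptions for the illustration.

```python
"""Finding a Slowloris source in the connection table rather than the access log.

Added example for this article, not from the original page or any vendor tool.
The two snapshots are constructed to resemble `ss -Htn state established` output
captured 30 s apart on a web server listening on 10.0.0.5:80 (columns:
Recv-Q Send-Q Local:Port Peer:Port). Addresses and threshold are assumptions.
"""
from collections import Counter
from typing import Dict, Set, Tuple

# Constructed snapshot at t=0: one source holds eight sockets, a NAT gateway
# (198.51.100.20) has three short-lived requests in flight, one other client.
SNAPSHOT_T0 = """\
0 0 10.0.0.5:80 203.0.113.7:51122
0 0 10.0.0.5:80 203.0.113.7:51123
0 0 10.0.0.5:80 203.0.113.7:51124
0 0 10.0.0.5:80 203.0.113.7:51125
0 0 10.0.0.5:80 203.0.113.7:51126
0 0 10.0.0.5:80 203.0.113.7:51127
0 0 10.0.0.5:80 203.0.113.7:51128
0 0 10.0.0.5:80 203.0.113.7:51129
0 0 10.0.0.5:80 198.51.100.20:40010
0 0 10.0.0.5:80 198.51.100.20:40011
0 0 10.0.0.5:80 198.51.100.20:40012
0 0 10.0.0.5:80 192.0.2.44:60001
"""

# Constructed snapshot at t=30 s: the same eight sockets are still there (plus two
# new ones); the legitimate clients' sockets have mostly turned over.
SNAPSHOT_T30 = """\
0 0 10.0.0.5:80 203.0.113.7:51122
0 0 10.0.0.5:80 203.0.113.7:51123
0 0 10.0.0.5:80 203.0.113.7:51124
0 0 10.0.0.5:80 203.0.113.7:51125
0 0 10.0.0.5:80 203.0.113.7:51126
0 0 10.0.0.5:80 203.0.113.7:51127
0 0 10.0.0.5:80 203.0.113.7:51128
0 0 10.0.0.5:80 203.0.113.7:51129
0 0 10.0.0.5:80 203.0.113.7:51130
0 0 10.0.0.5:80 203.0.113.7:51131
0 0 10.0.0.5:80 198.51.100.20:40011
0 0 10.0.0.5:80 198.51.100.20:40013
0 0 10.0.0.5:80 192.0.2.45:60002
"""


def parse_ss(text: str) -> Set[Tuple[str, str]]:
    """Return the set of (local, peer) socket pairs in one snapshot. The last two
    fields are used so the parser works with or without a leading State column."""
    pairs = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2:
            pairs.add((fields[-2], fields[-1]))
    return pairs


def peer_ip(addr: str) -> str:
    """Strip the port (and IPv6 brackets) from 'host:port'."""
    host, _, _port = addr.rpartition(":")
    return host.strip("[]")


def persistent_per_peer(t0: str, t1: str) -> Counter:
    """Per peer IP, count sockets present in both snapshots. A normal HTTP
    request finishes in milliseconds, so the same 4-tuple appearing 30 s apart
    means the connection has been held open the whole time."""
    survivors = parse_ss(t0) & parse_ss(t1)
    return Counter(peer_ip(peer) for _local, peer in survivors)


def suspicious(t0: str, t1: str, min_persistent: int = 5) -> Dict[str, int]:
    """Peers holding at least min_persistent long-lived connections."""
    return {ip: n for ip, n in persistent_per_peer(t0, t1).items() if n >= min_persistent}


if __name__ == "__main__":
    for ip, n in suspicious(SNAPSHOT_T0, SNAPSHOT_T30).items():
        print(f"{ip}: {n} connections held open across the interval")
```

On the constructed data only 203.0.113.7 is flagged, with eight persistent sockets; the NAT gateway keeps one socket across the interval and stays under the threshold. Large NATs, reverse proxies and HTTP keep-alive can legitimately hold many connections, so the threshold should come from a baseline of the server’s normal traffic, and a hit is best confirmed with a view that shows request state, such as Apache mod_status slots stuck in “R” (reading request) with only a few hundred bytes received.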
What Should Organizations Do to Avoid the Slowloris DDoS Attack?
To set up mitigation layers properly and be DDoS resilient, organizations must be proactive: continuously test their DDoS posture, expose the vulnerabilities in a dynamic attack surface, and perform prioritized remediation. These steps can be taken quickly and effectively, preventing downtime, reputational damage, and disruption to production. For Slowloris specifically, the well-established controls are a bound on the total time a client may take to send its request headers (Apache’s mod_reqtimeout rather than the idle Timeout directive, which each keep-alive byte resets; nginx’s client_header_timeout), a cap on concurrent connections per source address, and an event-driven reverse proxy, CDN or DDoS-scrubbing layer in front of thread-per-connection servers. By testing all known DDoS attack vectors, including Slowloris, against all targets continuously and non-disruptively, an organization can uncover and remediate unknown DDoS mitigation vulnerabilities for over 200% average improvement in DDoS resilience.