How To Mitigate Slow HTTP DoS Attacks in Apache HTTP Server

Slow HTTP DoS Attacks and How to Mitigate Them in Apache HTTP ServerA Slow HTTP Denial of Service (DoS) attack, otherwise referred to as Slowloris HTTP DoS attack, makes use of HTTP GET requests to occupy all available HTTP connections permitted on a web server.

A Slow HTTP DoS Attack takes advantage of a vulnerability in thread-based web servers which wait for entire HTTP headers to be received before releasing the connection. While some thread-based servers such as Apache make use of a timeout to wait for incomplete HTTP requests, the timeout, which is set to 300 seconds by default, is re-set as soon as the client sends additional data.

This creates a situation where a malicious user could open several connections on a server by initiating an HTTP request but does not close it. By keeping the HTTP request open and feeding the server bogus data before the timeout is reached, the HTTP connection will remain open until the attacker closes it. Naturally, if an attacker had to occupy all available HTTP connections on a web server, legitimate users would not be able to have their HTTP requests processed by the server, thus experiencing a denial of service.

This enables an attacker to restrict access to a specific server with very low utilization of bandwidth. This breed of DoS attack is starkly different from other DoS attacks such as SYN flood attacks which misuse the TCP SYN (synchronization) segment during a TCP three-way-handshake.

How it works

An analysis of an HTTP GET request helps further explain how and why a Slow HTTP DoS attack is possible. A complete HTTP GET request resembles the following.

GET /index.php HTTP/1.1[CRLF]
Pragma: no-cache[CRLF]
Cache-Control: no-cache[CRLF]
Host: testphp.vulnweb.com[CRLF]
Connection: Keep-alive[CRLF]
Accept-Encoding: gzip,deflate[CRLF]
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36[CRLF]
Accept: */*[CRLF][CRLF]

Something that is of particular interest is the [CRLF] in the GET request above. Carriage Return Line Feed (CRLF), is a non-printable character that is used to denote the end of a line. Similar to text editors, an HTTP request would contain a [CRLF] at the end of a line to start a fresh line and two [CRLF] characters to denote a blank line. The HTTP protocol defines a blank line as the completion of a header. A Slow HTTP DoS takes advantage of this by not sending a finishing blank line to complete the HTTP header.

To make matters worse, a Slow HTTP DoS attack is not commonly detected by Intrusion Detection Systems (IDS) since the attack does not contain any malformed requests. The HTTP request will seem legitimate to the IDS and will pass it onto the web server.

Identifying and Mitigating Slow HTTP DoS Attacks

Slow HTTP DoS attacks are only significantly effective against thread-based web servers such as Apache and dhttpd and not against event-based web servers such as nginx and lighttpd which are built to handle large numbers of simultaneous connections.

Acunetix Web Vulnerability Scanner is capable of identifying Slow HTTP DoS attacks. When running a scan on a website that is vulnerable to a Slow HTTP DoS attack, an alert is raised by Acunetix Web Vulnerability Scanner that looks similar to hereunder.

Slow HTTP Denial of Service Attack Alert

 

Preventing and Mitigating Slow HTTP DoS Attacks in Apache HTTP Server

A number of techniques exist for preventing and mitigating slow HTTP DoS attacks in Apache HTTP server. A description of three of the most popular and easiest to implement techniques are listed hereunder. Of course other techniques for preventing and mitigating slow HTTP DoS attacks exist; namely through the use of load balancers and iptables.

Using mod_reqtimeout

Since Apache HTTP Server 2.2.15, mod_reqtimeout is included by default. mod_reqtimeout can be used to set timeouts for receiving the HTTP request headers and the HTTP request body from a client. As a result, if a client fails to send header or body data within the configured time, a 408 REQUEST TIME OUT error is sent by the server.

The following is an example of a configuration that can be used with mod_reqtimeout.

<IfModule mod_reqtimeout.c>
  RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
</IfModule>

The above configuration allows up to 20 seconds for header data to be sent by a client. Provided that a client sends header data at a rate of 500 bytes per second, the server will allow a maximum 40 seconds for the headers to complete.

Additionally, the configuration will allow for up to 20 seconds for body data to be sent by the client. As long as the client sends header data at a rate of 500 bytes per second, the server will wait for up to 40 seconds for the body of the request to complete.

Using mod_qos

mod_qos is a quality of service module for the Apache HTTP Server which allows the implementation of control mechanisms that can provide different levels of priority to different HTTP requests.

The following is an example of how to configure mod_qos to mitigate slow HTTP DoS attacks.

<IfModule mod_qos.c>
   # handle connections from up to 100000 different IPs
   QS_ClientEntries 100000
   # allow only 50 connections per IP
   QS_SrvMaxConnPerIP 50
   # limit maximum number of active TCP connections limited to 256
   MaxClients 256
   # disables keep-alive when 180 (70%) TCP connections are occupied
   QS_SrvMaxConnClose 180
   # minimum request/response speed (deny slow clients blocking the server, keeping connections open without requesting anything
   QS_SrvMinDataRate 150 1200
</IfModule>

The above configuration tracks up to 100,000 connections and limits the server to a maximum of 256 connections. In addition, the configuration limits each IP address to a maximum of 50 connections and disables HTTP KeepAlive when 180 connections are used (70% of the connections in this case). Finally, the configuration requires a minimum of 150 bytes per second per connection, and limits the connection to 1200 bytes per second when MaxClients is reached.

Using mod_security

mod_security is an open source web application firewall (WAF) that may be used with Apache HTTP server. mod_security makes use of rules that can be applied to carry out specific functions.

The following rules may be used to mitigate a slow HTTP DoS attack.

SecRule RESPONSE_STATUS "@streq 408" "phase:5,t:none,nolog,pass,
setvar:ip.slow_dos_counter=+1, expirevar:ip.slow_dos_counter=60, id:'1234123456'"

SecRule IP:SLOW_DOS_COUNTER "@gt 5" "phase:1,t:none,log,drop,
msg:'Client Connection Dropped due to high number of slow DoS alerts', id:'1234123457'"

The above rules identifies when Apache HTTP server triggers a 408 status code and tracks how many times this happened while keeping the data in IP-based persistent storage so it can correlate across requests. If this event has happened more than 5 times in 60 seconds, subsequent requests for that IP address will be dropped by mod_security for a period of 5 minutes.

Share this post
  • I’d like to ask a question about your mod_security rules for mitigating Slow HTTP DoS attacks.

    In your description of the 4th and 5th lines in the mod_security rules, you say “subsequent requests for that IP address will be dropped by mod_security for a period of 5 minutes.” Is this period of “5 minutes” default one of the “drop” action? Can I change the period? If I can change it, I’d like the way to change it.

    Best Regards,
    Takeshi Okamoto

    • @Takeshi Okamoto:

      If you haven’t figured out your answer yet I think this might help. The ‘drop’ action does not drop for a set amount of time, it terminates the connection by sending a FIN packet. So the second rule shown above says if the variable IP:SLOW_DOS_COUNTER is greater than 5 drop the connection and log it with that message. The ‘expirevar’ variable will expire the given variable in the set amount of time in seconds. In this case the IP:SLOW_DOS_COUNTER variable will expire after 60 seconds. So according to the first rule a 408 response status must happen at least 6 times for the connection to be dropped. Assuming that this pattern continues of at least six 408 responses every 60 seconds then the connection will continue to be dropped. I may be wrong about this but I believe the author is mistaken that subsequent request will be dropped for 5 minutes. To me the two rules just say if more then five 408 responses happen in 60 seconds then drop the connection and after 60 seconds expire the variable. Here is a link to ModSecurity docs for the definition on everything: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual. You can change these rules he listed as much as you like.

  • Thank you, enabling mod_reqtimeout worked for me. I notice this wasn’t in the list of available modules (not even commented out) so I also had to add this line:

    LoadModule reqtimeout_module modules/mod_reqtimeout.so

  • Is there a way to use iptables in front of the webserver to mitigate this?

    • yes, SlowLoris can be mitigated using iptables as follows:

      iptables -A INPUT -p tcp –syn –dport 80 -m connlimit –connlimit-above 100 -j DROP

      • I use tomcat module only on my server so I applied this iptables rule.
        But Acunetix Web Vulnerability Scanner still raise ‘SLOW HTTP DOS ATTACK’ alert .
        How should I do?

        • Hi,

          Acunetix detects the Slow HTTP DOS Attack by making less than 100 connections (defined by -connlimit-above in the iptables command). You can try reducing this further, however you risk blocking legitimate requests.

          The iptables command does block a SlowLoris denial of service as it will not allow more than 100 open connections from the same IP address. Play around with the setting to identify the right max number of open connections for your server.

  • I have found this vulnerability on many sites by Acunetix but how to test or how to provide a proof of concept that a server is vulnerable from this Attack..?

  • Leave a Reply

    Your email address will not be published.