A Slow HTTP Denial of Service (DoS) attack, otherwise referred to as Slowloris HTTP DoS attack, makes use of HTTP GET requests to occupy all available HTTP connections permitted on a web server.
A Slow HTTP DoS Attack takes advantage of a vulnerability in thread-based web servers which wait for entire HTTP headers to be received before releasing the connection. While some thread-based servers such as Apache make use of a timeout to wait for incomplete HTTP requests, the timeout, which is set to 300 seconds by default, is re-set as soon as the client sends additional data.
This creates a situation where a malicious user could open several connections on a server by initiating an HTTP request but does not close it. By keeping the HTTP request open and feeding the server bogus data before the timeout is reached, the HTTP connection will remain open until the attacker closes it. Naturally, if an attacker had to occupy all available HTTP connections on a web server, legitimate users would not be able to have their HTTP requests processed by the server, thus experiencing a denial of service.
This enables an attacker to restrict access to a specific server with very low utilization of bandwidth. This breed of DoS attack is starkly different from other DoS attacks such as SYN flood attacks which misuse the TCP SYN (synchronization) segment during a TCP three-way-handshake.
How it works
An analysis of an HTTP GET request helps further explain how and why a Slow HTTP DoS attack is possible. A complete HTTP GET request resembles the following.
GET /index.php HTTP/1.1[CRLF] Pragma: no-cache[CRLF] Cache-Control: no-cache[CRLF] Host: testphp.vulnweb.com[CRLF] Connection: Keep-alive[CRLF] Accept-Encoding: gzip,deflate[CRLF] User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36[CRLF] Accept: */*[CRLF][CRLF]
Something that is of particular interest is the [CRLF] in the GET request above. Carriage Return Line Feed (CRLF), is a non-printable character that is used to denote the end of a line. Similar to text editors, an HTTP request would contain a [CRLF] at the end of a line to start a fresh line and two [CRLF] characters to denote a blank line. The HTTP protocol defines a blank line as the completion of a header. A Slow HTTP DoS takes advantage of this by not sending a finishing blank line to complete the HTTP header.
To make matters worse, a Slow HTTP DoS attack is not commonly detected by Intrusion Detection Systems (IDS) since the attack does not contain any malformed requests. The HTTP request will seem legitimate to the IDS and will pass it onto the web server.
Identifying and Mitigating Slow HTTP DoS Attacks
Slow HTTP DoS attacks are only significantly effective against thread-based web servers such as Apache and dhttpd and not against event-based web servers such as nginx and lighttpd which are built to handle large numbers of simultaneous connections.
Acunetix Web Vulnerability Scanner is capable of identifying Slow HTTP DoS attacks. When running a scan on a website that is vulnerable to a Slow HTTP DoS attack, an alert is raised by Acunetix Web Vulnerability Scanner that looks similar to hereunder.
Preventing and Mitigating Slow HTTP DoS Attacks in Apache HTTP Server
A number of techniques exist for preventing and mitigating slow HTTP DoS attacks in Apache HTTP server. A description of three of the most popular and easiest to implement techniques are listed hereunder. Of course other techniques for preventing and mitigating slow HTTP DoS attacks exist; namely through the use of load balancers and iptables.
Since Apache HTTP Server 2.2.15, mod_reqtimeout is included by default. mod_reqtimeout can be used to set timeouts for receiving the HTTP request headers and the HTTP request body from a client. As a result, if a client fails to send header or body data within the configured time, a 408 REQUEST TIME OUT error is sent by the server.
The following is an example of a configuration that can be used with mod_reqtimeout.
<IfModule mod_reqtimeout.c> RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500 </IfModule>
The above configuration allows up to 20 seconds for header data to be sent by a client. Provided that a client sends header data at a rate of 500 bytes per second, the server will allow a maximum 40 seconds for the headers to complete.
Additionally, the configuration will allow for up to 20 seconds for body data to be sent by the client. As long as the client sends header data at a rate of 500 bytes per second, the server will wait for up to 40 seconds for the body of the request to complete.
mod_qos is a quality of service module for the Apache HTTP Server which allows the implementation of control mechanisms that can provide different levels of priority to different HTTP requests.
The following is an example of how to configure mod_qos to mitigate slow HTTP DoS attacks.
<IfModule mod_qos.c> # handle connections from up to 100000 different IPs QS_ClientEntries 100000 # allow only 50 connections per IP QS_SrvMaxConnPerIP 50 # limit maximum number of active TCP connections limited to 256 MaxClients 256 # disables keep-alive when 180 (70%) TCP connections are occupied QS_SrvMaxConnClose 180 # minimum request/response speed (deny slow clients blocking the server, keeping connections open without requesting anything QS_SrvMinDataRate 150 1200 </IfModule>
The above configuration tracks up to 100,000 connections and limits the server to a maximum of 256 connections. In addition, the configuration limits each IP address to a maximum of 50 connections and disables HTTP KeepAlive when 180 connections are used (70% of the connections in this case). Finally, the configuration requires a minimum of 150 bytes per second per connection, and limits the connection to 1200 bytes per second when MaxClients is reached.
mod_security is an open source web application firewall (WAF) that may be used with Apache HTTP server. mod_security makes use of rules that can be applied to carry out specific functions.
The following rules may be used to mitigate a slow HTTP DoS attack.
SecRule RESPONSE_STATUS "@streq 408" "phase:5,t:none,nolog,pass, setvar:ip.slow_dos_counter=+1, expirevar:ip.slow_dos_counter=60, id:'1234123456'" SecRule IP:SLOW_DOS_COUNTER "@gt 5" "phase:1,t:none,log,drop, msg:'Client Connection Dropped due to high number of slow DoS alerts', id:'1234123457'"
The above rules identifies when Apache HTTP server triggers a 408 status code and tracks how many times this happened while keeping the data in IP-based persistent storage so it can correlate across requests. If this event has happened more than 5 times in 60 seconds, subsequent requests for that IP address will be dropped by mod_security for a period of 5 minutes.