Slow HTTP DoS

A slow HTTP Denial of Service attack (DoS), otherwise referred to as the Slowloris HTTP attack, makes use of HTTP GET requests to occupy all available HTTP connections permitted by a web server. It takes advantage of a vulnerability in thread-based web servers, which wait for entire HTTP headers to be received before releasing the open connection. A variation of this vulnerability is the slow HTTP POST vulnerability. In a slow HTTP POST attack, the attacker declares a large amount of data to be sent in an HTTP POST request and then sends it very slowly.

A malicious user can open many connections to the server by initiating HTTP requests but not closing them. If the attacker keeps every HTTP request open and feeds the server bogus data before the timeout is reached, the HTTP connection will remain open until the attacker closes it. Naturally, if an attacker occupies all available HTTP connections for a web server and keeps them busy waiting, legitimate connections cannot be processed by the server and this causes a denial of service.

This technique lets an attacker consume server resources and restrict access using very little bandwidth. This breed of DoS attack is different from other DoS/DDoS attacks such as SYN flood attacks, which misuse the TCP SYN (synchronization) segment during a TCP three-way handshake.

How it works

An analysis of an HTTP GET request helps further explain how and why a slow HTTP DoS attack is possible. A complete HTTP GET request resembles the following:

GET /index.php HTTP/1.1[CRLF]
Pragma: no-cache[CRLF]
Cache-Control: no-cache[CRLF]
Host: testphp.vulnweb.com[CRLF]
Connection: Keep-alive[CRLF]
Accept-Encoding: gzip,deflate[CRLF]
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) 
  Chrome/28.0.1500.63 Safari/537.36[CRLF]
Accept: */*[CRLF][CRLF]

The CRLF (Carriage Return + Line Feed) is a sequence of non-printable characters that is used to denote the end of a line. Similar to text editors, an HTTP request uses a [CRLF] at the end of a line to start a fresh line and two [CRLF] sequences to denote a blank line. The HTTP protocol defines a blank line as the completion of a header. A slow HTTP DoS attack takes advantage of this by never sending a finishing blank line to complete the HTTP header.

While some thread-based servers such as Apache use a timeout when they wait for incomplete HTTP requests, it is set to 300 seconds by default and reset as soon as the client sends the rest of the data. To make matters worse, a slow HTTP DoS attack is not commonly detected by Intrusion Detection Systems (IDS) because it does not contain any malformed requests. The HTTP request will seem legitimate to the IDS.

Slow HTTP DoS attacks are only effective against thread-based web servers such as Apache, dhttpd, or Microsoft IIS. They are not effective against event-based web servers such as nginx and lighttpd, which are built to handle large numbers of concurrent connections.

Preventing and Mitigating Slow HTTP Attacks in the Apache HTTP Server

A number of techniques exist for preventing and mitigating slow HTTP DoS attacks in the Apache HTTP server. Following are descriptions of three of the most popular and easiest to implement techniques. Of course, other techniques for preventing and mitigating slow HTTP DoS attacks exist, for example involving the use of load balancers and iptables.

Using mod_reqtimeout

The mod_reqtimeout module is included by default in Apache HTTP Server v2.2.15 and up. You can use it to set timeouts for receiving HTTP request headers and the HTTP request body from a client. As a result, if a client fails to send header or body data within the configured time, a 408 REQUEST TIMEOUT error is sent by the server. The following is an example of a configuration that can be used with mod_reqtimeout:

<IfModule mod_reqtimeout.c>  
  RequestReadTimeout header=20-40,MinRate=500 body=20-40,MinRate=500
</IfModule>

The above configuration gives the client a maximum of 20 seconds to start sending header data. The client must send header data at a transfer rate of 500 bytes per second and may do it for a maximum of 40 seconds. Additionally, the configuration also gives the client a maximum of 20 seconds to start sending body data. The client must send message body data at a transfer rate of 500 bytes per second and may do it for a maximum of 40 seconds.

Using mod_qos

The mod_qos module is a quality of service extension for the Apache HTTP Server. It implements control mechanisms that can assign different priorities to different HTTP requests. The following is an example of how to configure mod_qos to mitigate slow HTTP DoS attacks:

<IfModule mod_qos.c>
  # handle connections from up to 100000 different IPs
  QS_ClientEntries 100000
  # allow only 50 connections per IP
  QS_SrvMaxConnPerIP 50
  # limit the maximum number of active TCP connections to 256
  MaxClients 256
  # disables keep-alive when 180 (70%) TCP connections are occupied
  QS_SrvMaxConnClose 180
  # minimum request/response speed 
  # (deny clients that keep connections open without requesting anything)
  QS_SrvMinDataRate 150 1200
</IfModule>

The above configuration settings track up to 100,000 connections and limit requests to a maximum of 256 connections. In addition, the configuration limits each IP address to a maximum of 50 connections and disables HTTP KeepAlive when 180 connections are used (70% of the connections in this case). Finally, the configuration requires a minimum of 150 bytes per second per connection and limits the connection to 1200 bytes per second when MaxClients is reached.

Using mod_security

The mod_security module is an open-source web application firewall (WAF) that may be used with the Apache HTTP server. It uses rules that can be applied to carry out specific functions. You may use the following rules to mitigate a slow HTTP DoS attack:

SecRule RESPONSE_STATUS "@streq 408" "phase:5,t:none,nolog,pass, 
  setvar:ip.slow_dos_counter=+1, expirevar:ip.slow_dos_counter=60, id:'1234123456'"
 
SecRule IP:SLOW_DOS_COUNTER "@gt 5" "phase:1,t:none,log,drop, 
  msg:'Client Connection Dropped due to high number of slow DoS alerts', id:'1234123457'"

The above rules identify when the Apache HTTP server triggers a 408 status code and track how many times this happened. The module keeps the data in IP-based persistent storage so it can be correlated across requests. If this event has happened more than 5 times in 60 seconds, subsequent requests from that IP address will be dropped for a given period of time, in this case: 5 minutes.

Frequently asked questions

Slow HTTP DoS (Slowloris) attacks are denial-of-service attacks against web servers that cause a large number of open connections by keeping HTTP requests open for a long time. Thread-based servers such as Apache and Microsoft IIS are vulnerable to Slowloris but event-based servers such as nginx are not.

Read more about Slowloris attacks.

Every year Acunetix analyzes data from real targets to see how common are different types of vulnerabilities. This year, we found that 7.5% of web servers are still vulnerable to Slowloris attacks.

Read more in our most recent web application vulnerability report.

The Acunetix Web Vulnerability Scanner is capable of identifying slow HTTP vulnerabilities such as CVE-2007-6750 (Slowloris) and a lot of other vulnerabilities, too. Acunetix identifies more vulnerabilities than many other scanners and gives you vulnerability assessment and vulnerability management capabilities as well.

Find out more about Acunetix Premium.

To mitigate slow HTTP DoS vulnerabilities in Apache, you can use several different modules: mod_reqtimeout to set timeouts for receiving HTTP request headers and the HTTP request body from a client, mod_qos to assign different priorities to different HTTP requests, and mod_security to detect attack attempts.

Learn more about hardening your Apache installation.

SHARE THIS POST
THE AUTHOR
Ian Muscat

Ian Muscat used to be a technical resource and speaker for Acunetix. More recently, his work centers around cloud security and phishing simulation.