Mitigate Slow HTTP GET/POST Vulnerabilities in the Apache HTTP Server

Slow HTTP DoS

A slow HTTP Denial of Service attack (DoS), otherwise referred to as the Slowloris HTTP attack, makes use of HTTP GET requests to occupy all available HTTP connections permitted by a web server. It takes advantage of a vulnerability in thread-based web servers, which wait for entire HTTP headers to be received before releasing the open connection. A variation of this vulnerability is the slow HTTP POST vulnerability. In a slow HTTP POST attack, the attacker declares a large amount of data to be sent in an HTTP POST request and then sends it very slowly.

A malicious user can open many connections to the server by initiating HTTP requests but not closing them. If the attacker keeps every HTTP request open and feeds the server bogus data before the timeout is reached, the HTTP connection will remain open until the attacker closes it. Naturally, if an attacker occupies all available HTTP connections for a web server and keeps them busy waiting, legitimate connections cannot be processed by the server and this causes a denial of service.

This technique lets an attacker consume server resources and restrict access using very little bandwidth. This breed of DoS attack is different from other DoS/DDoS attacks such as SYN flood attacks, which misuse the TCP SYN (synchronization) segment during a TCP three-way handshake.

How it works

An analysis of an HTTP GET request helps further explain how and why a slow HTTP DoS attack is possible. A complete HTTP GET request resembles the following:

GET /index.php HTTP/1.1[CRLF]
Pragma: no-cache[CRLF]
Cache-Control: no-cache[CRLF]
Host: testphp.vulnweb.com[CRLF]
Connection: Keep-alive[CRLF]
Accept-Encoding: gzip,deflate[CRLF]
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) 
  Chrome/28.0.1500.63 Safari/537.36[CRLF]
Accept: */*[CRLF][CRLF]

The CRLF (Carriage Return + Line Feed) is a sequence of non-printable characters that is used to denote the end of a line. Similar to text editors, an HTTP request uses a [CRLF] at the end of a line to start a fresh line and two [CRLF] sequences to denote a blank line. The HTTP protocol defines a blank line as the completion of a header. A slow HTTP DoS attack takes advantage of this by never sending a finishing blank line to complete the HTTP header.

While some thread-based servers such as Apache use a timeout when they wait for incomplete HTTP requests, it is set to 300 seconds by default and reset as soon as the client sends the rest of the data. To make matters worse, a slow HTTP DoS attack is not commonly detected by Intrusion Detection Systems (IDS) because it does not contain any malformed requests. The HTTP request will seem legitimate to the IDS.

Identifying and Mitigating Slow HTTP Attacks

Slow HTTP DoS attacks are only effective against thread-based web servers such as Apache, dhttpd, or Microsoft IIS. They are not effective against event-based web servers such as nginx and lighttpd, which are built to handle large numbers of concurrent connections.

The Acunetix Web Vulnerability Scanner is capable of identifying slow HTTP vulnerabilities such as CVE-2007-6750. When running a scan on a website that is vulnerable to a slow HTTP DoS attack, an alert is raised that looks similar to the following one:

Slow HTTP Denial of Service Attack Alert

Preventing and Mitigating Slow HTTP Attacks in the Apache HTTP Server

A number of techniques exist for preventing and mitigating slow HTTP DoS attacks in the Apache HTTP server. Following are descriptions of three of the most popular and easiest to implement techniques. Of course, other techniques for preventing and mitigating slow HTTP DoS attacks exist, for example involving the use of load balancers and iptables.

Using mod_reqtimeout

The mod_reqtimeout module is included by default in Apache HTTP Server v2.2.15 and up. You can use it to set timeouts for receiving HTTP request headers and the HTTP request body from a client. As a result, if a client fails to send header or body data within the configured time, a 408 REQUEST TIMEOUT error is sent by the server. The following is an example of a configuration that can be used with mod_reqtimeout:

<IfModule mod_reqtimeout.c>  
  RequestReadTimeout header=20-40,MinRate=500 body=20-40,MinRate=500
</IfModule>

The above configuration gives the client a maximum of 20 seconds to start sending header data. The client must send header data at a transfer rate of 500 bytes per second and may do it for a maximum of 40 seconds. Additionally, the configuration also gives the client a maximum of 20 seconds to start sending body data. The client must send message body data at a transfer rate of 500 bytes per second and may do it for a maximum of 40 seconds.

Using mod_qos

The mod_qos module is a quality of service extension for the Apache HTTP Server. It implements control mechanisms that can assign different priorities to different HTTP requests. The following is an example of how to configure mod_qos to mitigate slow HTTP DoS attacks:

<IfModule mod_qos.c>
  # handle connections from up to 100000 different IPs
  QS_ClientEntries 100000
  # allow only 50 connections per IP
  QS_SrvMaxConnPerIP 50
  # limit the maximum number of active TCP connections to 256
  MaxClients 256
  # disables keep-alive when 180 (70%) TCP connections are occupied
  QS_SrvMaxConnClose 180
  # minimum request/response speed 
  # (deny clients that keep connections open without requesting anything)
  QS_SrvMinDataRate 150 1200
</IfModule>

The above configuration settings track up to 100,000 connections and limit requests to a maximum of 256 connections. In addition, the configuration limits each IP address to a maximum of 50 connections and disables HTTP KeepAlive when 180 connections are used (70% of the connections in this case). Finally, the configuration requires a minimum of 150 bytes per second per connection and limits the connection to 1200 bytes per second when MaxClients is reached.

Using mod_security

The mod_security module is an open-source web application firewall (WAF) that may be used with the Apache HTTP server. It uses rules that can be applied to carry out specific functions. You may use the following rules to mitigate a slow HTTP DoS attack:

SecRule RESPONSE_STATUS "@streq 408" "phase:5,t:none,nolog,pass, 
  setvar:ip.slow_dos_counter=+1, expirevar:ip.slow_dos_counter=60, id:'1234123456'"
 
SecRule IP:SLOW_DOS_COUNTER "@gt 5" "phase:1,t:none,log,drop, 
  msg:'Client Connection Dropped due to high number of slow DoS alerts', id:'1234123457'"

The above rules identify when the Apache HTTP server triggers a 408 status code and track how many times this happened. The module keeps the data in IP-based persistent storage so it can be correlated across requests. If this event has happened more than 5 times in 60 seconds, subsequent requests from that IP address will be dropped for a given period of time, in this case: 5 minutes.

Share this post
Ian Muscat

Acunetix developers and tech agents regularly contribute to the blog. All the Acunetix developers come with years of experience in the web security sphere.

  • I’d like to ask a question about your mod_security rules for mitigating Slow HTTP DoS attacks.

    In your description of the 4th and 5th lines in the mod_security rules, you say “subsequent requests for that IP address will be dropped by mod_security for a period of 5 minutes.” Is this period of “5 minutes” default one of the “drop” action? Can I change the period? If I can change it, I’d like the way to change it.

    Best Regards,
    Takeshi Okamoto


    • @Takeshi Okamoto:

      If you haven’t figured out your answer yet I think this might help. The ‘drop’ action does not drop for a set amount of time, it terminates the connection by sending a FIN packet. So the second rule shown above says if the variable IP:SLOW_DOS_COUNTER is greater than 5 drop the connection and log it with that message. The ‘expirevar’ variable will expire the given variable in the set amount of time in seconds. In this case the IP:SLOW_DOS_COUNTER variable will expire after 60 seconds. So according to the first rule a 408 response status must happen at least 6 times for the connection to be dropped. Assuming that this pattern continues of at least six 408 responses every 60 seconds then the connection will continue to be dropped. I may be wrong about this but I believe the author is mistaken that subsequent request will be dropped for 5 minutes. To me the two rules just say if more then five 408 responses happen in 60 seconds then drop the connection and after 60 seconds expire the variable. Here is a link to ModSecurity docs for the definition on everything: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual. You can change these rules he listed as much as you like.


  • Thank you, enabling mod_reqtimeout worked for me. I notice this wasn’t in the list of available modules (not even commented out) so I also had to add this line:

    LoadModule reqtimeout_module modules/mod_reqtimeout.so


  • Is there a way to use iptables in front of the webserver to mitigate this?


    • yes, SlowLoris can be mitigated using iptables as follows:

      iptables -A INPUT -p tcp –syn –dport 80 -m connlimit –connlimit-above 100 -j DROP


      • I use tomcat module only on my server so I applied this iptables rule.
        But Acunetix Web Vulnerability Scanner still raise ‘SLOW HTTP DOS ATTACK’ alert .
        How should I do?


        • Hi,

          Acunetix detects the Slow HTTP DOS Attack by making less than 100 connections (defined by -connlimit-above in the iptables command). You can try reducing this further, however you risk blocking legitimate requests.

          The iptables command does block a SlowLoris denial of service as it will not allow more than 100 open connections from the same IP address. Play around with the setting to identify the right max number of open connections for your server.


  • I have found this vulnerability on many sites by Acunetix but how to test or how to provide a proof of concept that a server is vulnerable from this Attack..?

  • Comments are closed.