Slowloris

from Wikipedia, the free encyclopedia
[Infobox image: Slowloris DDOS diagram]

Basic data

  • Developer: Robert "RSnake" Hansen
  • Publishing year: June 17, 2009
  • Current version: 0.7 (June 17, 2009)
  • Programming language: Perl
  • Website: ha.ckers.org/slowloris/

Slowloris is software with which a single computer can paralyze a web server while using very little network bandwidth. Slowloris targets the web server specifically; it does not work against other services. The software was written by Robert "RSnake" Hansen.

Slowloris tries to establish as many connections as possible to the target server and to keep them open for as long as possible. It does this by opening connections in parallel and sending only a partial HTTP request over each of them. From time to time a partial request is extended with one more HTTP header, but no request is ever completed. The number of open connections therefore grows rapidly. Since a web server can hold only a limited number of connections open at once, legitimate requests from web browsers are rejected - the server is paralyzed.

Affected web servers

Many web servers are susceptible to this type of attack, including Apache 1.x, Apache 2.x, dhttpd, and the GoAhead WebServer.

Countermeasures

There is currently no complete cure for a Slowloris attack, but there are ways to reduce its effects. These include:

  • increasing the maximum number of simultaneous connections the web server accepts
  • limiting the maximum number of connections from a single IP address
  • reducing the amount of time a client may remain connected without completing its request

There are a number of modules, especially for the Apache web server, that can reduce the damage caused by Slowloris, for example mod_limitipconn, mod_qos, mod_evasive, mod_security, mod_noloris, and mod_antiloris. From version 2.2.15 Apache includes the module mod_reqtimeout, which the developers propose as the official solution.
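The two countermeasures that the last two list items and the mod_reqtimeout paragraph describe, a time limit on incomplete request headers and a per-IP connection cap, can be checked against a snapshot of open connections. The following is an added example, not code from the article or from the Apache project; the deadline rule models a RequestReadTimeout setting of header=20-40,MinRate=500, the sample connections and addresses are constructed, and the 10-connection-per-IP cap is an assumed value.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass
class Conn:
    ip: str
    opened_at: float   # seconds since server start
    header_bytes: int  # request-header bytes received so far
    header_done: bool  # True once the blank line ending the headers arrived


def header_deadline(header_bytes, initial=20.0, max_timeout=40.0, min_rate=500):
    """Seconds a client gets to finish its headers, modelled on
    RequestReadTimeout header=20-40,MinRate=500: every 500 bytes received
    buys one more second, but never beyond 40 s in total."""
    return min(max_timeout, initial + header_bytes / min_rate)


def slowloris_triage(conns, now, max_per_ip=10):
    """Split open connections into (drop, keep).  A connection is dropped when
    its headers are still incomplete past the deadline (the Slowloris
    signature: a request that never finishes) or when its source IP already
    holds max_per_ip connections that passed the timeout check."""
    drop, keep = [], []
    per_ip = Counter()
    for c in sorted(conns, key=lambda c: c.opened_at):
        if not c.header_done and now - c.opened_at > header_deadline(c.header_bytes):
            drop.append((c, "header timeout"))
            continue
        per_ip[c.ip] += 1
        if per_ip[c.ip] > max_per_ip:
            drop.append((c, "per-ip cap"))
            continue
        keep.append(c)
    return drop, keep


# Constructed sample state at t = 45 s (hypothetical addresses, not from the
# article): 12 stale partial requests from one source, 12 fresh partial requests
# from another, one completed request, and a slow but progressing legitimate client.
SAMPLE = (
    [Conn("10.0.0.5", 0.0, 150 + i, False) for i in range(12)]
    + [Conn("203.0.113.4", 44.0, 150, False) for _ in range(12)]
    + [Conn("192.0.2.7", 40.0, 300, True), Conn("198.51.100.9", 30.0, 1500, False)]
)

if __name__ == "__main__":
    dropped, kept = slowloris_triage(SAMPLE, now=45.0)
    for c, reason in dropped:
        print(f"drop {c.ip} opened_at={c.opened_at:.0f}s: {reason}")
    print(f"{len(kept)} connections kept")
```

Note that the fresh batch from the second address passes the timeout check and is only caught by the per-IP cap, which is why the article lists both measures rather than either one alone.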

Other countermeasures include reverse proxies, firewalls, load balancers, layer 3 switches, and the use of a web server that is immune to this type of attack.

Use

During the 2009 presidential election in Iran, Slowloris was used against the Iranian government's web servers.

Slowloris was preferred to a traditional denial-of-service attack because a traditional attack would have consumed a lot of network bandwidth and thus also harmed the protest movement.

Gerdab.ir, leader.ir and president.ir were affected by the attacks.

Similar programs

Since the release of Slowloris, several other programs have appeared that mimic its function and offer additional features or run in other environments:

  • PyLoris - a Python implementation that supports Tor and SOCKS proxies.
  • QSlowloris - a binary program that runs under Windows and has a Qt interface.
  • An (unnamed) PHP version that, ironically, runs on the Apache HTTP server.
  • Slowloris.hx - an implementation in the programming language Haxe.

