What is a Slowloris DDoS Attack?

Introduction

Names of DDoS attacks often make them sound benign. In prior blogs we’ve talked about Smurf attacks, Ping attacks, and now we’ll delve into Slowloris attacks, named after a cute Southeast Asian primate. A quick online search of slow loris pulls up dozens of images of a wide-eyed, cuddly, little animal that looks like a cross between a monkey and a koala. But beware: They are also the only primate that packs a poisonous bite that can be fatal.

In this blog, we’ll shed light on the history of this slow and methodical approach to a DDoS attack, and its painful and disruptive impact on websites and organizations. We’ll explore how Slowloris attacks work, while also offering guidance on how to detect and protect against this cyber threat.

How Does a Slowloris Attack Work? 

Slowloris is a DDoS attack that targets the application layer (Layer 7) of the OSI model. The attack can target many types of web server software but has been highly effective against Apache 1.x and 2.x. It uses partial HTTP requests to open connections to a targeted web server, and then leaves the connections open for as long as possible without completing the request. This drains server resources, gradually slowing performance and ultimately overwhelming the target.

Step-by-Step Breakdown

There are four steps to a Slowloris attack.

  1. Working through a botnet, the attacker issues command and control instructions to send multiple partial HTTP requests to a targeted server.
  2. The targeted server opens a connection for each request. Under normal circumstances, the server will close the thread as soon as the HTTP request is completed or will time out any connection that remains open for an unusually long period of time to free up resources for subsequent requests.
  3. To prevent the server from closing the connection, the attacker will periodically send additional partial requests. This tricks the web server into keeping the connection open and waiting for the HTTP request to be completed.
  4. Eventually, the targeted server will run out of available connections and will no longer be able to respond to legitimate connection requests, which leads to denial of service.

How is a Slowloris Attack Different from Other DDoS Attacks?

Traditional DDoS attacks overwhelm a server with a massive flood of HTTP requests on an ongoing basis. A spike in consumption of bandwidth is a key indicator of this type of attack. In sharp contrast, Slowloris attacks take a low and slow approach. Instead of tens of thousands of requests, the attacker sends only a few hundred requests at regular intervals. This makes Slowloris attacks more difficult to detect, as security teams have to analyze connections and look for anomalous activity, including an unusual number of connection attempts, the length of time connections stay open, incoming HTTP requests, and partial HTTP requests.

The Impact of a Slowloris Attack on Servers

Slowloris attacks are a simple but effective way to take down a web server. The attack can be executed with minimal impact on bandwidth while still consuming server resources and degrading performance.

Resource Depletion

In a nutshell, Slowloris attacks are designed to deplete web server resources by keeping connections open.

Attackers take advantage of the HTTP protocol to split GET and POST HTTP requests into several packets or sessions. The requests appear to be legitimate and are further masked because the attacker uses different botnet IP addresses to launch multiple requests at the same time. To keep the connections open for as long as possible, the attacker will send new requests just before the connection times out. Eventually, the server hits its capacity for connections and cannot process other requests, which causes the server to deny service to legitimate requests. When users can’t reach an organization’s website, reputational and financial losses often follow.

Detection and Prevention of Slowloris Attacks

Slowloris attacks were designed to look like legitimate requests and bypass detection and mitigation tools like intrusion detection systems, which makes this type of DDoS attack more complex to defend against. Additionally, since log files aren’t written until a request is completed, and these requests are never completed, there are no log events that point to evidence that a DDoS attack is happening.

However, there are signs to watch for that can tell you if your organization is being targeted by a Slowloris attack.

  • Slow website loading times create delays in responding to legitimate requests.
  • Increased server resource usage, particularly with respect to CPU and memory usage, as the web server struggles to manage the large number of open connections.
  • Many incomplete connections from various IP addresses in your server logs.
  • Anomalous network traffic patterns can reveal an unusual increase in simultaneous connections from different IP addresses – particularly if those connections are remaining open.
  • Failure to access the website which indicates the Slowloris attack has accomplished its mission and brought down the server.

Identifying a Slowloris Attack

Watching for these signs of a Slowloris attack requires that security teams use a combination of best practices and technologies to proactively hunt for indicators that could point to an attack. These methods include:

  • Monitoring server logs for unusual patterns, such as an abnormal number of open connections from the same IP address or repeated connections that are never completed.
  • Network traffic analysis tools to monitor incoming and outgoing traffic patterns and look for a high number of partial HTTP requests or connections from the same source.
  • Connection tracking to identify connections that remain open for an extended period of time without completing requests.
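Putting the three methods above into practice, here is an added example (not code from the original post) that classifies a snapshot of open connections and counts stalled ones per client IP. The snapshot format, the sample addresses and the threshold values are constructed for the example; in a real deployment the rows would come from a reverse proxy's connection table or the web server's status module.

```python
"""Flag Slowloris-like connection patterns in a snapshot of open HTTP connections.

Added example for this post (not code from the original page). The snapshot
format is constructed for the example: one connection per line,
"<client_ip> <seconds_open> <bytes_received> <headers_complete>".
Real deployments would feed this from a reverse proxy or from the web
server's connection status output.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: a snapshot of open connections at one instant.
# Two sources hold several long-lived, barely-fed requests each; two clients
# have finished their headers normally; one single client is just slow.
SNAPSHOT = """\
203.0.113.10 187 96 no
203.0.113.10 171 112 no
203.0.113.10 158 88 no
203.0.113.10 142 104 no
203.0.113.11 190 96 no
203.0.113.11 175 92 no
203.0.113.11 160 100 no
203.0.113.11 149 96 no
198.51.100.7 2 612 yes
198.51.100.8 1 540 yes
198.51.100.9 35 0 no
"""

# Thresholds (assumed tuning values; derive them from your own baseline).
MAX_OPEN_SECONDS_INCOMPLETE = 30   # headers still unfinished after this long is suspicious
MAX_INCOMPLETE_PER_IP = 3          # more stalled requests than this from one IP
MIN_BYTES_PER_SECOND = 10.0        # below this the client is only trickling bytes


@dataclass
class Conn:
    ip: str
    seconds_open: int
    bytes_received: int
    headers_complete: bool


def parse_snapshot(text: str) -> list[Conn]:
    """Parse the constructed snapshot format into Conn records."""
    conns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, secs, nbytes, done = line.split()
        conns.append(Conn(ip, int(secs), int(nbytes), done == "yes"))
    return conns


def is_stalled(c: Conn) -> bool:
    """A connection that has sat for a long time without finishing its
    request headers, while sending bytes at a trickle, matches the pattern."""
    if c.headers_complete:
        return False
    if c.seconds_open < MAX_OPEN_SECONDS_INCOMPLETE:
        return False
    rate = c.bytes_received / c.seconds_open
    return rate < MIN_BYTES_PER_SECOND


def suspicious_ips(conns: list[Conn]) -> dict[str, int]:
    """Return {ip: stalled_connection_count} for IPs over the per-IP limit."""
    stalled: dict[str, int] = defaultdict(int)
    for c in conns:
        if is_stalled(c):
            stalled[c.ip] += 1
    return {ip: n for ip, n in stalled.items() if n > MAX_INCOMPLETE_PER_IP}


def report(text: str) -> dict:
    """Summarise the snapshot: totals, stalled share, and per-IP offenders."""
    conns = parse_snapshot(text)
    stalled_total = sum(1 for c in conns if is_stalled(c))
    return {
        "open_connections": len(conns),
        "stalled_connections": stalled_total,
        "stalled_fraction": stalled_total / len(conns) if conns else 0.0,
        "suspicious_ips": suspicious_ips(conns),
    }


if __name__ == "__main__":
    print(report(SNAPSHOT))
```

Note the single slow client at 198.51.100.9: it is counted as stalled but not reported as a suspicious IP, which is the per-IP count doing its job. The reverse caveat also applies: an attacker spreading a handful of connections across many botnet addresses will stay under any per-IP limit, so the overall stalled fraction is reported alongside the per-IP list.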

Mitigation Strategies

To mitigate a Slowloris DDoS attack, organizations can use the following techniques.

  • Use a reverse proxy, a server that intercepts the request and drops connections that show signs of a Slowloris attack.
  • Limit the number of connections from a single IP address using a tool like a web application firewall.
  • Reduce the maximum time a connection can be kept open which would reduce the impact of a Slowloris attack by limiting its ability to drain resources.
  • Implement rate limiting by setting a threshold of the number of connections and requests to the server through tools such as load balancers, firewalls, and intrusion prevention systems.
  • Keep software and systems up to date to address known vulnerabilities that Slowloris attacks can exploit.
  • Use a DDoS protection solution that allows you to mitigate DDoS attacks while maintaining access to your website for legitimate users.
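Two of the items above, limiting connections per IP and capping how long a connection may stay open without completing its request, can be enforced directly in a front-end server. The following is an added example (not the page's code and not any product's), written as a small asyncio HTTP front end in Python: the `ConnectionGuard` class holds the policy and can be exercised without sockets, and `handle_client` applies it to real connections. The timeout, cap and header-size values are assumptions for the example.

```python
"""Enforce a header-read deadline and a per-IP connection cap against
Slowloris-style clients.

Added example (not code from the original post). The policy lives in
ConnectionGuard so it can be tested without network access; the asyncio
server below wires it to real connections. All numeric limits are assumed
tuning values.
"""
import asyncio
import time
from collections import defaultdict

HEADER_TIMEOUT_S = 10.0   # assumed: headers must be complete within 10 s of connecting
MAX_CONN_PER_IP = 5       # assumed: further concurrent connections from an IP are refused
MAX_HEADER_BYTES = 8192   # assumed: refuse header blocks larger than this


class ConnectionGuard:
    """Tracks per-IP concurrency and per-connection header deadlines."""

    def __init__(self, header_timeout=HEADER_TIMEOUT_S, max_per_ip=MAX_CONN_PER_IP):
        self.header_timeout = header_timeout
        self.max_per_ip = max_per_ip
        self.per_ip = defaultdict(int)
        self.deadline = {}  # conn_id -> (ip, time by which headers must be complete)

    def on_connect(self, conn_id, ip, now):
        """Admit the connection unless its IP is already at the cap."""
        if self.per_ip[ip] >= self.max_per_ip:
            return False
        self.per_ip[ip] += 1
        self.deadline[conn_id] = (ip, now + self.header_timeout)
        return True

    def on_headers_complete(self, conn_id):
        """Headers arrived in time, so the deadline no longer applies."""
        self.deadline.pop(conn_id, None)

    def on_close(self, conn_id, ip):
        """Release the per-IP slot and any pending deadline."""
        self.deadline.pop(conn_id, None)
        self.per_ip[ip] = max(0, self.per_ip[ip] - 1)

    def expired(self, now):
        """Connection ids whose header deadline has passed; the caller drops them.
        Servers that poll connection state in a sweep loop use this form of the check."""
        return [cid for cid, (_ip, dl) in self.deadline.items() if now > dl]


async def handle_client(reader, writer, guard):
    """One connection: refuse over-cap IPs, then require complete headers in time."""
    ip = writer.get_extra_info("peername")[0]
    conn_id = id(writer)
    if not guard.on_connect(conn_id, ip, time.monotonic()):
        writer.write(b"HTTP/1.1 429 Too Many Requests\r\nConnection: close\r\n\r\n")
        await writer.drain()
        writer.close()
        return
    try:
        # A client that trickles header bytes cannot hold this slot past the deadline:
        # wait_for enforces the same deadline the guard records for sweep-based servers.
        await asyncio.wait_for(reader.readuntil(b"\r\n\r\n"),
                               timeout=guard.header_timeout)
        guard.on_headers_complete(conn_id)
        body = b"OK\n"
        writer.write(b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\nConnection: close\r\n\r\n%s"
                     % (len(body), body))
    except asyncio.TimeoutError:
        writer.write(b"HTTP/1.1 408 Request Timeout\r\nConnection: close\r\n\r\n")
    except (asyncio.IncompleteReadError, asyncio.LimitOverrunError):
        pass  # client hung up, or sent more than MAX_HEADER_BYTES without finishing
    finally:
        try:
            await writer.drain()
        except ConnectionError:
            pass
        writer.close()
        guard.on_close(conn_id, ip)


async def serve(host="127.0.0.1", port=8080):
    """Listen on an assumed local address; `limit` bounds the header read buffer."""
    guard = ConnectionGuard()
    server = await asyncio.start_server(
        lambda r, w: handle_client(r, w, guard), host, port, limit=MAX_HEADER_BYTES)
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    asyncio.run(serve())
```

Run the block directly to start the listener on 127.0.0.1:8080 (an assumed address). In production the same two controls are normally set as directives on the reverse proxy or web server in front of the application rather than hand-written; the point of the example is to show what those directives have to track per connection.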

The Evolution of Slowloris and Its Relevance Today

Slowloris has been around for more than 15 years and continues to be used by threat actors with various motives to plague organizations through new variants and implementations.

Origins of Slowloris

Slowloris was made public by a security researcher named Robert Hansen, aka “RSnake”. He published a blog post in 2009 along with a Perl script that demonstrated how to perform the attack, and selected the name Slowloris because it embodies the qualities of the attack method and was novel.

No sooner was the information released than reports of the first high-profile Slowloris attack emerged. That same year, Iran accused the U.S. of launching a series of Slowloris attacks against its government websites. The attacks lasted for weeks and caused significant disruption.

Is Slowloris Still a Threat?

Since 2009 there have been other significant Slowloris attacks including a 2011 attack against the CIA website, reportedly by the hacker group LulzSec, that took the site offline for several hours. In 2018, a group of attackers known as MoneyTaker was accused of leveraging Slowloris to launch attacks against several banks in Russia.

Whether for hacktivism, fraud, or to simply cause disruption, Slowloris attacks remain a threat because they are a simple yet effective way to take down a website with minimal resources. The attack has also evolved over the years. New variants have emerged including PyLoris, SlowHTTPTest, OWASP HTTP Post Tool, and others. New features include encryption, proxy support, randomization, and multithreading. Additionally, some variants have been designed to target additional web servers or protocols such as Apache HTTP Server, Internet Information Services (IIS), Secure Sockets Layer (SSL), and HTTPS.

Best Practices for Protecting Your Server

Because Slowloris remains a credible threat to organizations, and specifically to their public-facing websites, it’s important to protect web servers against these attacks. The following best practices can help.

Ongoing Security Maintenance

A few relatively simple but important best practices can help prevent servers from being vulnerable to Slowloris attacks.

  • Updating server configurations for robust load balancing to distribute traffic across multiple servers, essentially rerouting traffic to servers that aren’t impacted to maintain service for legitimate traffic.
  • Applying security patches using a web application firewall or other virtual patching techniques to prevent Slowloris attacks that leverage known vulnerabilities.
  • Understanding the baseline for requests and connections and then setting limits to alert when activity attempts to exceed thresholds for what is considered normal.
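The last item, learning a baseline and alerting when activity exceeds it, is illustrated by this added example (not from the original post). It takes a constructed minute-by-minute series of concurrent-connection counts, derives a threshold from the quiet part of the series, and only alerts once the threshold has been exceeded for two consecutive samples, so a single spike does not page anyone.

```python
"""Derive an alert threshold for concurrent connections from a baseline, then
flag minutes that stay above it.

Added example for this post (not the page's code); the minute-by-minute
counts are constructed. The rule used here, mean plus k standard deviations
over a quiet window with a minimum margin, is one common choice, not the
only one.
"""
from statistics import mean, pstdev

# Constructed: open-connection count sampled once a minute. The first 20
# minutes are normal traffic; a slow build-up of held-open connections
# starts after that, which is the Slowloris signature in this metric.
SAMPLES = [48, 52, 50, 47, 55, 51, 49, 53, 50, 46,
           54, 52, 48, 51, 49, 50, 53, 47, 52, 50,
           56, 67, 79, 94, 110, 131, 150, 168, 185, 200]


def baseline_threshold(values, k=3.0, min_margin=5.0):
    """Upper alert threshold: baseline mean plus k standard deviations, but
    never closer than min_margin so a perfectly flat baseline does not
    alert on any tiny wobble."""
    return mean(values) + max(k * pstdev(values), min_margin)


def alerts(samples, baseline_len=20, k=3.0, min_consecutive=2):
    """Return (threshold, indexes) where indexes are the sample positions at
    which the count has exceeded the threshold for at least min_consecutive
    samples in a row. One-off spikes therefore never appear."""
    threshold = baseline_threshold(samples[:baseline_len], k)
    flagged, streak = [], 0
    for i in range(baseline_len, len(samples)):
        streak = streak + 1 if samples[i] > threshold else 0
        if streak >= min_consecutive:
            flagged.append(i)
    return threshold, flagged


if __name__ == "__main__":
    thr, idx = alerts(SAMPLES)
    print(f"threshold={thr:.1f} alert minutes={idx}")
```

The baseline window length and the multiplier are the knobs to tune against your own traffic; a site with a daily cycle would compute the baseline per hour-of-day rather than from one flat window.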

Implementing Effective DDoS Protection

One of the most effective ways to protect against the gamut of DDoS attacks, including Slowloris attacks, is with DDoS protection. The most advanced solutions will allow you to maintain uninterrupted service availability even in the midst of a DDoS attack and protect you against follow-on threats including data leakage, ransom attacks, and other threats to your operations.

Conclusion

Named after a little primate that appears to be cute and cuddly but is also venomous, Slowloris attacks are an inconspicuous and simple way to cause pain to organizations. Slowloris DDoS attacks take a low and slow approach to exhausting web servers. Without the typical tell-tale sign of massive bandwidth consumption, these attacks are more complex to detect and methodically chip away at performance until an organization’s website is taken down.

Signs to watch for include slow website loading times, increased server resource usage, multiple incomplete connections, anomalous network traffic patterns, and an inability to access the website.

Because Slowloris remains a credible threat to organizations, and specifically to their public-facing websites, it’s important to protect web servers against these attacks. Best practices include monitoring server logs, updating server configurations, applying security patches, and establishing thresholds and limiting the number of requests and connections.

While Slowloris attacks were designed to evade intrusion prevention systems, technologies that are effective in helping to detect and prevent the risk of these attacks include reverse proxies, web application firewalls, and using an advanced DDoS protection solution.

DDoS protection coupled with intelligence to stay ahead of emerging threats provides uninterrupted service availability even in the midst of a Slowloris DDoS attack, and can also protect you from other types of DDoS attacks and the follow-on malicious activity that can threaten your operations. Visit our threat intelligence research center for more information on DDoS defense in depth.

FAQ

What is a Slowloris DDoS attack?

Slowloris is a DDoS attack that targets the application layer (Layer 7) of the OSI model. It uses partial HTTP requests to open connections to a targeted Web server, and then leaves the connections open for as long as possible without completing the request. This drains server resources, gradually slowing performance and ultimately overwhelming the target.

How does a Slowloris DDoS attack work?

There are four steps to a Slowloris attack. 1) The attacker issues a command to send multiple partial HTTP requests to a targeted server. 2) The targeted server opens a connection for each request but never completes the request. 3) To prevent the server from closing the connection, the attacker periodically sends additional partial requests to keep the connection open. 4) Eventually, the targeted server will run out of available connections and will no longer be able to respond to legitimate connection requests, which leads to denial of service.

How is Slowloris different from other DDoS attacks?

Traditional DDoS attacks overwhelm a server with a massive flood of HTTP requests on an ongoing basis. A spike in consumption of bandwidth is a key indicator of this type of attack. In sharp contrast, Slowloris attacks take a low and slow approach. Instead of tens of thousands of requests, the attacker sends only a few hundred requests at regular intervals which makes these attacks more complex to detect.

What servers are most vulnerable to a Slowloris attack?

Slowloris attacks can target many types of web server software, but they are particularly effective against Apache 1.x and 2.x software. However, new variants have emerged that target additional web servers or protocols such as Apache HTTP Server, Internet Information Services (IIS), Secure Sockets Layer (SSL), and HTTPS.

How can I detect a Slowloris attack?

Slow website loading times, increased server resource usage, many incomplete connections, anomalous network traffic patterns, and the inability to access the website are all signs that a Slowloris attack may be impacting your organization. However, the most effective and efficient way to detect and prevent a Slowloris attack is with an advanced DDoS protection solution that can mitigate the attack while maintaining access to your website for legitimate users.

Who invented the Slowloris attack?

Slowloris was invented by a security researcher named Robert Hansen, aka “RSnake”. In 2009, he published a blog post along with a Perl script that demonstrated how to perform the attack.