Slow app layer DoS attacks can bring your servers down quickly

January 12, 2012

Posted in: Network Security Trends

To paraphrase Alice (with apologies to Lewis Carroll and all my high school and college English teachers), denial-of-service attacks are getting “insidiouser and insidiouser.” The latest proof-of-concept “slow” application layer DoS attack is yet another demonstration that attackers don’t need huge botnet armies flooding your networks to hobble your business.

The new attack, crafted by Qualys developer Sergey Shekyan, takes a different tack from the other slow DoS attacks, Slowloris and slow HTTP POST, which gum up web servers by slowing the request. Instead, Shekyan’s attack leverages slow reading of the server’s responses.

What all these techniques have in common is denial of service through legitimate connections to the server, the prime characteristic of the newer, sneakier application layer attacks, which are being launched with alarming frequency against business, public sector and political targets. HTTP GET attacks, for example, overwhelm target servers with a large number of bona fide requests: the connections are established normally, and it is the sheer number of them that exhausts the server’s resources.

Application layer attacks are tougher to detect and mitigate than typical network flooding techniques, such as SYN floods, UDP floods and ICMP attacks, which seek to overwhelm the network with traffic. These gained notoriety when a wave of distributed denial-of-service (DDoS) attacks brought down a number of high-profile websites in 2000, and have been common since. SYN floods, for example, use large botnets to send thousands of connection requests to the target server (a web app server, a DNS server, etc.) but never answer the server’s SYN-ACK with the final ACK that would complete the handshake, leaving the server holding half-open connections. In UDP attacks, UDP packets are sent to each of the 65,535 ports on the target system.

Flooding attacks are marked by extremely high traffic volume and can be mitigated by having your ISP ratchet up your bandwidth to accommodate the spikes, and/or by using a cloud-based anti-DDoS “clean pipe” service, which proxies suspect traffic and scrubs it of malicious packets. On-premises anti-DDoS appliances can detect and mitigate both network and application layer attacks.

Application layer attacks, however, generate far less traffic and are therefore harder to detect and harder to mitigate. The slow attacks in particular rely less on traffic volume and more on sly manipulation of the protocol itself.

Shekyan’s attack works by reading the response slowly, advertising a TCP receive window that is smaller than the target server’s send buffer. Since TCP keeps a connection open even when no data is flowing, the attacker can force the server to hold a large number of connections open, eventually achieving denial of service. Because the client advertises only a small receive window, the server has to deliver its response in small chunks. In his example, a normal request would generate a response in several 1448-byte TCP packets. With the slow-read technique, however, the attacker advertises a receive window of only 28 bytes. The web server sends an initial 28 bytes and then keeps polling the client for available receive space at increasing intervals, while the connection (and the server resources behind it) stays open the whole time.

Slowloris sends partial requests to the target server: it opens connections, then keeps adding HTTP headers over time without ever completing the request. Slow HTTP POST sends headers declaring how much body data is to follow, but then sends that data very slowly, using thousands of such POST connections to DDoS the web server.
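What the three techniques above share, from the server's side, is a connection that stays open for a long time while moving almost no data: Slowloris and slow POST stall the request direction, Shekyan's slow read stalls the response direction. That makes per-connection throughput, measured after a short grace period, the natural thing to alert on. The script below is an added example written for this post, not code from Qualys or from the post itself. It applies a minimum-rate rule (the same idea Apache's mod_reqtimeout uses) to constructed connection samples; the field names, thresholds and client addresses are assumptions, and in a real deployment the records would come from the web server's status page or the OS socket table.

```python
"""Flag slow HTTP DoS connections (slow read, Slowloris, slow POST) by
throughput per connection, then alert on sources with many stalled ones.

Added example for illustration; all records below are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Conn:
    client: str      # remote address (constructed sample values)
    age_s: float     # seconds since the connection was accepted
    bytes_in: int    # request bytes received from the client so far
    bytes_out: int   # response bytes sent to the client so far
    state: str       # "reading" (request phase) or "writing" (response phase)


# Policy knobs (assumed values; tune to the site's normal traffic).
GRACE_S = 10.0          # connections younger than this are never judged
MIN_RATE_BPS = 500.0    # minimum acceptable bytes/second in the active direction
PER_CLIENT_LIMIT = 5    # stalled connections from one source before alerting


def rate_bps(c: Conn) -> float:
    """Throughput in the direction the connection is currently moving data."""
    moved = c.bytes_in if c.state == "reading" else c.bytes_out
    return moved / c.age_s if c.age_s > 0 else float("inf")


def is_stalled(c: Conn) -> bool:
    """A connection is stalled once it has outlived the grace period and
    its active direction is still below the minimum rate. Young connections
    are exempt so a normal page load is not mis-flagged mid-flight."""
    return c.age_s >= GRACE_S and rate_bps(c) < MIN_RATE_BPS


def stalled_sources(conns) -> dict:
    """Count stalled connections per client and return only the sources at or
    over the per-client limit. A single slow client (poor mobile link, say)
    stays below the limit and is not reported."""
    counts = defaultdict(int)
    for c in conns:
        if is_stalled(c):
            counts[c.client] += 1
    return {ip: n for ip, n in counts.items() if n >= PER_CLIENT_LIMIT}


# Constructed samples (TEST-NET documentation addresses, not real hosts).
SAMPLE_CONNS = [
    # Slowloris-style source: six old connections, headers trickling in.
    *[Conn("203.0.113.10", 60.0, 300, 0, "reading") for _ in range(6)],
    # Slow-read-style source: five old connections draining a response in
    # tiny window-sized chunks, so almost nothing has gone out.
    *[Conn("198.51.100.7", 120.0, 410, 560, "writing") for _ in range(5)],
    # Normal browser: fresh, fast connections still inside the grace period.
    Conn("192.0.2.25", 2.0, 410, 48000, "writing"),
    Conn("192.0.2.25", 1.5, 380, 12000, "writing"),
    # One genuinely slow client: stalled by rate, but alone, so no alert.
    Conn("192.0.2.88", 30.0, 410, 9000, "writing"),
]


if __name__ == "__main__":
    for c in SAMPLE_CONNS:
        print(f"{c.client:14} {c.state:8} age={c.age_s:6.1f}s "
              f"rate={rate_bps(c):8.1f} B/s stalled={is_stalled(c)}")
    print("sources to act on:", stalled_sources(SAMPLE_CONNS))
```

The per-client threshold is what keeps this from punishing an ordinary slow user; on real data you would also exclude known-slow paths such as large downloads. On the mitigation side the same minimum-rate idea is available directly in the server: Apache's mod_reqtimeout (`RequestReadTimeout` with `MinRate`) covers the slow-request cases, and nginx's `client_header_timeout`, `client_body_timeout` and `send_timeout` (with `reset_timedout_connection on`) bound how long a request or response may stall before the connection is dropped.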

The message here is that DDoS, like most malicious security threats, is multidimensional. Be prepared to detect and counter both the more well-known attacks that smack you in the face and the ingenious creations that will slip in and undermine your business before you know what hit you.
