Why Would a Cute Little Slow Loris Take Down a Web Server?

By Linda Musthaler | June 24, 2014

Posted in: Network Security Trends

You've heard of the "infinite monkey theorem," which says that a monkey hitting typewriter keys at random for an infinite amount of time will almost surely, eventually, type out the complete works of Shakespeare. Is it possible that another little primate, the incredibly cute slow loris, is capable of taking down web servers with a clever type of denial of service (DoS) attack? Slowloris can be a problem, but I'm not talking about the tiny wide-eyed primates that hang around the trees in Southeast Asia.

Slowloris is a tool released into the wild in 2009 by Robert "RSnake" Hansen to prove a point. It was written to demonstrate how a single computer can take an entire web server offline, not by flooding it, but by quietly occupying every worker the server is willing to run. It was intended to show the Apache project how its server can be attacked because of a design principle. I won't call it a design flaw, because the server was built to behave that way for a logical reason. It's just that people have learned that the design can be exploited to take the server down in a DoS attack.

The Slowloris tool performs a DoS attack on Apache HTTP Server and on other servers that dedicate a thread or process to each connection by exhausting that pool of workers. The tool holds each connection open by sending a valid but incomplete HTTP request: the request line and a few headers, but never the blank line (an empty CRLF) that ends the header block, so the server keeps waiting for the rest. Every now and then, just before the server's timeout would expire, it sends a bit more (typically one more bogus header line) over that connection, which both keeps the connection open and resets the timeout clock.

Eventually every worker is tied up waiting on a half-finished request, and no other client can get a response until at least some of the held connections are released.

As an attack tool, Slowloris is distinctly different from others in that it is not a TCP-level DoS: it does not spoof SYN packets or try to saturate a link. It completes the TCP handshake and then speaks perfectly legitimate, if unfinished, HTTP. It needs only a few hundred connections, each kept alive with a few bytes sent at regular intervals over a long period. As a result, the tool doesn't have to send much traffic at all to exhaust the available workers on a server. This makes it possible for attackers with very limited bandwidth to mount a successful attack.

This is precisely what happened in 2009 when people protesting the Iranian presidential election used Slowloris to launch DoS attacks against websites run by that country's government. Rather than launch a bandwidth-consuming DDoS attack that would have degraded Internet access for a broad group of people, the protestors used Slowloris to narrowly target specific government websites. The attacks had a high impact at a relatively low bandwidth rate, i.e., no collateral damage to unrelated services.

The web servers that are susceptible to a Slowloris attack handle each connection with a thread or process and cap the number of threads/processes that can be spawned (MaxClients, renamed MaxRequestWorkers in Apache 2.4) in order to keep from exhausting the memory on the server. This limit is intended to keep the server from slowing down or swapping for lack of memory. Also, a connection is held open indefinitely as long as the client sends something before the read timeout expires (Apache's Timeout directive, historically 300 seconds); every byte received resets that clock. This is intended to accommodate clients on slow connections and large uploads. Slowloris exploits these two traits together to cause an "all the permitted threads are busy" problem.

There are several ways to try to reduce the impact of such an attack on a vulnerable server. Mitigation methods include increasing the maximum number of workers the web server will allow; limiting the number of connections a single IP address may hold open; imposing a minimum transfer rate and an absolute deadline for receiving the request headers (Apache's mod_reqtimeout does exactly this); and restricting how long a client is allowed to stay connected. Of course, these techniques can be circumvented rather easily by determined attackers: more workers only raise the number of connections needed, and a per-IP cap is defeated by spreading the connections across more source addresses.
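To make the timing argument in the previous paragraphs concrete, here is an added example (my own Python, not code from the original post and not the Slowloris tool itself) that builds the kind of never-finished request described above and simulates two server policies against it: a plain idle timeout, which the trickle resets every time, and a mod_reqtimeout-style absolute header deadline with a minimum transfer rate, which closes the connection regardless. The host name, the send intervals and the 20/40-second, 500-bytes-per-second budget are assumed values for illustration; nothing is sent over the network.

```python
"""Model of a Slowloris connection against two server read-timeout policies.

Added example, not code from the original post or from the Slowloris tool.
Nothing here opens a socket: the attacker's byte stream is constructed inline
and the server-side timers are simulated in seconds.
"""
from __future__ import annotations

from dataclasses import dataclass

CRLF = b"\r\n"


def partial_request(host: str, path: str = "/") -> bytes:
    """A syntactically valid HTTP/1.1 request that is never finished.

    The empty line (CRLF CRLF) that terminates the header block is deliberately
    missing, so a conforming server keeps its worker waiting for more headers.
    """
    return (
        f"GET {path} HTTP/1.1".encode() + CRLF
        + f"Host: {host}".encode() + CRLF
        + b"User-Agent: Mozilla/5.0" + CRLF   # no blank line follows
    )


def trickle_header(n: int) -> bytes:
    """The 'bit more information' sent just before timeout: one bogus header."""
    return f"X-a: {n}".encode() + CRLF


def headers_complete(buf: bytes) -> bool:
    """A server may dispatch the request only once the header block is closed."""
    return CRLF + CRLF in buf


@dataclass(frozen=True)
class Chunk:
    at: float      # seconds after the TCP connection was accepted
    data: bytes


def slowloris_schedule(host: str, interval: float, count: int) -> list[Chunk]:
    """Constructed attacker timeline: the partial request at t=0, then one more
    header line every `interval` seconds, `count` times (assumed values)."""
    chunks = [Chunk(0.0, partial_request(host))]
    chunks += [Chunk(float(i * interval), trickle_header(i))
               for i in range(1, count + 1)]
    return chunks


def idle_timeout_policy(chunks: list[Chunk], timeout: float) -> tuple[str, float]:
    """Server that only enforces an idle timeout (Apache's classic Timeout).

    Every received byte resets the clock, which is exactly what Slowloris
    exploits. Returns ("served", t), ("closed", t) or ("held", t); "held" means
    the worker is still occupied after the last chunk of the schedule.
    """
    buf, last = b"", 0.0
    for c in chunks:
        if c.at - last > timeout:
            return ("closed", last + timeout)
        buf, last = buf + c.data, c.at
        if headers_complete(buf):
            return ("served", c.at)
    return ("held", last)


def header_budget_policy(chunks: list[Chunk], initial: float, maximum: float,
                         min_rate: float) -> tuple[str, float]:
    """Server with an absolute header deadline plus a minimum transfer rate,
    modelled on mod_reqtimeout's 'RequestReadTimeout header=initial-maximum,
    MinRate=min_rate': the client gets `initial` seconds for the whole header
    block, extended by one second per `min_rate` bytes received, but never
    beyond `maximum` seconds after the connection was accepted.
    """
    buf, deadline = b"", float(initial)
    for c in chunks:
        if c.at > deadline:
            return ("closed", deadline)
        buf += c.data
        if headers_complete(buf):
            return ("served", c.at)
        deadline = min(float(maximum), deadline + len(c.data) / min_rate)
    # Headers never completed: the deadline fires whatever else trickles in.
    return ("closed", deadline)


def workers_exhausted(max_workers: int, per_ip_limit: int, attacker_ips: int) -> bool:
    """Why a per-IP connection cap only raises the price: an attacker with
    enough source addresses still fills every worker slot."""
    return attacker_ips * per_ip_limit >= max_workers


if __name__ == "__main__":
    attack = slowloris_schedule("example.test", interval=290, count=5)
    print(idle_timeout_policy(attack, timeout=300))       # ('held', 1450.0)
    print(idle_timeout_policy(attack, timeout=60))        # ('closed', 60.0)
    print(header_budget_policy(attack, 20, 40, 500))      # ('closed', 20.122)
    print(workers_exhausted(256, per_ip_limit=20, attacker_ips=13))  # True
```

Against a 300-second idle timeout the worker is still "held" after the whole schedule, while the same stream is cut off at 20.122 seconds under the header budget, because the 61-byte partial request buys only 0.122 seconds of extension at 500 bytes per second. The Apache directive for the second policy is `RequestReadTimeout header=20-40,MinRate=500` (mod_reqtimeout, shipped with Apache 2.2.15 and later). The last function shows why a per-IP cap of 20 connections on a 256-worker server is beaten by 13 source addresses.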

The best way to prevent what some have called "death by partial request" is to use a purpose-built anti-DDoS solution that can figure out pretty quickly what's going on with the HTTP traffic and drop it like a hot potato. With that, the only kind of slow loris you have to think about is the cute kind with the wide inquisitive eyes.
