Slowloris
Slowloris is a piece of software written by Robert "RSnake" Hansen which allows a single machine to take down another machine's web server with minimal bandwidth and side effects on unrelated services and ports.

Slowloris tries to keep many connections to the target web server open and hold them open as long as possible. It accomplishes this by opening connections to the target web server and sending a partial request. Periodically, it will send subsequent HTTP headers, adding to—but never completing—the request. Affected servers will keep these connections open, filling their maximum concurrent connection pool, eventually denying additional connection attempts from clients.

Affected Web Servers

There are a number of web servers that are vulnerable to Slowloris' form of attack. Some of the vulnerable web servers include Apache 1.x, Apache 2.x, dhttpd, and the GoAhead WebServer software.

Mitigating the Slowloris attack

While there are no reliable configurations of the affected web servers that will prevent the Slowloris attack, there are ways to mitigate or reduce the impact of such an attack. In general these involve increasing the maximum number of clients the webserver will allow, limiting the number of connections a single IP address is allowed to make, imposing restrictions on the minimum transfer speed a connection is allowed to have, and restricting the length of time a client is allowed to stay connected.
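
The limits described above (a per-address connection cap, a minimum transfer speed and a maximum time to deliver the request), applied to a snapshot of open connections. This is an added example, not code from Slowloris or from any web server; the `Conn` record, the threshold values and the sample table are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Conn:
    conn_id: int
    src_ip: str
    opened_at: float    # seconds on a monotonic clock
    header_bytes: int   # request bytes received so far
    headers_done: bool  # True once the blank line ending the headers arrived

# Assumed policy values for illustration; tune against real traffic.
MAX_CONNS_PER_IP = 3
HEADER_DEADLINE_S = 30.0  # longest a client may take to finish its headers
GRACE_S = 5.0             # do not judge transfer rate before this age
MIN_RATE_BPS = 50.0       # minimum average header bytes per second

def connections_to_drop(conns, now):
    """Return {conn_id: reason} for connections the policy would close."""
    drop = {}
    by_ip = defaultdict(list)
    for c in conns:
        by_ip[c.src_ip].append(c)
        if c.headers_done:
            continue  # request is complete, so it is not a held-open partial
        age = now - c.opened_at
        if age > HEADER_DEADLINE_S:
            drop[c.conn_id] = "header deadline exceeded"
        elif age > GRACE_S and c.header_bytes / age < MIN_RATE_BPS:
            drop[c.conn_id] = "below minimum transfer rate"
    # Per-address cap counts every open connection, as an accept-time limit
    # would: the oldest MAX_CONNS_PER_IP stay, later ones are refused.
    for group in by_ip.values():
        group.sort(key=lambda c: c.opened_at)
        for c in group[MAX_CONNS_PER_IP:]:
            drop.setdefault(c.conn_id, "per-IP connection limit")
    return drop

# Constructed sample table; addresses are from documentation ranges.
SAMPLE = [
    Conn(1, "198.51.100.7", 95.0, 420, True),   # ordinary completed request
    Conn(2, "203.0.113.9", 60.0, 180, False),   # 40 s old, headers unfinished
    Conn(3, "203.0.113.9", 80.0, 120, False),   # 20 s old at 6 B/s
    Conn(4, "203.0.113.9", 98.0, 40, False),    # new, still inside grace
    Conn(5, "203.0.113.9", 99.0, 40, False),    # fourth connection from one IP
    Conn(6, "192.0.2.44", 92.0, 800, False),    # slow client at 100 B/s
]

if __name__ == "__main__":
    for cid, reason in connections_to_drop(SAMPLE, now=100.0).items():
        print(cid, reason)
```

The slow but steadily sending client (connection 6) is kept, which is the trade-off a minimum-rate threshold has to balance against legitimate users on poor links.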

In the Apache web server, a number of modules can be used to limit the damage caused by the Slowloris attack; the Apache modules mod_limitipconn, mod_qos, mod_evasive, mod_security, mod_noloris, and mod_antiloris have all been suggested as means of reducing the likelihood of a successful Slowloris attack.

Other mitigating techniques involve setting up reverse proxies, firewalls, load balancers or content switches. Administrators could also change the affected web server to software that is unaffected by this form of attack. For example, lighttpd and nginx do not succumb to this specific attack.

Notable usage

During the protests that erupted in the wake of the 2009 Iranian presidential election, Slowloris arose as a prominent tool used to leverage DoS attacks against sites run by the Iranian government. The belief was that using a DDoS attack would affect internet access for the government and protesters equally, due to the significant bandwidth they can use. The Slowloris attack was chosen instead, because of its high impact and relatively low bandwidth. A number of government-run sites were targeted during these attacks, including gerdab.ir, leader.ir, and president.ir.


Similar software

Since its release, a number of programs have appeared that mimic the function of Slowloris while providing additional functionality, or running in different environments:
  • PyLoris - A protocol-agnostic Python implementation supporting Tor and SOCKS proxies.
  • QSlowloris - An executable form of Slowloris designed to run on Windows, featuring a Qt front end.
  • An unnamed PHP version which can be run from an HTTP server.


The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.
 