Slowloris (computer security): Difference between revisions

From Wikipedia, the free encyclopedia
Browse history interactively
← Previous edit
Content deleted Content added
VisualWikitext
→‎Notable usage: Added content.
Tags: Mobile edit Mobile web edit
Rescuing 21 sources and tagging 0 as dead.) #IABot (v2.0.9.5
 
(27 intermediate revisions by 21 users not shown)
Line 42: Line 42:
* Deny All WAF (patched)<ref>{{cite web |url=http://www.denyall.com/files/090703-Flash-Presse-contre-Slowloris.pdf |title=Archived copy |accessdate=2013-05-15 |url-status=dead |archiveurl=https://web.archive.org/web/20140201201359/http://www.denyall.com/files/090703-Flash-Presse-contre-Slowloris.pdf |archivedate=1 February 2014 }}</ref>
* Deny All WAF (patched)<ref>{{cite web |url=http://www.denyall.com/files/090703-Flash-Presse-contre-Slowloris.pdf |title=Archived copy |accessdate=2013-05-15 |url-status=dead |archiveurl=https://web.archive.org/web/20140201201359/http://www.denyall.com/files/090703-Flash-Presse-contre-Slowloris.pdf |archivedate=1 February 2014 }}</ref>
* [[Flask (web framework)|Flask]] (development server)
* [[Flask (web framework)|Flask]] (development server)
* Internet Information Services (IIS) 6.0 and earlier <ref>{{cite web |title=Slowloris |url=https://www.powerwaf.com/learning/ddos-attacks/slowloris-attack/#known-servers-vulnerable-to-slowloris-attacks |website=www.powerwaf.com |access-date=17 July 2023 |archive-date=17 July 2023 |archive-url=https://web.archive.org/web/20230717161742/https://www.powerwaf.com/learning/ddos-attacks/slowloris-attack/#known-servers-vulnerable-to-slowloris-attacks |url-status=live }}</ref>
* Nginx 1.5.9 and earlier <ref>{{cite web |title=Slowloris |url=https://www.powerwaf.com/learning/ddos-attacks/slowloris-attack/#known-servers-vulnerable-to-slowloris-attacks |website=www.powerwaf.com |access-date=17 July 2023 |archive-date=17 July 2023 |archive-url=https://web.archive.org/web/20230717161742/https://www.powerwaf.com/learning/ddos-attacks/slowloris-attack/#known-servers-vulnerable-to-slowloris-attacks |url-status=live }}</ref>


Vulnerable to Slowloris attack on the TLS handshake process:
Because Slowloris exploits [[C10k problem|problems handling thousands of connections]], the attack has less of an effect on servers that handle large numbers of connections well. Proxying servers and caching accelerators such as [[Varnish (software)|Varnish]], [[nginx]], and [[Squid (software)|Squid]] have been recommended<ref>{{cite web|url=http://serverfault.com/a/32472/129773|title=How to best defend against a "slowloris" DOS attack against an Apache web server?|website=serverfault.com|access-date=2016-12-28}}</ref> to mitigate this particular kind of attack. In addition, certain servers are more resilient to the attack by way of their design, including Hiawatha,<ref>{{cite web|url=https://www.hiawatha-webserver.org/weblog/64|title=Performance testing while under attack|publisher=hiawatha-webserver.org|date=28 February 2014}}</ref> [[Internet Information Services|IIS]], [[lighttpd]], [[Cherokee (web server)|Cherokee]], and [[Cisco Systems|Cisco CSS]].

* Apache HTTP Server 2.2.15 and earlier <ref>{{cite web |title=Slowloris |url=https://www.powerwaf.com/learning/ddos-attacks/slowloris-attack/#known-servers-vulnerable-to-slowloris-attacks |website=www.powerwaf.com |access-date=17 July 2023 |archive-date=17 July 2023 |archive-url=https://web.archive.org/web/20230717161742/https://www.powerwaf.com/learning/ddos-attacks/slowloris-attack/#known-servers-vulnerable-to-slowloris-attacks |url-status=live }}</ref>
* Internet Information Services (IIS) 7.0 and earlier <ref>{{cite web |title=Slowloris |url=https://www.powerwaf.com/learning/ddos-attacks/slowloris-attack/#known-servers-vulnerable-to-slowloris-attacks |website=www.powerwaf.com |access-date=17 July 2023 |archive-date=17 July 2023 |archive-url=https://web.archive.org/web/20230717161742/https://www.powerwaf.com/learning/ddos-attacks/slowloris-attack/#known-servers-vulnerable-to-slowloris-attacks |url-status=live }}</ref>

Because Slowloris exploits [[C10k problem|problems handling thousands of connections]], the attack has less of an effect on servers that handle large numbers of connections well. Proxying servers and caching accelerators such as [[Varnish (software)|Varnish]], [[nginx]], and [[Squid (software)|Squid]] have been recommended<ref>{{cite web|url=http://serverfault.com/a/32472/129773|title=How to best defend against a "slowloris" DOS attack against an Apache web server?|website=serverfault.com|access-date=2016-12-28}}</ref> to mitigate this particular kind of attack. In addition, certain servers are more resilient to the attack by way of their design, including Hiawatha,<ref>{{cite web|url=https://www.hiawatha-webserver.org/weblog/64|title=Performance testing while under attack|publisher=hiawatha-webserver.org|date=28 February 2014|access-date=15 March 2014|archive-date=15 March 2014|archive-url=https://web.archive.org/web/20140315023923/https://www.hiawatha-webserver.org/weblog/64|url-status=live}}</ref> [[Internet Information Services|IIS]], [[lighttpd]], [[Cherokee (web server)|Cherokee]], and [[Cisco Systems|Cisco CSS]].
<!--Every bit of this is supported by the ha.ckers.org reference - there's no need to inline the same citation over and over -->
<!--Every bit of this is supported by the ha.ckers.org reference - there's no need to inline the same citation over and over -->


Line 49: Line 56:
While there are no reliable configurations of the affected web servers that will prevent the Slowloris attack, there are ways to mitigate or reduce the impact of such an attack. In general, these involve increasing the maximum number of clients the server will allow, limiting the number of connections a single [[IP address]] is allowed to make, imposing restrictions on the minimum transfer speed a connection is allowed to have, and restricting the length of time a client is allowed to stay connected.
While there are no reliable configurations of the affected web servers that will prevent the Slowloris attack, there are ways to mitigate or reduce the impact of such an attack. In general, these involve increasing the maximum number of clients the server will allow, limiting the number of connections a single [[IP address]] is allowed to make, imposing restrictions on the minimum transfer speed a connection is allowed to have, and restricting the length of time a client is allowed to stay connected.


In the Apache web server, a number of modules can be used to limit the damage caused by the Slowloris attack; the Apache modules mod_limitipconn, [[mod_qos]], mod_evasive, [[mod security]], mod_noloris, and mod_antiloris have all been suggested as means of reducing the likelihood of a successful Slowloris attack.<ref name="ha.ckers.org"/><ref>{{cite web|url=http://bahumbug.wordpress.com/2009/07/01/mod_noloris-defending-against-dos/ |title=mod_noloris: defending against DoS |date=July 2009 |publisher=niq's soapbox |accessdate=7 January 2012}}</ref> Since Apache 2.2.15, Apache ships the module mod_reqtimeout as the official solution supported by the developers.<ref>{{cite web|url=https://httpd.apache.org/docs/2.4/mod/mod_reqtimeout.html |title=mod_reqtimeout - Apache HTTP Server |publisher=Httpd.apache.org |accessdate=2013-07-03}}</ref>
In the Apache web server, a number of modules can be used to limit the damage caused by the Slowloris attack; the Apache modules mod_limitipconn, [[mod_qos]], mod_evasive, [[mod security]], mod_noloris, and mod_antiloris have all been suggested as means of reducing the likelihood of a successful Slowloris attack.<ref name="ha.ckers.org"/><ref>{{cite web |url=http://bahumbug.wordpress.com/2009/07/01/mod_noloris-defending-against-dos/ |title=mod_noloris: defending against DoS |date=July 2009 |publisher=niq's soapbox |accessdate=7 January 2012 |archive-date=8 October 2011 |archive-url=https://web.archive.org/web/20111008151654/http://bahumbug.wordpress.com/2009/07/01/mod_noloris-defending-against-dos/ |url-status=live }}</ref> Since Apache 2.2.15, Apache ships the module mod_reqtimeout as the official solution supported by the developers.<ref>{{cite web |url=https://httpd.apache.org/docs/2.4/mod/mod_reqtimeout.html |title=mod_reqtimeout - Apache HTTP Server |publisher=Httpd.apache.org |accessdate=2013-07-03 |archive-date=3 July 2013 |archive-url=https://web.archive.org/web/20130703041319/http://httpd.apache.org/docs/2.4/mod/mod_reqtimeout.html |url-status=live }}</ref>


Other mitigating techniques involve setting up [[Reverse proxy|reverse proxies]], [[Firewall (computing)|firewalls]], [[Load balancing (computing)|load balancers]] or [[content switch]]es.<ref>{{cite web|last=Breedijk |first=Frank |url=http://www.cupfighter.net/index.php/2009/06/slowloris-css/ |title=Slowloris and Nkiller2 vs. the Cisco CSS load balancer |publisher=Cupfighter.net |date=22 June 2009 |archive-url=https://web.archive.org/web/20120215200011/http://www.cupfighter.net/index.php/2009/06/slowloris-css/ |accessdate=7 January 2012|archive-date=15 February 2012 }}</ref> Administrators could also change the affected web server to software that is unaffected by this form of attack. For example, [[lighttpd]] and [[nginx]] do not succumb to this specific attack.<ref name="ha.ckers.org"/>
Other mitigating techniques involve setting up [[Reverse proxy|reverse proxies]], [[Firewall (computing)|firewalls]], [[Load balancing (computing)|load balancers]] or [[content switch]]es.<ref>{{cite web|last=Breedijk |first=Frank |url=http://www.cupfighter.net/index.php/2009/06/slowloris-css/ |title=Slowloris and Nkiller2 vs. the Cisco CSS load balancer |publisher=Cupfighter.net |date=22 June 2009 |archive-url=https://web.archive.org/web/20120215200011/http://www.cupfighter.net/index.php/2009/06/slowloris-css/ |accessdate=7 January 2012|archive-date=15 February 2012 }}</ref> Administrators could also change the affected web server to software that is unaffected by this form of attack. For example, [[lighttpd]] and [[nginx]] do not succumb to this specific attack.<ref name="ha.ckers.org"/>
Line 55: Line 62:
==Notable usage==
==Notable usage==
{{Expand section|date=December 2009}}
{{Expand section|date=December 2009}}
During the protests that erupted in the wake of the [[2009 Iranian presidential election]], Slowloris arose as a prominent tool used to leverage [[DoS]] attacks against sites run by the Iranian government.<ref>{{cite web|last=Zdrnja |first=Bojan |url=https://isc.sans.edu/forums/diary/Slowloris+and+Iranian+DDoS+attacks/6622 |title=ISC Diary &#124; Slowloris and Iranian DDoS attacks |publisher=Isc.sans.org |date=23 June 2009 |accessdate=7 January 2012}}</ref> The belief was that flooding [[DDoS]] attacks would affect internet access for the government and protesters equally, due to the significant [[Bandwidth (computing)|bandwidth]] they can consume. The Slowloris attack was chosen instead, because of its high impact and relatively low bandwidth.<ref>[http://iran.whyweprotest.net/general-discussion/2156-list-anti-protester-sites-2.html] {{webarchive |url=https://web.archive.org/web/20090629152805/http://iran.whyweprotest.net/general-discussion/2156-list-anti-protester-sites-2.html |date=29 June 2009 }}</ref> A number of government-run sites were targeted during these attacks, including gerdab.ir, leader.ir, and president.ir.<ref>[http://iran.whyweprotest.net/help-iran-online/6194-condensed-list-sites-w-pictures-part-1-a.html] {{webarchive |url=https://web.archive.org/web/20090811013813/http://iran.whyweprotest.net/help-iran-online/6194-condensed-list-sites-w-pictures-part-1-a.html |date=11 August 2009 }}</ref>
During the protests that erupted in the wake of the [[2009 Iranian presidential election]], Slowloris arose as a prominent tool used to leverage [[DoS]] attacks against sites run by the Iranian government.<ref>{{cite web |last=Zdrnja |first=Bojan |url=https://isc.sans.edu/forums/diary/Slowloris+and+Iranian+DDoS+attacks/6622 |title=ISC Diary &#124; Slowloris and Iranian DDoS attacks |publisher=Isc.sans.org |date=23 June 2009 |accessdate=7 January 2012 |archive-date=12 November 2021 |archive-url=https://web.archive.org/web/20211112125751/https://isc.sans.edu/forums/diary/Slowloris+and+Iranian+DDoS+attacks/6622 |url-status=live }}</ref> The belief was that flooding [[DDoS]] attacks would affect internet access for the government and protesters equally, due to the significant [[Bandwidth (computing)|bandwidth]] they can consume. The Slowloris attack was chosen instead, because of its high impact and relatively low bandwidth.<ref>[http://iran.whyweprotest.net/general-discussion/2156-list-anti-protester-sites-2.html] {{webarchive|url=https://web.archive.org/web/20090629152805/http://iran.whyweprotest.net/general-discussion/2156-list-anti-protester-sites-2.html|date=29 June 2009}}</ref> A number of government-run sites were targeted during these attacks, including gerdab.ir, leader.ir, and president.ir.<ref>[http://iran.whyweprotest.net/help-iran-online/6194-condensed-list-sites-w-pictures-part-1-a.html] {{webarchive|url=https://web.archive.org/web/20090811013813/http://iran.whyweprotest.net/help-iran-online/6194-condensed-list-sites-w-pictures-part-1-a.html|date=11 August 2009}}</ref>


A variant of this attack was used by [[Email spam|spam]] network [[River City Media]] to force [[Gmail]] servers to send thousands of messages in bulk, by opening thousands of connections to the Gmail [[API]] with message sending requests, then completing them all at once.<ref>{{Cite web| last = Vickery| first = Chris| title = Spammergate: The Fall of an Empire| work = MacKeeper Security Watch| date = 2017-03-06| url = https://mackeeper.com/blog/post/339-spammergate-the-fall-of-an-empire| archive-url = https://web.archive.org/web/20170306152831/https://mackeeper.com/blog/post/339-spammergate-the-fall-of-an-empire| url-status = dead| archive-date = 2017-03-06}}</ref>
A variant of this attack was used by [[Email spam|spam]] network [[River City Media]] to force [[Gmail]] servers to send thousands of messages in bulk, by opening thousands of connections to the Gmail [[API]] with message sending requests, then completing them all at once.<ref>{{Cite web| last = Vickery| first = Chris| title = Spammergate: The Fall of an Empire| work = MacKeeper Security Watch| date = 2017-03-06| url = https://mackeeper.com/blog/post/339-spammergate-the-fall-of-an-empire| archive-url = https://web.archive.org/web/20170306152831/https://mackeeper.com/blog/post/339-spammergate-the-fall-of-an-empire| url-status = dead| archive-date = 2017-03-06}}</ref>

The program was also used on October 21st, 2022 by an unknown web user referred to by the handle “Neon Demon”, shutting down website servers of well known Russian company Gazprom’s websites Gazprom.com and Gazprom.ru for over a day, starting at around 4:30 CST. Servers were offline for more than 24 hours.


==Similar software==
==Similar software==
Since its release, a number of programs have appeared that mimic the function of Slowloris while providing additional functionality, or running in different environments:<ref>{{cite web|title=Slowloris|url=http://samsclass.info/seminars/slowloris.pdf|publisher=SecTheory|accessdate=7 January 2012|author=Robert "RSnake" Hansen}}</ref>
Since its release, a number of programs have appeared that mimic the function of Slowloris while providing additional functionality, or running in different environments:<ref>{{cite web|title=Slowloris|url=http://samsclass.info/seminars/slowloris.pdf|publisher=SecTheory|accessdate=7 January 2012|author=Robert "RSnake" Hansen|archive-date=19 January 2012|archive-url=https://web.archive.org/web/20120119135533/http://samsclass.info/seminars/slowloris.pdf|url-status=live}}</ref>
* PyLoris – A protocol-agnostic Python implementation supporting [[Tor (anonymity network)|Tor]] and SOCKS proxies.<ref>{{cite web |url=http://motomastyle.com/pyloris/ |archive-url=https://web.archive.org/web/20090715100428/http://motomastyle.com/pyloris/ |url-status=dead |archive-date=15 July 2009 |title=PyLoris |publisher=MotomaSTYLE |date=19 June 2009 |accessdate=7 January 2012 }}</ref>
* PyLoris – A protocol-agnostic Python implementation supporting [[Tor (anonymity network)|Tor]] and SOCKS proxies.<ref>{{cite web |url=http://motomastyle.com/pyloris/ |archive-url=https://web.archive.org/web/20090715100428/http://motomastyle.com/pyloris/ |url-status=dead |archive-date=15 July 2009 |title=PyLoris |publisher=MotomaSTYLE |date=19 June 2009 |accessdate=7 January 2012 }}</ref>
* Slowloris – A Python 3 implementation of Slowloris with SOCKS proxy support.<ref>{{cite web|url=https://github.com/gkbrk/slowloris|title=Slowloris rewrite in Python|website=[[GitHub]]|accessdate=10 May 2017}}</ref>
* Slowloris – A Python 3 implementation of Slowloris with SOCKS proxy support.<ref>{{cite web|url=https://github.com/gkbrk/slowloris|title=Slowloris rewrite in Python|website=[[GitHub]]|accessdate=10 May 2017|archive-date=16 July 2019|archive-url=https://web.archive.org/web/20190716180132/https://github.com/gkbrk/slowloris|url-status=live}}</ref>
* Goloris – Slowloris for nginx, written in Go.<ref>{{cite web|url=https://github.com/valyala/goloris|title=Slowloris for nginx DoS|author=valyala|website=[[GitHub]]|accessdate=4 February 2014}}</ref>
* Goloris – Slowloris for nginx, written in Go.<ref>{{cite web|url=https://github.com/valyala/goloris|title=Slowloris for nginx DoS|author=valyala|website=[[GitHub]]|accessdate=4 February 2014|archive-date=28 January 2016|archive-url=https://web.archive.org/web/20160128115830/https://github.com/valyala/goloris|url-status=live}}</ref>
* slowloris - Distributed Golang implementation<ref>{{Citation |last=Tsankov |first=Ivaylo |title=slowloris - Golang distributed Slowloris attack |date=2022-04-22 |url=https://github.com/itsankoff/slowloris |access-date=2022-04-24}}</ref>
* slowloris - Distributed Golang implementation<ref>{{Citation |last=Tsankov |first=Ivaylo |title=slowloris - Golang distributed Slowloris attack |date=2022-04-22 |url=https://github.com/itsankoff/slowloris |access-date=2022-04-24 |archive-date=24 April 2022 |archive-url=https://web.archive.org/web/20220424211540/https://github.com/itsankoff/slowloris |url-status=live }}</ref>
* QSlowloris – An executable form of Slowloris designed to run on Windows, featuring a [[Qt (toolkit)|Qt]] [[front end processor (program)|front end]].<ref>{{cite web|title=How to help take down gerdab.ir in 5 easy steps|url=http://cyberwar4iran.blogspot.com/|publisher=cyberwar4iran|accessdate=7 January 2012|date=28 June 2009}}</ref>
* QSlowloris – An executable form of Slowloris designed to run on Windows, featuring a [[Qt (toolkit)|Qt]] [[front end processor (program)|front end]].<ref>{{cite web|title=How to help take down gerdab.ir in 5 easy steps|url=http://cyberwar4iran.blogspot.com/|publisher=cyberwar4iran|accessdate=7 January 2012|date=28 June 2009|archive-date=8 July 2011|archive-url=https://web.archive.org/web/20110708032219/http://cyberwar4iran.blogspot.com/|url-status=live}}</ref>
* An unnamed PHP version which can be run from a HTTP server.<ref>{{cite web|url=http://seclists.org/fulldisclosure/2009/Jun/0207.html |title=Full Disclosure: apache and squid dos |publisher=Seclists.org |date=19 June 2009 |accessdate=7 January 2012}}</ref>
* An unnamed PHP version which can be run from a HTTP server.<ref>{{cite web |url=http://seclists.org/fulldisclosure/2009/Jun/0207.html |title=Full Disclosure: apache and squid dos |publisher=Seclists.org |date=19 June 2009 |accessdate=7 January 2012 |archive-date=27 June 2009 |archive-url=https://web.archive.org/web/20090627092145/http://seclists.org/fulldisclosure/2009/Jun/0207.html |url-status=live }}</ref>
* SlowHTTPTest – A highly configurable slow attacks simulator, written in C++.<ref>{{cite web|url=https://community.qualys.com/blogs/securitylabs/2011/09/19/testing-web-servers-for-slow-http-attacks |title=Testing Web Servers for Slow HTTP Attacks |publisher=qualys.com |date=19 September 2011 |accessdate=13 January 2012}}</ref><ref>{{cite web|url=https://github.com/shekyan/slowhttptest/ |title=shekyan/slowhttptest: Application Layer DoS attack simulator |publisher=GitHub |accessdate=2017-04-19}}</ref>
* SlowHTTPTest – A highly configurable slow attacks simulator, written in C++.<ref>{{cite web |url=https://community.qualys.com/blogs/securitylabs/2011/09/19/testing-web-servers-for-slow-http-attacks |title=Testing Web Servers for Slow HTTP Attacks |publisher=qualys.com |date=19 September 2011 |accessdate=13 January 2012 |archive-date=2 January 2014 |archive-url=https://web.archive.org/web/20140102191906/https://community.qualys.com/blogs/securitylabs/2011/09/19/testing-web-servers-for-slow-http-attacks |url-status=live }}</ref><ref>{{cite web |url=https://github.com/shekyan/slowhttptest/ |title=shekyan/slowhttptest: Application Layer DoS attack simulator |publisher=GitHub |accessdate=2017-04-19 |archive-date=19 July 2016 |archive-url=https://web.archive.org/web/20160719171244/https://github.com/shekyan/slowhttptest |url-status=live }}</ref>
* SlowlorisChecker – A Slowloris and Slow POST POC (Proof of concept). Written in Ruby.<ref>{{cite web|url=https://github.com/felmoltor/SlowlorisChecker |title=Simple script to check if some server could be affected by Slowloris attack |publisher=github.com/felmoltor |date=31 December 2012 |accessdate=31 December 2012}}</ref>
* SlowlorisChecker – A Slowloris and Slow POST POC (Proof of concept). Written in Ruby.<ref>{{cite web |url=https://github.com/felmoltor/SlowlorisChecker |title=Simple script to check if some server could be affected by Slowloris attack |publisher=github.com/felmoltor |date=31 December 2012 |accessdate=31 December 2012 |archive-date=28 January 2016 |archive-url=https://web.archive.org/web/20160128115830/https://github.com/felmoltor/SlowlorisChecker |url-status=live }}</ref>
* Cyphon - Slowloris for Mac OS X, written in Objective-C.<ref>{{cite web|url=https://github.com/abila5h/Cyphon-DoS|title=Slowloris for OSX|author=abilash|website=[[GitHub]]|accessdate=8 April 2017}}</ref>
* Cyphon - Slowloris for Mac OS X, written in Objective-C.<ref>{{cite web|url=https://github.com/abila5h/Cyphon-DoS|title=Slowloris for OSX|author=abilash|website=[[GitHub]]|accessdate=8 April 2017|archive-date=17 August 2020|archive-url=https://web.archive.org/web/20200817134457/https://github.com/abila5h/Cyphon-DoS|url-status=live}}</ref>
* sloww - Slowloris implementation written in Node.js.<ref>{{Citation|last=Davis|first=Ethan|title=sloww: Lightweight Slowloris attack CLI in Node|date=2018-02-17|url=https://github.com/ethanent/sloww|accessdate=2018-02-18}}</ref>
* sloww - Slowloris implementation written in Node.js.<ref>{{Citation|last=Davis|first=Ethan|title=sloww: Lightweight Slowloris attack CLI in Node|date=2018-02-17|url=https://github.com/ethanent/sloww|accessdate=2018-02-18|archive-date=9 November 2020|archive-url=https://web.archive.org/web/20201109040515/https://github.com/ethanent/sloww|url-status=live}}</ref>
* dotloris - Slowloris written in .NET Core<ref>{{cite web|url=https://github.com/bass3l/dotloris|title=Slowloris written in .Net core|author=Bassel Shmali|website=[[GitHub]]|date=28 November 2021}}</ref>
* dotloris - Slowloris written in .NET Core<ref>{{cite web|url=https://github.com/bass3l/dotloris|title=Slowloris written in .Net core|author=Bassel Shmali|website=[[GitHub]]|date=28 November 2021|access-date=31 March 2018|archive-date=17 June 2018|archive-url=https://web.archive.org/web/20180617163448/https://github.com/bass3l/dotloris|url-status=live}}</ref>
* [[Slowdroid|SlowDroid]] - An enhanced version of Slowloris written in Java, reducing at minimum the attack bandwidth<ref name="turningpaper">{{cite journal|last1=Cambiaso|first1=Enrico|last2=Papaleo|first2=Gianluca|last3=Aiello|first3=Maurizio|title=SlowDroid: Turning a Smartphone into a Mobile Attack Vector|journal=International Conference on Future Internet of Things and Cloud|date=2014|pages=405–410|doi=10.1109/FiCloud.2014.72|isbn=978-1-4799-4357-9|s2cid=14792419|url=https://zenodo.org/record/896552}}</ref>
* [[Slowdroid|SlowDroid]] - An enhanced version of Slowloris written in Java, reducing at minimum the attack bandwidth<ref name="turningpaper">{{cite book|last1=Cambiaso|first1=Enrico|last2=Papaleo|first2=Gianluca|last3=Aiello|first3=Maurizio|title=2014 International Conference on Future Internet of Things and Cloud|chapter=SlowDroid: Turning a Smartphone into a Mobile Attack Vector|date=2014|pages=405–410|doi=10.1109/FiCloud.2014.72|isbn=978-1-4799-4357-9|s2cid=14792419|chapter-url=https://zenodo.org/record/896552|access-date=2 March 2022|archive-date=2 March 2022|archive-url=https://web.archive.org/web/20220302150652/https://zenodo.org/record/896552|url-status=live}}</ref>


==See also==
==See also==

Latest revision as of 04:03, 20 April 2024

Slowloris
Initial release17 June 2009
Stable release
0.7
Written inPerl
PlatformCross-platform
Size36 kb
TypeHacking tool
Websiteha.ckers.org/slowloris/

Slowloris is a type of denial of service attack tool which allows a single machine to take down another machine's web server with minimal bandwidth and side effects on unrelated services and ports.

Slowloris tries to keep many connections to the target web server open and hold them open as long as possible. It accomplishes this by opening connections to the target web server and sending a partial request. Periodically, it will send subsequent HTTP headers, adding to, but never completing, the request. Affected servers will keep these connections open, filling their maximum concurrent connection pool, eventually denying additional connection attempts from clients.[1]

The program was named after slow lorises, a group of primates which are known for their slow movement.

Affected web servers[edit]

This includes but is not necessarily limited to the following, per the attack's author:[1]

  • Apache 1.x and 2.x
  • dhttpd
  • Websense "block pages" (unconfirmed)
  • Trapeze Wireless Web Portal (unconfirmed)
  • Verizon's MI424-WR FIOS Cable modem (unconfirmed)
  • Verizon's Motorola Set-top box (port 8082 and requires auth - unconfirmed)
  • BeeWare WAF (unconfirmed)
  • Deny All WAF (patched)[2]
  • Flask (development server)
  • Internet Information Services (IIS) 6.0 and earlier [3]
  • Nginx 1.5.9 and earlier [4]

Vulnerable to Slowloris attack on the TLS handshake process:

  • Apache HTTP Server 2.2.15 and earlier [5]
  • Internet Information Services (IIS) 7.0 and earlier [6]

Because Slowloris exploits problems handling thousands of connections, the attack has less of an effect on servers that handle large numbers of connections well. Proxying servers and caching accelerators such as Varnish, nginx, and Squid have been recommended[7] to mitigate this particular kind of attack. In addition, certain servers are more resilient to the attack by way of their design, including Hiawatha,[8]IIS, lighttpd, Cherokee, and Cisco CSS.

Mitigating the Slowloris attack[edit]

While there are no reliable configurations of the affected web servers that will prevent the Slowloris attack, there are ways to mitigate or reduce the impact of such an attack. In general, these involve increasing the maximum number of clients the server will allow, limiting the number of connections a single IP address is allowed to make, imposing restrictions on the minimum transfer speed a connection is allowed to have, and restricting the length of time a client is allowed to stay connected.

In the Apache web server, a number of modules can be used to limit the damage caused by the Slowloris attack; the Apache modules mod_limitipconn, mod_qos, mod_evasive, mod security, mod_noloris, and mod_antiloris have all been suggested as means of reducing the likelihood of a successful Slowloris attack.[1][9] Since Apache 2.2.15, Apache ships the module mod_reqtimeout as the official solution supported by the developers.[10]

Other mitigating techniques involve setting up reverse proxies, firewalls, load balancers or content switches.[11] Administrators could also change the affected web server to software that is unaffected by this form of attack. For example, lighttpd and nginx do not succumb to this specific attack.[1]

Notable usage[edit]

During the protests that erupted in the wake of the 2009 Iranian presidential election, Slowloris arose as a prominent tool used to leverage DoS attacks against sites run by the Iranian government.[12] The belief was that flooding DDoS attacks would affect internet access for the government and protesters equally, due to the significant bandwidth they can consume. The Slowloris attack was chosen instead, because of its high impact and relatively low bandwidth.[13] A number of government-run sites were targeted during these attacks, including gerdab.ir, leader.ir, and president.ir.[14]

A variant of this attack was used by spam network River City Media to force Gmail servers to send thousands of messages in bulk, by opening thousands of connections to the Gmail API with message sending requests, then completing them all at once.[15]

Similar software[edit]

Since its release, a number of programs have appeared that mimic the function of Slowloris while providing additional functionality, or running in different environments:[16]

  • PyLoris – A protocol-agnostic Python implementation supporting Tor and SOCKS proxies.[17]
  • Slowloris – A Python 3 implementation of Slowloris with SOCKS proxy support.[18]
  • Goloris – Slowloris for nginx, written in Go.[19]
  • slowloris - Distributed Golang implementation[20]
  • QSlowloris – An executable form of Slowloris designed to run on Windows, featuring a Qt front end.[21]
  • An unnamed PHP version which can be run from a HTTP server.[22]
  • SlowHTTPTest – A highly configurable slow attacks simulator, written in C++.[23][24]
  • SlowlorisChecker – A Slowloris and Slow POST POC (Proof of concept). Written in Ruby.[25]
  • Cyphon - Slowloris for Mac OS X, written in Objective-C.[26]
  • sloww - Slowloris implementation written in Node.js.[27]
  • dotloris - Slowloris written in .NET Core[28]
  • SlowDroid - An enhanced version of Slowloris written in Java, reducing at minimum the attack bandwidth[29]

See also[edit]

References[edit]

  1. ^ a b c d "Slowloris HTTP DoS". Archived from the original on 26 April 2015. Retrieved 26 June 2009.{{cite web}}: CS1 maint: bot: original URL status unknown (link)
  2. ^ "Archived copy" (PDF). Archived from the original (PDF) on 1 February 2014. Retrieved 15 May 2013.{{cite web}}: CS1 maint: archived copy as title (link)
  3. ^ "Slowloris". www.powerwaf.com. Archived from the original on 17 July 2023. Retrieved 17 July 2023.
  4. ^ "Slowloris". www.powerwaf.com. Archived from the original on 17 July 2023. Retrieved 17 July 2023.
  5. ^ "Slowloris". www.powerwaf.com. Archived from the original on 17 July 2023. Retrieved 17 July 2023.
  6. ^ "Slowloris". www.powerwaf.com. Archived from the original on 17 July 2023. Retrieved 17 July 2023.
  7. ^ "How to best defend against a "slowloris" DOS attack against an Apache web server?". serverfault.com. Retrieved 28 December 2016.
  8. ^ "Performance testing while under attack". hiawatha-webserver.org. 28 February 2014. Archived from the original on 15 March 2014. Retrieved 15 March 2014.
  9. ^ "mod_noloris: defending against DoS". niq's soapbox. July 2009. Archived from the original on 8 October 2011. Retrieved 7 January 2012.
  10. ^ "mod_reqtimeout - Apache HTTP Server". Httpd.apache.org. Archived from the original on 3 July 2013. Retrieved 3 July 2013.
  11. ^ Breedijk, Frank (22 June 2009). "Slowloris and Nkiller2 vs. the Cisco CSS load balancer". Cupfighter.net. Archived from the original on 15 February 2012. Retrieved 7 January 2012.
  12. ^ Zdrnja, Bojan (23 June 2009). "ISC Diary | Slowloris and Iranian DDoS attacks". Isc.sans.org. Archived from the original on 12 November 2021. Retrieved 7 January 2012.
  13. ^ [1] Archived 29 June 2009 at the Wayback Machine
  14. ^ [2] Archived 11 August 2009 at the Wayback Machine
  15. ^ Vickery, Chris (6 March 2017). "Spammergate: The Fall of an Empire". MacKeeper Security Watch. Archived from the original on 6 March 2017.
  16. ^ Robert "RSnake" Hansen. "Slowloris" (PDF). SecTheory. Archived (PDF) from the original on 19 January 2012. Retrieved 7 January 2012.
  17. ^ "PyLoris". MotomaSTYLE. 19 June 2009. Archived from the original on 15 July 2009. Retrieved 7 January 2012.
  18. ^ "Slowloris rewrite in Python". GitHub. Archived from the original on 16 July 2019. Retrieved 10 May 2017.
  19. ^ valyala. "Slowloris for nginx DoS". GitHub. Archived from the original on 28 January 2016. Retrieved 4 February 2014.
  20. ^ Tsankov, Ivaylo (22 April 2022), slowloris - Golang distributed Slowloris attack, archived from the original on 24 April 2022, retrieved 24 April 2022
  21. ^ "How to help take down gerdab.ir in 5 easy steps". cyberwar4iran. 28 June 2009. Archived from the original on 8 July 2011. Retrieved 7 January 2012.
  22. ^ "Full Disclosure: apache and squid dos". Seclists.org. 19 June 2009. Archived from the original on 27 June 2009. Retrieved 7 January 2012.
  23. ^ "Testing Web Servers for Slow HTTP Attacks". qualys.com. 19 September 2011. Archived from the original on 2 January 2014. Retrieved 13 January 2012.
  24. ^ "shekyan/slowhttptest: Application Layer DoS attack simulator". GitHub. Archived from the original on 19 July 2016. Retrieved 19 April 2017.
  25. ^ "Simple script to check if some server could be affected by Slowloris attack". github.com/felmoltor. 31 December 2012. Archived from the original on 28 January 2016. Retrieved 31 December 2012.
  26. ^ abilash. "Slowloris for OSX". GitHub. Archived from the original on 17 August 2020. Retrieved 8 April 2017.
  27. ^ Davis, Ethan (17 February 2018), sloww: Lightweight Slowloris attack CLI in Node, archived from the original on 9 November 2020, retrieved 18 February 2018
  28. ^ Bassel Shmali (28 November 2021). "Slowloris written in .Net core". GitHub. Archived from the original on 17 June 2018. Retrieved 31 March 2018.
  29. ^ Cambiaso, Enrico; Papaleo, Gianluca; Aiello, Maurizio (2014). "SlowDroid: Turning a Smartphone into a Mobile Attack Vector". 2014 International Conference on Future Internet of Things and Cloud. pp. 405–410. doi:10.1109/FiCloud.2014.72. ISBN 978-1-4799-4357-9. S2CID 14792419. Archived from the original on 2 March 2022. Retrieved 2 March 2022.

External links[edit]

Retrieved from "https://en.wikipedia.org/w/index.php?title=Slowloris_(computer_security)&oldid=1219837537"