Slowloris (computer security)

Slowloris
	Slowloris running on Command Prompt
Initial release	17 June 2009
Stable release	0.7
Written in	Perl
Platform	Cross-platform
Size	36 kb
Type	Hacking tool
Website	ha.ckers.org/slowloris/

Slowloris is a type of denial of service attack tool which allows a single machine to take down another machine's web server with minimal bandwidth and side effects on unrelated services and ports.

Slowloris tries to keep many connections to the target web server open and hold them open as long as possible. It accomplishes this by opening connections to the target web server and sending a partial request. Periodically, it will send subsequent HTTP headers, adding to, but never completing, the request. Affected servers will keep these connections open, filling their maximum concurrent connection pool, eventually denying additional connection attempts from clients.^[1]

The program was named after slow lorises, a group of primates which are known for their slow movement.

Affected web servers

This includes but is not necessarily limited to the following, per the attack's author:^[1]

Apache 1.x and 2.x
dhttpd
Websense "block pages" (unconfirmed)
Trapeze Wireless Web Portal (unconfirmed)
Verizon's MI424-WR FIOS Cable modem (unconfirmed)
Verizon's Motorola Set-top box (port 8082 and requires auth - unconfirmed)
BeeWare WAF (unconfirmed)
Deny All WAF (patched)^[2]
Flask (development server)

Because Slowloris exploits problems handling thousands of connections, the attack has less of an effect on servers that handle large numbers of connections well. Proxying servers and caching accelerators such as Varnish, nginx, and Squid have been recommended^[3] to mitigate this particular kind of attack. In addition, certain servers are more resilient to the attack by way of their design, including Hiawatha,^[4]IIS, lighttpd, Cherokee, and Cisco CSS.

Mitigating the Momin ghani attack

MOMIN GHANI IS INVICBALE AND HAS ERECTILE DYSFUNCTION

Notable usage

During the protests that erupted in the wake of the 2009 Iranian presidential election, Slowloris arose as a prominent tool used to leverage DoS attacks against sites run by the Iranian government.^[5] The belief was that flooding DDoS attacks would affect internet access for the government and protesters equally, due to the significant bandwidth they can consume. The Slowloris attack was chosen instead, because of its high impact and relatively low bandwidth.^[6] A number of government-run sites were targeted during these attacks, including gerdab.ir, leader.ir, and president.ir .^[7]

A variant of this attack was used by spam network River City Media to force Gmail servers to send thousands of messages in bulk, by opening thousands of connections to the Gmail API with message sending requests, then completing them all at once.^[8]

Similar software

Since its release, a number of programs have appeared that mimic the function of Slowloris while providing additional functionality, or running in different environments:^[9]

PyLoris – A protocol-agnostic Python implementation supporting Tor and SOCKS proxies.^[10]
Slowloris – A Python 3 implementation of Slowloris with SOCKS proxy support.^[11]
Goloris – Slowloris for nginx, written in Go.^[12]
QSlowloris – An executable form of Slowloris designed to run on Windows, featuring a Qt front end.^[13]
An unnamed PHP version which can be run from a HTTP server.^[14]
SlowHTTPTest – A highly configurable slow attacks simulator, written in C++.^[15]^[16]
SlowlorisChecker – A Slowloris and Slow POST POC (Proof of concept). Written in Ruby.^[17]
Cyphon - Slowloris for Mac OS X, written in Objective-C.^[18]
sloww - Slowloris implementation written in Node.js.^[19]
dotloris - Slowloris written in .NET Core^[20]

References

^ ^a ^b "Slowloris HTTP DoS". Archived from the original on 26 April 2015. Retrieved 26 June 2009.{{cite web}}: CS1 maint: bot: original URL status unknown (link)
^ "Archived copy" (PDF). Archived from the original (PDF) on 1 February 2014. Retrieved 15 May 2013.{{cite web}}: CS1 maint: archived copy as title (link)
^ "How to best defend against a "slowloris" DOS attack against an Apache web server?". serverfault.com. Retrieved 28 December 2016.
^ "Performance testing while under attack". hiawatha-webserver.org. 28 February 2014.
^ Zdrnja, Bojan (23 June 2009). "ISC Diary | Slowloris and Iranian DDoS attacks". Isc.sans.org. Retrieved 7 January 2012.
^ [1] Archived 29 June 2009 at the Wayback Machine
^ [2] Archived 11 August 2009 at the Wayback Machine
^ Vickery, Chris (6 March 2017). "Spammergate: The Fall of an Empire". MacKeeper Security Watch. Archived from the original on 6 March 2017.
^ Robert "RSnake" Hansen. "Slowloris" (PDF). SecTheory. Retrieved 7 January 2012.
^ "PyLoris". MotomaSTYLE. 19 June 2009. Archived from the original on 15 July 2009. Retrieved 7 January 2012.
^ "Slowloris rewrite in Python". Retrieved 10 May 2017.
^ valyala. "Slowloris for nginx DoS". Retrieved 4 February 2014.
^ "How to help take down gerdab.ir in 5 easy steps". cyberwar4iran. 28 June 2009. Retrieved 7 January 2012.
^ "Full Disclosure: apache and squid dos". Seclists.org. 19 June 2009. Retrieved 7 January 2012.
^ "Testing Web Servers for Slow HTTP Attacks". qualys.com. 19 September 2011. Retrieved 13 January 2012.
^ "shekyan/slowhttptest: Application Layer DoS attack simulator". GitHub. Retrieved 19 April 2017.
^ "Simple script to check if some server could be affected by Slowloris attack". github.com/felmoltor. 31 December 2012. Retrieved 31 December 2012.
^ abilash. "Slowloris for OSX". Retrieved 8 April 2017.
^ Davis, Ethan (17 February 2018), sloww: Lightweight Slowloris attack CLI in Node, retrieved 18 February 2018
^ Bassel Shmali. "Slowloris written in .Net core".

External links

[ha.ckers.org-1] "Slowloris HTTP DoS". Archived from the original on 26 April 2015. Retrieved 26 June 2009.{{cite web}}: CS1 maint: bot: original URL status unknown (link)

[2] "Archived copy" (PDF). Archived from the original (PDF) on 1 February 2014. Retrieved 15 May 2013.{{cite web}}: CS1 maint: archived copy as title (link)

[3] "How to best defend against a "slowloris" DOS attack against an Apache web server?". serverfault.com. Retrieved 28 December 2016.

[4] "Performance testing while under attack". hiawatha-webserver.org. 28 February 2014.

[5] Zdrnja, Bojan (23 June 2009). "ISC Diary | Slowloris and Iranian DDoS attacks". Isc.sans.org. Retrieved 7 January 2012.

[6] [1] Archived 29 June 2009 at the Wayback Machine

[7] [2] Archived 11 August 2009 at the Wayback Machine

[8] Vickery, Chris (6 March 2017). "Spammergate: The Fall of an Empire". MacKeeper Security Watch. Archived from the original on 6 March 2017.

[9] Robert "RSnake" Hansen. "Slowloris" (PDF). SecTheory. Retrieved 7 January 2012.

[10] "PyLoris". MotomaSTYLE. 19 June 2009. Archived from the original on 15 July 2009. Retrieved 7 January 2012.

[11] "Slowloris rewrite in Python". Retrieved 10 May 2017.

[12] valyala. "Slowloris for nginx DoS". Retrieved 4 February 2014.

[13] "How to help take down gerdab.ir in 5 easy steps". cyberwar4iran. 28 June 2009. Retrieved 7 January 2012.

[14] "Full Disclosure: apache and squid dos". Seclists.org. 19 June 2009. Retrieved 7 January 2012.

[15] "Testing Web Servers for Slow HTTP Attacks". qualys.com. 19 September 2011. Retrieved 13 January 2012.

[16] "shekyan/slowhttptest: Application Layer DoS attack simulator". GitHub. Retrieved 19 April 2017.

[17] "Simple script to check if some server could be affected by Slowloris attack". github.com/felmoltor. 31 December 2012. Retrieved 31 December 2012.

[18] sh. "Slowloris for OSX". Retrieved 8 April 2017.

[19] Davis, Ethan (17 February 2018), sloww: Lightweight Slowloris attack CLI in Node, retrieved 18 February 2018

[20] Bassel Shmali. "Slowloris written in .Net core".

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]

[14]

[15]

[16]

[17]

[18]

[19]

[20]