Slowloris (computer security)

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by 80.255.242.241 (talk) at 14:54, 2 November 2022. The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.


Affected web servers

This includes but is not necessarily limited to the following, per the attack's author:[1]

  • Apache 1.x and 2.x
  • dhttpd
  • Websense "block pages" (unconfirmed)
  • Trapeze Wireless Web Portal (unconfirmed)
  • Verizon's MI424-WR FIOS Cable modem (unconfirmed)
  • Verizon's Motorola Set-top box (port 8082 and requires auth - unconfirmed)
  • BeeWare WAF (unconfirmed)
  • Deny All WAF (patched)[2]
  • Flask (development server)

Because Slowloris exploits problems handling thousands of connections, the attack has less of an effect on servers that handle large numbers of connections well. Proxying servers and caching accelerators such as Varnish, nginx, and Squid have been recommended[3] to mitigate this particular kind of attack. In addition, certain servers are more resilient to the attack by way of their design, including Hiawatha,[4] IIS, lighttpd, Cherokee, and Cisco CSS.

Mitigating the Slowloris attack

While there are no reliable configurations of the affected web servers that will prevent the Slowloris attack, there are ways to mitigate or reduce the impact of such an attack. In general, these involve increasing the maximum number of clients the server will allow, limiting the number of connections a single IP address is allowed to make, imposing restrictions on the minimum transfer speed a connection is allowed to have, and restricting the length of time a client is allowed to stay connected.

In the Apache web server, a number of modules can be used to limit the damage caused by the Slowloris attack; the Apache modules mod_limitipconn, mod_qos, mod_evasive, mod_security, mod_noloris, and mod_antiloris have all been suggested as means of reducing the likelihood of a successful Slowloris attack.[1][5] Since Apache 2.2.15, Apache ships the module mod_reqtimeout as the official solution supported by the developers.[6]
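As an added example (not from the article or from the Apache project), the sketch below models two of the controls described above: a per-IP connection cap and a header-read deadline that grows with the bytes received, in the style of mod_reqtimeout's `header=20-40,MinRate=500` setting. The `Conn` and `Policy` types, the thresholds and the sample connections are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Conn:
    ip: str
    opened_at: float      # seconds on a monotonic clock
    header_bytes: int     # request-header bytes received so far
    headers_done: bool    # True once the blank line ending the headers arrived

@dataclass
class Policy:             # assumed thresholds, not recommendations from the article
    max_per_ip: int = 10    # connections a single IP may hold open
    base_timeout: int = 20  # seconds always allowed for the headers
    max_timeout: int = 40   # hard ceiling for the headers
    min_rate: int = 500     # every min_rate bytes received buys 1 extra second

def header_deadline(conn, policy):
    """Latest time by which the request headers must be complete."""
    earned = conn.header_bytes // policy.min_rate
    return conn.opened_at + min(policy.base_timeout + earned, policy.max_timeout)

def connections_to_drop(conns, now, policy=Policy()):
    """Return {index: reason} for every connection the policy would close."""
    drop, by_ip = {}, defaultdict(list)
    for i, c in enumerate(conns):
        if not c.headers_done and now > header_deadline(c, policy):
            drop[i] = "header-timeout"
        else:
            by_ip[c.ip].append(i)
    for idxs in by_ip.values():
        # Keep the oldest max_per_ip connections of each IP, close the excess.
        idxs.sort(key=lambda i: conns[i].opened_at)
        for i in idxs[policy.max_per_ip:]:
            drop[i] = "per-ip-limit"
    return drop

# Constructed connection table, observed at t = 100 s.
SAMPLE = (
    [Conn("198.51.100.7", 70.0, 60, False) for _ in range(12)]    # stalled for 30 s
    + [Conn("198.51.100.7", 95.0, 40, False) for _ in range(12)]  # fresh, within timeout
    + [Conn("203.0.113.5", 99.0, 420, True)]                      # normal completed request
    + [Conn("203.0.113.9", 75.0, 6000, False)]                    # slow link, sending steadily
)

def summarize(now=100.0):
    """Count the drops per reason for the sample table."""
    counts = defaultdict(int)
    for reason in connections_to_drop(SAMPLE, now).values():
        counts[reason] += 1
    return dict(counts)
```

The steadily sending client at 203.0.113.9 survives only because its 6000 received bytes extend its deadline; a fixed 20-second timeout would have closed it along with the stalled connections.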

Other mitigating techniques involve setting up reverse proxies, firewalls, load balancers or content switches.[7] Administrators could also change the affected web server to software that is unaffected by this form of attack. For example, lighttpd and nginx do not succumb to this specific attack.[1]

Notable usage

During the protests that erupted in the wake of the 2009 Iranian presidential election, Slowloris arose as a prominent tool used to leverage DoS attacks against sites run by the Iranian government.[8] The belief was that flooding DDoS attacks would affect internet access for the government and protesters equally, due to the significant bandwidth they can consume. The Slowloris attack was chosen instead, because of its high impact and relatively low bandwidth.[9] A number of government-run sites were targeted during these attacks, including gerdab.ir, leader.ir, and president.ir.[10]

A variant of this attack was used by spam network River City Media to force Gmail servers to send thousands of messages in bulk, by opening thousands of connections to the Gmail API with message sending requests, then completing them all at once.[11]

The program was also used on October 21st, 2022 by an unknown web user referred to by the handle “Neon Demon”, shutting down the servers behind Gazprom.com and Gazprom.ru, websites of the well-known Russian company Gazprom, starting at around 4:30 PM CST. Servers were offline for more than 2 weeks.

Similar software

Since its release, a number of programs have appeared that mimic the function of Slowloris while providing additional functionality, or running in different environments:[12]

  • PyLoris – A protocol-agnostic Python implementation supporting Tor and SOCKS proxies.[13]
  • Slowloris – A Python 3 implementation of Slowloris with SOCKS proxy support.[14]
  • Goloris – Slowloris for nginx, written in Go.[15]
  • slowloris – Distributed Golang implementation.[16]
  • QSlowloris – An executable form of Slowloris designed to run on Windows, featuring a Qt front end.[17]
  • An unnamed PHP version which can be run from a HTTP server.[18]
  • SlowHTTPTest – A highly configurable slow attacks simulator, written in C++.[19][20]
  • SlowlorisChecker – A Slowloris and Slow POST POC (Proof of concept). Written in Ruby.[21]
  • Cyphon – Slowloris for Mac OS X, written in Objective-C.[22]
  • sloww – Slowloris implementation written in Node.js.[23]
  • dotloris – Slowloris written in .NET Core.[24]
  • SlowDroid – An enhanced version of Slowloris written in Java, reducing the attack bandwidth to a minimum.[25]

References

  1. ^ a b c Cite error: The named reference ha.ckers.org was invoked but never defined (see the help page).
  2. ^ "Archived copy" (PDF). Archived from the original (PDF) on 1 February 2014. Retrieved 2013-05-15.
  3. ^ "How to best defend against a "slowloris" DOS attack against an Apache web server?". serverfault.com. Retrieved 2016-12-28.
  4. ^ "Performance testing while under attack". hiawatha-webserver.org. 28 February 2014.
  5. ^ "mod_noloris: defending against DoS". niq's soapbox. July 2009. Retrieved 7 January 2012.
  6. ^ "mod_reqtimeout - Apache HTTP Server". Httpd.apache.org. Retrieved 2013-07-03.
  7. ^ Breedijk, Frank (22 June 2009). "Slowloris and Nkiller2 vs. the Cisco CSS load balancer". Cupfighter.net. Archived from the original on 15 February 2012. Retrieved 7 January 2012.
  8. ^ Zdrnja, Bojan (23 June 2009). "ISC Diary | Slowloris and Iranian DDoS attacks". Isc.sans.org. Retrieved 7 January 2012.
  9. ^ [1] Archived 29 June 2009 at the Wayback Machine
  10. ^ [2] Archived 11 August 2009 at the Wayback Machine
  11. ^ Vickery, Chris (2017-03-06). "Spammergate: The Fall of an Empire". MacKeeper Security Watch. Archived from the original on 2017-03-06.
  12. ^ Robert "RSnake" Hansen. "Slowloris" (PDF). SecTheory. Retrieved 7 January 2012.
  13. ^ "PyLoris". MotomaSTYLE. 19 June 2009. Archived from the original on 15 July 2009. Retrieved 7 January 2012.
  14. ^ "Slowloris rewrite in Python". GitHub. Retrieved 10 May 2017.
  15. ^ valyala. "Slowloris for nginx DoS". GitHub. Retrieved 4 February 2014.
  16. ^ Tsankov, Ivaylo (2022-04-22), slowloris - Golang distributed Slowloris attack, retrieved 2022-04-24
  17. ^ "How to help take down gerdab.ir in 5 easy steps". cyberwar4iran. 28 June 2009. Retrieved 7 January 2012.
  18. ^ "Full Disclosure: apache and squid dos". Seclists.org. 19 June 2009. Retrieved 7 January 2012.
  19. ^ "Testing Web Servers for Slow HTTP Attacks". qualys.com. 19 September 2011. Retrieved 13 January 2012.
  20. ^ "shekyan/slowhttptest: Application Layer DoS attack simulator". GitHub. Retrieved 2017-04-19.
  21. ^ "Simple script to check if some server could be affected by Slowloris attack". github.com/felmoltor. 31 December 2012. Retrieved 31 December 2012.
  22. ^ abilash. "Slowloris for OSX". GitHub. Retrieved 8 April 2017.
  23. ^ Davis, Ethan (2018-02-17), sloww: Lightweight Slowloris attack CLI in Node, retrieved 2018-02-18
  24. ^ Bassel Shmali (28 November 2021). "Slowloris written in .Net core". GitHub.
  25. ^ Cambiaso, Enrico; Papaleo, Gianluca; Aiello, Maurizio (2014). "SlowDroid: Turning a Smartphone into a Mobile Attack Vector". International Conference on Future Internet of Things and Cloud: 405–410. doi:10.1109/FiCloud.2014.72. ISBN 978-1-4799-4357-9. S2CID 14792419.
