SLOWLORIS: HTTP DOS(Denial Of Service)attack and prevention
A DDOS(Distributed Denial of Service) attack is one of the major problem, that organizations are dealing with today.
Such a kind of attack is very difficult to mitigate, especially for small organizations with small infrastructure. The main difficulty in dealing with DDOS attack is the fact that, traditional firewall filtering rules does not play well. The main reason behind this problem is that, most of the time the attacking machines(machine's that take part in a DDOS attack, and becomes part of a bot-net) are large in number and are from diverse geographical locations.
And one major point is that the request type mostly used to take down a service appears legitimate, but the large magnitude of requests will make the service offline for legitimate requests.
A recent attack tool revealed in 2009 by RSnake gained a lot of popularity in security forum's and groups. The main reason is the fact that, this tool requires no bandwidth to launch an attack.
The basic idea behind the tool revealed by RSnake is that it only affects the targeted http service, without affecting other services that's running on the server.
The name "SLOWLORIS" does fit perfect for the tool, due to the simple fact, that it can single handedly takedown a web server by slowly by consuming all connections on the server.
To understand how this tool, works i will recommend to read my post on "HTTP request and response" before going ahead with this, because a basic understanding of HTTP working is very much necessary for this.
Traditional DDOS attack tools and methods target to consume the system resources by opening too much TCP connections to the server. However SLOWLORIS is not a TCP DOS attack tool, but a http DOS attack tool.
Slowlos works by making partial http connections to the host(but the TCP connections made by slowloris during the attack is a full connection which is a legitimate tcp connection.)
Slowloris tries to keep an http session active continuously for a long period of time. Its a very well known fact that, web server's like Apache works on a threaded or a process based model. Due to which the server will become unavailable for new requests, if all the threads, or processes of a web server are consumed.
Which web-server's are affected by slowloris attack?
Apache (1.x & 2.x)
dhttpd
Goahead web server
Web server's that work on an event based architecture like nginx are not affected by a slowloris attack.
It seems that IIS is also is not affected by a slowloris attack(although not tested by us).
How does slowloris http dos attack work?
An in depth understanding of http request and response is very much necessary to comprehend this attack tool.
Because it exploits a vulnerability in the web server(which was purposely made by the authors for different advantages like serving requests for a slow connection ) which wait for a complete header to be received.
Apache & some other web server's have a mechanism of timeout. An Apache web server will wait for this specified timeout duration for the completion of a request( if the request was incomplete ).
This timeout value is by default 300 seconds, but is modifiable. This timeout value is very much useful if a website serve's large files for download through http(because it maintains an active http connection of a slow client without breaking the download).
But imagine a situation if somebody purposely send partial http requests and reset the timeout counter of each request by sending some bogus data very frequently.
That's exactly what slowloris does. It sends partial http request with bogus header's. Once all connections are consumed by sending partial requests, it keeps on maintaining the connection's by sending request data and reseting the timout counter.
A complete GET request looks like something below.
GET / HTTP/1.0[CRLF]
User-Agent: Wget/1.10.2 (Red Hat modified)[CRLF]
Accept: */*[CRLF]
Host: 192.168.0.103[CRLF]
Connection: Keep-Alive[CRLF][CRLF]
What are those CRLF in that get request?
CRLF stands for CR (Carriage Return) and LF (Line Feed). This character is an entity which is non printable, used to denote end of the line.
Even when you are typing on a text editor the editor puts a CRLF at the end of a line when you want a new line after that.
And two CRLF characters together is used to denote a blank line.
In the above shown GET request there are two CRLF characters at the end of the "Connection"header(which means a blank line). In http protocol, a blank line after the header's is used to represent the completion of the header.
Slowloris tool takes advantage of this in implementing its attack. It does not send a finishing blank line, which indicates the end of the http header.
Some web server's give higher priority to those requests which are complete in its header's. This is the reason why IIS is not affected by a slowloris attack.
An incomplete request send by the slowloris script is shown below. This below snippet is taken from the slowloris script
"GET /$rand HTTP/1.1\r\n"
. "Host: $sendhost\r\n"
. "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)\r\n"
. "Content-Length: 42\r\n";
In the above snippet shown \r\n is used to denote carriage return and newline in perl. Two consecutive "\r\n\r\n", should be there to denote a blank line, which is not there. So thats an incomplete header in HTTP.
Slowloris perl script http dos attack and its usage
You can find the slowloris script from ha.ckers.org
Copy the script and run it against any of your web server for testing. Most of the apache web server's are vulnerable against this kind of an attack.
The usage of the script is quite simple as shown below.
[root@localhost ~]# ./slowloris.pl -dns www.example.com
How to prevent/protect/mitigate a slowloris attack?
1. Use Hardware Load Balencers that accepts only full http connections.
Using hardware load balencer's with an http profile configured will be the best method to stop such an attack.
Because the loadbalencer will inspect the packet's and will forward only those http request to the web server which are complete.
If you are using a F5 based BIG-IP Load Balencer i recommend reading the below link for mitigating slowloris attacks.
Mitigate Slowloris on BIG-IP F5 Load Balencer
Other Load balencer's like the below ones also can be configured with http profile to mitigate such an attack
Citrix NetScaler
Cisco CSS
2. Protect your web server by using IPtables by limiting connections from a particular host
You can certainly limit the number of connections with the help of iptables to port 80. For example if suppose i want to block
iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 30 -j DROP
3. Configure the timeout directive in apache
Although this is not at all a good solution, you can still increase the rate with which your web server will reap inactive connections.
You can simply modify the timout directive in /etc/httpd/conf/httpd.conf file.
Reducing it to a lower value will atleast make the attack difficult(but still the attack can take down the server, by increasing the number of requests)
This is not at all a good solution.
4.mod_antiloris apache module
Another good solution that i tested is an apache module called as mod_antiloris. This module can be installed using the below steps.
[root@localhost ~]# wget http://sourceforge.net/projects/mod-antiloris/files/mod_antiloris-0.4.tar.bz2/download
[root@localhost ~]# tar -xvjf mod_antiloris-0.4.tar.bz2
mod_antiloris-0.4/
mod_antiloris-0.4/ChangeLog
mod_antiloris-0.4/mod_antiloris.c
[root@localhost ~]# cd mod_antiloris-0.4
[root@localhost mod_antiloris-0.4]# apxs -a -i -c mod_antiloris.c