Slowloris DoS (Slow DoS) Vulnerability


A denial-of-service (DoS) attack aims to exhaust the resources of a service, such as bandwidth, CPU or memory, or to crash it outright, so that legitimate users can no longer reach the website or other Internet service.
Slowloris is a denial-of-service tool that lets a single attacker take down a web server with minimal bandwidth and few side effects on unrelated services and ports. The tool was written by Robert "RSnake" Hansen. Slowloris operates at Layer 7 (the Application Layer) of the OSI model.
It opens many connections to the target web server, sends a partial HTTP request on each, and then keeps sending further HTTP headers periodically without ever completing the request. An affected server keeps these connections open, so they fill its maximum concurrent connection pool and further connection attempts from clients are refused. A Slowloris DoS, also known as a slow DoS attack, is a real threat to a server. The first step is to understand how this type of attack works and what effect it can have on your server.

Why Slow DoS is a problem:

  • These connections generally look like legitimate user connections, so the bogus connections are hard to distinguish from genuine ones.
  • Customary rate-based detection techniques are not well suited to detecting these attacks.
  • IPS/IDS that rely on signatures will in general not recognise them either.
  • This kind of attack needs few resources and very little bandwidth to execute.

How a Slow DoS attack works: A slow HTTP DoS attack relies on the fact that a web server will readily accept client requests that arrive slowly and incompletely. The attacker looks for this loophole in how the protocol is handled. The invader's aim is to send requests that look genuine but keep the server's resources busy handling them for as long as possible. If the attacker opens enough such requests, the server stops responding to anyone else.
Impact of Slow DoS: A slow DoS attack results in genuine users being denied service by the web server. This means lost revenue and a negative image for the organisation. Clients lose trust because the server is unavailable and they cannot access the data they need, which translates into loss for the company.

POC: We can test whether a web server is vulnerable to slow DoS by using an nmap script.
Script used: nmap --script=http-slowloris-check.nse <vulnerable server IP>

To test and perform this attack, use the tool slowhttptest. It opens and maintains a configurable number of slow connections to the target server and reports the server's limits and weaknesses.
Cmd: slowhttptest -c 4090 -H -g -o my_header_stats -i 10 -r 200 -t GET -u <Vulnerable URL> -x 24 -p 3

MITIGATION: The first line of defence against Slowloris is a hardware load balancer with SSL offload that performs delayed binding (the balancer waits for the complete request before handing the connection to the backend server).
NetFilter can be used to limit the rate of incoming connections from a particular host, and the Apache module mod_antiloris can be deployed for prevention.
Drop connections that use HTTP methods the URL does not support.
Set a minimum incoming data rate and drop any connection that falls below it.
For more mitigation options see the following reference: https://www.funtoo.org/Slowloris_DOS_Mitigation_Guide
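As an added illustration (not code from this post, nor from Apache, mod_antiloris or any tool named above), the following Python models the last mitigation: a header-read deadline that each received byte extends by only 1/min_rate seconds, capped by a hard maximum, so a client trickling one header line every ten seconds is closed while a normal client completes. The policy numbers and the two constructed clients are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class HeaderPolicy:
    initial: float = 20.0     # seconds granted before the first header byte arrives (assumed)
    maximum: float = 40.0     # hard cap on the whole header phase, whatever the rate (assumed)
    min_rate: float = 500.0   # bytes/second a client must sustain after that (assumed)

@dataclass
class Conn:
    cid: str
    opened: float             # time the TCP connection was accepted
    policy: HeaderPolicy
    buf: bytes = b""
    complete: bool = False
    deadline: float = field(init=False)
    def __post_init__(self):
        self.deadline = self.opened + self.policy.initial

    def feed(self, now: float, chunk: bytes) -> str:
        """Account for a received chunk; returns 'complete', 'open' or 'drop'."""
        if now > self.deadline:          # too slow: the server should close this socket
            return "drop"
        self.buf += chunk
        if b"\r\n\r\n" in self.buf:      # blank line: the header block is finished
            self.complete = True
            return "complete"
        # every byte received buys 1/min_rate seconds more, but never past the hard cap
        self.deadline = min(self.deadline + len(chunk) / self.policy.min_rate,
                            self.opened + self.policy.maximum)
        return "open"

def sweep(conns, now: float):
    """Ids of connections still in the header phase past their deadline (to be closed)."""
    return sorted(c.cid for c in conns if not c.complete and now > c.deadline)

def run_scenario():
    """Constructed traffic: one Slowloris-style client and one normal client (assumed data)."""
    policy = HeaderPolicy()
    slow = Conn("slow", opened=0.0, policy=policy)
    normal = Conn("normal", opened=5.0, policy=policy)
    events = [
        (0.0, slow, b"GET / HTTP/1.1\r\nHost: example.test\r\n"),
        (5.1, normal, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
        (10.0, slow, b"X-a: b\r\n"),   # one header line every 10 s, never the blank line
        (20.0, slow, b"X-a: b\r\n"),
        (30.0, slow, b"X-a: b\r\n"),
    ]
    log = [(t, c.cid, c.feed(t, data)) for t, c, data in events]
    return log, sweep([slow, normal], now=25.0)
```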
