Post by liam on Jun 4, 2016 22:26:09 GMT
What the attack is
Slowloris is a type of denial of service attack invented by Robert "RSnake" Hansen which allows a single machine to take down another machine's web server with minimal bandwidth and side effects on unrelated services and ports.
Slowloris tries to keep many connections to the target web server open and hold them open as long as possible. It accomplishes this by opening connections to the target web server and sending a partial request. Periodically, it will send subsequent HTTP headers, adding to—but never completing—the request. Affected servers will keep these connections open, filling their maximum concurrent connection pool, eventually denying additional connection attempts from clients.
Affected web servers
This affects a number of webservers that use threaded processes and set a limit on the number of threads/processes that can be automatically spawned in order to keep from exhausting the memory on the server. This limit is intended to keep the server from slowing down due to lack of memory on the machine, but under this particular attack, the solution of the "use too much memory" problem is maliciously leveraged to cause an "all the permitted threads are busy" problem.
The server says "well, I can't start too many threads, or I will run out of memory. I will therefore set a limit, say, 200, and refuse to start more threads if I have 200 currently serving a request." The attacker says "Ok, fine...I'll just submit 200 requests that talk to the server in a deliberately slow way, taking up all the lines you made available."
This includes but is not necessarily limited to the following:
Apache 1.x
Apache 2.x
dhttpd
WebSense "block pages" (unconfirmed)
Trapeze Wireless Web Portal (unconfirmed)
Verizon's MI424-WR FIOS Cable modem (unconfirmed)
Verizon's Motorola Set-top box (port 8082 and requires auth - unconfirmed)
BeeWare WAF (unconfirmed)
Deny All WAF (patched)
Because Slowloris exploits problems handling thousands of connections, the attack has less of an effect on servers that handle large numbers of connections well:
Hiawatha
IIS
lighttpd
Squid
NGINX
Cherokee
Cisco CSS
Varnish
Mitigating the Slowloris attack
While there are no reliable configurations of the affected web servers that will prevent the Slowloris attack, there are ways to mitigate or reduce the impact of such an attack. In general these involve increasing the maximum number of clients the webserver will allow, limiting the number of connections a single IP address is allowed to make, imposing restrictions on the minimum transfer speed a connection is allowed to have, and restricting the length of time a client is allowed to stay connected.
In the Apache web server, a number of modules can be used to limit the damage caused by the Slowloris attack; the Apache modules mod_limitipconn, mod_qos, mod_evasive, mod_security, mod_noloris, and mod_antiloris have all been suggested as means of reducing the likelihood of a successful Slowloris attack. Since Apache 2.2.15, Apache ships the module mod_reqtimeout as the official solution supported by the developers.
Other mitigating techniques involve setting up reverse proxies, firewalls, load balancers or content switches. Administrators could also change the affected web server to software that is unaffected by this form of attack. For example, lighttpd and nginx do not succumb to this specific attack.
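Added example, not code from the post above or from the Apache project: a small Python replay of what mod_reqtimeout's header-phase deadline does to a Slowloris connection versus a normal one. The traces are constructed, not captured traffic; the 20-40 second window and 500 bytes/second minimum rate are Apache's documented example values for RequestReadTimeout; and the worker-pool model is simplified to one worker per connection with every attacker connection opened at the same instant.

```python
"""Why a header-read deadline defeats Slowloris: replay one connection's header
bytes against a RequestReadTimeout-style policy and see when the worker is freed.

Added example, not code from the forum post or from Apache. Traces are constructed;
the pool model is deliberately simple (one worker per connection, attackers all
connect at t=0).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

Event = Tuple[float, bytes]  # (seconds since the connection opened, bytes received)


@dataclass(frozen=True)
class HeaderTimeout:
    """Models 'RequestReadTimeout header=<initial>-<maximum>,MinRate=<bytes/s>':
    the client gets `initial` seconds to finish its headers; every chunk received
    extends the deadline by len(chunk)/min_rate seconds, but never past `maximum`."""
    initial: float
    maximum: float
    min_rate: float


# Apache's documented example values for mod_reqtimeout's header phase.
APACHE_EXAMPLE = HeaderTimeout(initial=20.0, maximum=40.0, min_rate=500.0)


def read_headers(trace: List[Event], policy: Optional[HeaderTimeout]) -> Tuple[str, float]:
    """Replay one connection's header bytes against `policy`.

    Returns ("complete", t) when the blank line ending the headers arrives at t,
    ("timeout", deadline) when the deadline passes first, or, with policy=None
    (a server that waits forever, the behaviour Slowloris relies on),
    ("hung", t_last) where t_last is when the attacker sent its last byte.
    """
    buf = b""
    deadline = None if policy is None else policy.initial
    for t, chunk in trace:
        if deadline is not None and t > deadline:
            return ("timeout", deadline)  # worker released; real Apache answers 408
        buf += chunk
        if b"\r\n\r\n" in buf:
            return ("complete", t)
        if deadline is not None:
            deadline = min(deadline + len(chunk) / policy.min_rate, policy.maximum)
    if deadline is None:
        return ("hung", trace[-1][0])
    return ("timeout", deadline)


# Constructed trace: a normal browser finishes its headers in a fraction of a second.
LEGIT_TRACE: List[Event] = [
    (0.05, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"),
    (0.20, b"User-Agent: Mozilla/5.0\r\nAccept: text/html\r\n\r\n"),
]


def slowloris_trace(duration: float, interval: float = 10.0) -> List[Event]:
    """Constructed Slowloris-style connection: a partial request, then one filler
    header every `interval` seconds for `duration` seconds, never the blank line."""
    events: List[Event] = [(0.0, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n")]
    t = interval
    while t <= duration:
        events.append((t, b"X-a: b\r\n"))
        t += interval
    return events


def free_workers_at(t: float, max_workers: int, attacker_conns: int,
                    attacker_trace: List[Event], policy: Optional[HeaderTimeout]) -> int:
    """Workers still free at time t when `attacker_conns` slow connections, all
    opened at t=0, each hold one worker until the server stops waiting on them."""
    _, released = read_headers(attacker_trace, policy)
    held = attacker_conns if t <= released else 0
    return max(0, max_workers - held)


if __name__ == "__main__":
    attack = slowloris_trace(duration=600.0)
    for label, policy in (("no header timeout", None),
                          ("header=20-40,MinRate=500", APACHE_EXAMPLE)):
        print(f"{label}:")
        print("  legitimate client ->", read_headers(LEGIT_TRACE, policy))
        print("  slowloris client  ->", read_headers(attack, policy))
        print("  free workers at t=30s, 200 attacker connections against a pool of 200:",
              free_workers_at(30.0, 200, 200, attack, policy))
```

With no deadline the 200 slow connections hold all 200 workers for as long as the attacker keeps sending filler headers, which is exactly the pool exhaustion the post describes; with the 20-40 second window every one of them is cut off shortly after 20 seconds, while the legitimate client is unaffected because it completes its headers in 0.2 seconds. The corresponding Apache directive is RequestReadTimeout header=20-40,MinRate=500; the real module also covers the request body phase, which this simulation does not model.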