Bug#533661: Mitigating the Slowloris HTTP DoS attack

To: security@apache.org
Cc: h@ckers.org, 533661@bugs.debian.org
Subject: Bug#533661: Mitigating the Slowloris HTTP DoS attack
From: Andreas Krennmair <ak@synflood.at>
Date: Sat, 20 Jun 2009 17:14:40 +0200
Message-id: <[🔎] 20090620151440.GC29366@synflood.at>
Reply-to: Andreas Krennmair <ak@synflood.at>, 533661@bugs.debian.org

Hello everyone,

Recently, the Slowloris HTTP DoS attack[0] was published, an HTTP-basedDenial-of-Service attack against webservers that consumes resources by openinga big number of parallel connections and slowly sending incomplete requestsover them. This is a very effective way of DoSing a webserver withoutgenerating a lot of network traffic or putting a high load on the web serveritself, thus making it harder to detect compared to "traditional" DoS attacksagainst webservers. Apache 1.x and 2.2.x were shown to be vulnerable againstthis kind of attack.

The key concept of the Slowloris attack is slowly sending small parts of anHTTP request, while the HTTP request is never actually completed. In contrast,the great majority of legitimate HTTP clients try to send the complete HTTPrequest as quickly as possible. Given these assumptions, I developed a simplebut effective proof of concept patch that mitigates this issue in Apache2.2.11 (the latest stable 2.2 release) as far as possible.

This patch is available under the following URL:http://synflood.at/tmp/anti-slowloris.diff

The method my PoC patch follows is that it adapts the request timeoutsdepending on the current load on the webserver: it regularly computes a loadpercentage which describes the ratio of processes that currently process HTTPrequests to the total number of available processes (the PoC patch is preforkMPM only, but should be easily adaptable to the worker MPM, too). When theload percentage reaches certain thresholds, the total request timeout iscontinuously lowered. At a load of 96 % or higher, the request timeout is setto a maximum of 1 second (at higher loads even lower), which makes slowsenders quickly run into timeouts. This behaviour frees resources for quicksenders (which are assumed to be legitimate clients in this scenario). Inorder to work around this behaviour for an attacker, the delay between sendingpackets must be reduced, which defeats one of the main goals of the Slowlorisattack, namely keeping the overall "footprint" of network traffic low.

Even in the worst case (the attacker keeps its delay times very low, I testedit with slowloris.pl and a delay of 1 second, which already generates a lot oftraffic), legitimate requests are still being responded to correctly, eventhough request completion takes noticeably longer than usual. So, the patch isneither the final nor a perfect solution, but it is practical and demonstratesthat protection against the Slowloris attack can be achieved.


Regards,
Andreas Krennmair

References:
[0]: http://ha.ckers.org/slowloris/

Reply to:

Prev by Date: Bug#533757: apache2: ports.conf should not say name-based SSL virtual hosts are not supported
Next by Date: 4 Lovemaking Positions To Have A Bteter Sensual Lovemaking Experinece
Previous by thread: Bug#533757: marked as done (apache2: ports.conf should not say name-based SSL virtual hosts are not supported)
Next by thread: 4 Lovemaking Positions To Have A Bteter Sensual Lovemaking Experinece
Index(es):
- Date
- Thread