2. Resource Exhaustion – Slow DoS Attacks
Goal of Attacker:
• Exhaust pool of available TCP connections on server so that no new legitimate connections can be established
Types of Attacks:
• Slow Header Attacks
• Slow POST Attacks
• Slow Read Attacks
3. Slow Header Attacks
Sends HTTP headers very slowly and never completes the header send process.
4. Slow Header Attacks
Tools
• Slowloris (Pyloris, QSlowloris)
• OWASP HTTP Post Tool
• Slowhttptest
Who is Affected?
• Any server that does not have HTTP header timeouts (notably Apache 1.x/2.x)
How to Mitigate
• Web server settings (max conns, conns/IP, min bps/conn, max total transfer time)
• Switch to non-affected web server (e.g., IIS)
• Reverse proxy / SLB device
• CDNs – CDN edge nodes usually do not take action until all headers are read
5. Slow POST Attacks
Sends HTTP POST body very slowly and never completes the POST body process.
6. Slow POST Attacks
Tools
• R-U-Dead-Yet (RUDY)
• OWASP HTTP Post Tool
• Slowhttptest
Who is Affected?
• Any site that has forms (login, comments, feedback, etc.) and accepts HTTP POSTs
How to Mitigate
• Set max POST body size of each form
• Web server settings (max conns, conns/IP, min bps/conn, max total transfer time)
• WAF
7. WAF – Slow POST Additional Details
Inspection Buffer
• Usually up to 8KB by default is inspected
• If POST is larger than configured buffer, overrun content is uninspected and unmeasured
Best Practices
• Increase buffer size if POSTs larger than 8KB are expected
• Set max POST body size so that larger POSTs will be denied
Note: If max body size < buffer size then all content will be inspected
8. Slow Read Attacks
Keeps server sockets busy by throttling down the receipt of large HTTP responses.
9. Slow Read Attacks
Tools
• Slowhttptest
• Nkiller2
• Sockstress
Who is Affected?
• Any TCP-based application
How to Mitigate
• Web server settings (max conns, conns/IP, min bps/conn, max total transfer time)
• WAF
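
An added example (not from the original slides) of how the web server settings listed as a mitigation for all three attack types could be applied to a connection table: it checks conns/IP, min bps/conn and max total transfer time for each connection, leaving the server-wide max conns cap aside. The thresholds, the `Conn` record and the sample rows are assumptions constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass

# Assumed thresholds for illustration; tune against real traffic.
MAX_CONNS_PER_IP = 3       # conns/IP
MIN_BPS = 500              # min bytes/sec per connection
GRACE_SECONDS = 5          # do not judge the rate before this much time has passed
MAX_TRANSFER_SECONDS = 60  # max total transfer time

@dataclass
class Conn:
    conn_id: int
    client_ip: str
    phase: str        # "header", "body" (POST upload) or "response" (client reading)
    bytes_moved: int  # bytes moved so far in the current phase
    elapsed: float    # seconds spent so far in the current phase

def verdict(conn, per_ip):
    """Return the reason to close this connection, or None to keep it."""
    if per_ip[conn.client_ip] > MAX_CONNS_PER_IP:
        return "conns/IP exceeded"
    if conn.elapsed > MAX_TRANSFER_SECONDS:
        return f"max transfer time exceeded in {conn.phase} phase"
    if conn.elapsed >= GRACE_SECONDS and conn.bytes_moved / conn.elapsed < MIN_BPS:
        return f"below min rate in {conn.phase} phase"
    return None

def sweep(conns):
    """Map conn_id -> close reason for every connection that violates a limit."""
    per_ip = Counter(c.client_ip for c in conns)
    return {c.conn_id: r for c in conns if (r := verdict(c, per_ip))}

# Constructed sample connection table (documentation-range addresses).
SAMPLE = [
    Conn(1, "198.51.100.7", "header", 120, 30.0),          # slow header: 4 B/s
    Conn(2, "198.51.100.8", "body", 900, 45.0),            # slow POST: 20 B/s
    Conn(3, "198.51.100.9", "response", 4096, 40.0),       # slow read: ~102 B/s
    Conn(4, "203.0.113.5", "body", 2_000_000, 4.0),        # fast legitimate upload
    Conn(5, "203.0.113.6", "response", 50_000_000, 70.0),  # fast, but over the time cap
    *[Conn(10 + i, "192.0.2.44", "header", 4000, 2.0) for i in range(4)],  # 4 conns, one IP
]

if __name__ == "__main__":
    for cid, reason in sweep(SAMPLE).items():
        print(cid, reason)
```

The grace period keeps a connection that has only just opened from being judged on a rate measured over a fraction of a second.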