What is Slowloris?
Developed by Robert “RSnake” Hansen, Slowloris is DDoS attack software that enables a single computer to take down a web server. Due the simple yet elegant nature of this attack, it requires minimal bandwidth to implement and affects the target server’s web server only, with almost no side effects on other services and ports.
Slowloris has proven highly-effective against many popular types of web server software, including Apache 1.x and 2.x.
Over the years, Slowloris has been credited with a number of high-profile server takedowns. Notably, it was used extensively by Iranian ‘hackivists’ following the 2009 Iranian presidential election to attack Iranian government web sites.
Slowloris works by opening multiple connections to the targeted web server and keeping them open as long as possible. It does this by continuously sending partial HTTP requests, none of which are ever completed. The attacked servers open more and connections open, waiting for each of the attack requests to be completed.
Periodically, the Slowloris sends subsequent HTTP headers for each request, but never actually completes the request. Ultimately, the targeted server’s maximum concurrent connection pool is filled, and additional (legitimate) connection attempts are denied.
By sending partial, as opposed to malformed, packets, Slowloris can easily slip by traditional Intrusion Detection systems.
Named after a type of slow-moving Asian primate, Slowloris really does win the race by moving slowly and steadily. A Slowloris attack must wait for sockets to be released by legitimate requests before consuming them one by one.
For a high-volume web site, this can take some time. The process can be further slowed if legitimate sessions are reinitiated. But in the end, if the attack is unmitigated, Slowloris—like the tortoise—wins the race.
If undetected or unmitigated, Slowloris attacks can also last for long periods of time. When attacked sockets time out, Slowloris simply reinitiates the connections, continuing to max out the web server until mitigated.
Designed for stealth as well as efficacy, Slowloris can be modified to send different host headers in the event that a virtual host is targeted, and logs are stored separately for each virtual host.
More importantly, in the course of an attack, Slowloris can be set to suppress log file creation. This means the attack can catch unmonitored servers off-guard, without any red flags appearing in log file entries.
Methods of mitigation
Imperva’s security services are enabled by reverse proxy technology, used for inspection of all incoming requests on their way to the clients’ servers.
Imperva’s secured proxy will not forward any partial connection requests—rendering all Slowloris DDoS attack attempts completely and utterly useless.
Learn more about Imperva DDoS Protection services.