Of course, other techniques for preventing and mitigating slow HTTP DoS attacks exist, for example involving the use of load balancers and iptables. Following are descriptions of three of the most popular and easiest to implement techniques. Preventing and Mitigating Slow HTTP Attacks in the Apache HTTP ServerĪ number of techniques exist for preventing and mitigating slow HTTP DoS attacks in the Apache HTTP server. When running a scan on a website that is vulnerable to a slow HTTP DoS attack, an alert is raised that looks similar to the following one: The Acunetix Web Vulnerability Scanner is capable of identifying slow HTTP vulnerabilities such as CVE-2007-6750.
They are not effective against event-based web servers such as nginx and lighttpd, which are built to handle large numbers of concurrent connections. Slow HTTP DoS attacks are only effective against thread-based web servers such as Apache, dhttpd, or Microsoft IIS. Identifying and Mitigating Slow HTTP Attacks The HTTP request will seem legitimate to the IDS. To make matters worse, a slow HTTP DoS attack is not commonly detected by Intrusion Detection Systems (IDS) because it does not contain any malformed requests. While some thread-based servers such as Apache use a timeout when they wait for incomplete HTTP requests, it is set to 300 seconds by default and reset as soon as the client sends the rest of the data. A slow HTTP DoS attack takes advantage of this by never sending a finishing blank line to complete the HTTP header. The HTTP protocol defines a blank line as the completion of a header. Similar to text editors, an HTTP request uses a at the end of a line to start a fresh line and two sequences to denote a blank line.
The CRLF ( Carriage Return + Line Feed) is a sequence of non-printable characters that is used to denote the end of a line.
User-Agent: Mozilla/5.0 (Windows NT 6.1 WOW64) AppleWebKit/537.36 (KHTML, like Gecko) A complete HTTP GET request resembles the following: GET /index.php HTTP/1.1 How it worksĪn analysis of an HTTP GET request helps further explain how and why a slow HTTP DoS attack is possible. This breed of DoS attack is different from other DoS/DDoS attacks such as SYN flood attacks, which misuse the TCP SYN (synchronization) segment during a TCP three-way handshake.
This technique lets an attacker consume server resources and restrict access using very little bandwidth. Naturally, if an attacker occupies all available HTTP connections for a web server and keeps them busy waiting, legitimate connections cannot be processed by the server and this causes a denial of service. If the attacker keeps every HTTP request open and feeds the server bogus data before the timeout is reached, the HTTP connection will remain open until the attacker closes it. In a slow HTTP POST attack, the attacker declares a large amount of data to be sent in an HTTP POST request and then sends it very slowly.Ī malicious user can open many connections to the server by initiating HTTP requests but not closing them. A variation of this vulnerability is the slow HTTP POST vulnerability. It takes advantage of a vulnerability in thread-based web servers, which wait for entire HTTP headers to be received before releasing the open connection. A slow HTTP Denial of Service attack (DoS), otherwise referred to as the Slowloris HTTP attack, makes use of HTTP GET requests to occupy all available HTTP connections permitted by a web server.