Slowloris is a type of DDoS (distributed denial of service) attack wherein the attacker seeks to overwhelm the targeted servers and cause downtime by continuously sending and maintaining several simultaneous and partial HTTP connections to the server.
Slowloris is attack software developed by Robert “RSnake” Hansen that empowers even single computers to orchestrate big DDoS attacks. Unlike other types of DDoS attacks, it uses very minimal bandwidth. It is considered to be a highly effective and equally dangerous attack type. It is effective against even the most popular web server software.
Due to its low bandwidth requirement, it is a cost-effective and inexpensive cyber-attack option, especially for hacktivists. Accordingly, there have been several high-profile server takedowns over the years and Slowloris will continue to be a potent tool for hacktivism in the future too.
One of the biggest Slowloris attacks and hacktivism incidents was in the 2009 Iran Presidential Elections when hacktivists from the country extensively used this software to attack and bring down government websites.
Slowloris, an application-layer attack, leverages the fact that there are web users who have slow network speeds and poor connectivity which makes their connection to the web application slow.
Slowloris works by opening several partial HTTP requests to the targeted web server and keeping these connections open simultaneously for as long as possible, without ever completing the requests. It even sends HTTP headers on a regular basis but still does not complete the requests. The attacked servers, on the other hand, keep the connection open, waiting for each of the attack requests to be completed. Once the maximum server limit in terms of the concurrent connection pool is reached, the legitimate requests for connection will be denied. The Slowloris attack thus succeeds and causes a denial of service.
Slowloris software is designed for stealth and efficacy and plays the ‘low and slow’ game. It waits for sockets to be released by legitimate requests and consumes them one after another, even when the target is a high-volume web application/website. On high-volume websites, thwarting the attack is possible only if it is detected and legitimate sessions are re-initiated.
Unlike other types of DDoS attacks that send malicious content or malformed packets, Slowloris sends partial HTTP requests which allow it to slip past traditional scanners and detection systems.
As mentioned earlier, it costs little to the attackers as Slowloris attacks require minimal bandwidth. The software empowers a single computer to bring down an entire high-profile server. This has made them the go-to for hacktivism.
This software can be altered to send different host headers and separately store logs for each host if the target is a virtual host.
Slowloris is capable of suppressing log file creation during an attack which enables it to catch unmonitored web servers off-guard and slip past without creating red flags in the log file entries.
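The partial requests described above carry no malformed content and leave little in the log files while they stay open, so one way to spot them is from connection state rather than request content. The following is an added example, not code from the original article: the `Conn` record, the thresholds and the sample data are assumptions constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass
class Conn:                      # hypothetical snapshot record, one per open socket
    client: str                  # source address
    opened_at: float             # seconds on the server's clock
    bytes_received: int          # request bytes read so far
    headers_complete: bool       # True once the blank line ending the headers arrived

def find_slow_header_clients(conns, now, pool_size,
                             max_header_secs=10.0,   # assumed grace period
                             min_rate=50.0,          # assumed floor, bytes/second
                             per_client_limit=5):    # assumed stalled-socket limit
    """Return (share of the pool held by suspects, {client: stalled sockets})."""
    stalled = Counter()
    for c in conns:
        age = now - c.opened_at
        if c.headers_complete or age < max_header_secs:
            continue             # finished its headers, or still within the grace period
        if c.bytes_received / age < min_rate:
            stalled[c.client] += 1   # old, incomplete and trickling
    suspects = {ip: n for ip, n in stalled.items() if n >= per_client_limit}
    return sum(suspects.values()) / pool_size, suspects

# Constructed sample: an 8-slot pool observed at t=1000 (documentation addresses).
NOW, POOL_SIZE = 1000.0, 8
SAMPLE = (
    # six sockets open for two minutes, ~200 bytes each, headers never finished
    [Conn("203.0.113.7", NOW - 120, 200 + 8 * i, False) for i in range(6)]
    # a genuinely slow user: one stalled socket, below the per-client limit
    + [Conn("198.51.100.20", NOW - 30, 100, False)]
    # a normal request whose headers arrived in full
    + [Conn("192.0.2.15", NOW - 2, 640, True)]
)

if __name__ == "__main__":
    share, suspects = find_slow_header_clients(SAMPLE, NOW, POOL_SIZE)
    print(f"{share:.0%} of the pool held by {suspects}")
```

The per-client limit is what keeps the single slow but legitimate user out of the result while the client holding most of the pool is reported.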
DDoS attack protection against a Layer 7 attack like Slowloris in vulnerable web servers is possible through the following 2 measures which mitigate and/or reduce the impact of the attack.
AppTrana offers the industry’s only fully managed DDoS protection service wherein the power of cutting-edge technology is combined with the power of human expertise and intelligence of certified security professionals. It is a comprehensive security solution that is custom-built with surgical accuracy based on the needs and risk profile of the business.
AppTrana’s security services include infrastructure-level protection against volumetric Layer 3 and 4 attacks and always-on, instant protection against Layer 7 attacks by botnets and attack software like Slowloris on the application layer. AppTrana monitors websites and web applications 24×7 to detect anomalous activities, and the security experts continuously update the rules in real-time based on alerts to mitigate DDoS attacks and ensure web application/website availability at all times.
Founder & Chief Marketing Officer, Indusface
Venky has played multiple roles within Indusface for the past 6 years. Prior to this, as the CTO @indusface, Venky built the product/service offering and technology team from scratch and grew it from ideation to getting initial customers with a proven/validated business model poised for scale. Before joining Indusface, Venky had 10+ years of experience in the security industry and had held various mgmt/leadership roles in Product Development, Professional Services, and Sales @Entrust.