Slowloris is a type of DDoS (distributed denial of service) attack wherein the attacker seeks to overwhelm the targeted servers and cause downtime by continuously sending and maintaining several simultaneous and partial HTTP connections to the server.

Slowloris is attack software developed by Robert “RSnake” Hansen that enables even a single computer to orchestrate big DDoS attacks. Unlike other types of DDoS attacks, it uses very little bandwidth. It is considered to be a highly effective and equally dangerous attack type. It is effective against even the most popular web server software.

Due to its low bandwidth requirement, it is a cost-effective and inexpensive cyber-attack option, especially for hacktivists. Accordingly, there have been several high-profile server takedowns over the years and Slowloris will continue to be a potent tool for hacktivism in the future too.

One of the biggest Slowloris attacks and hacktivism incidents was in the 2009 Iran Presidential Elections when hacktivists from the country extensively used this software to attack and bring down government websites.

How does a Slowloris attack happen?

Slowloris, an application-layer attack, leverages the fact that there are web users who have slow network speeds and poor connectivity which makes their connection to the web application slow.

Slowloris works by opening several partial HTTP requests to the targeted web server and keeping these connections open simultaneously for as long as possible, without ever completing the requests. It even sends HTTP headers on a regular basis but still does not complete the requests. The attacked server, in turn, keeps each connection open, waiting for the request to be completed. Once the server's maximum concurrent connection pool is exhausted, legitimate connection requests are denied. The Slowloris attack thus succeeds and causes a denial of service.

What makes this attack-type highly effective and equally dangerous?

Slowloris software is designed for stealth and efficacy and plays the ‘low and slow’ game. It waits for sockets to be released by legitimate requests and consumes them one after another, even on a high-volume web application/website. On high-volume websites, thwarting it is possible only if it is detected and legitimate sessions are re-initiated.

Unlike other types of DDoS attacks which send malicious content or malformed packets, Slowloris sends partial HTTP requests which allow it to slip past traditional scanners and detection systems.

As mentioned earlier, it costs little to the attackers as Slowloris attacks require minimal bandwidth. The software empowers a single computer to bring down an entire high-profile server. This has made them the go-to for hacktivism.

This software can be altered to send different host headers and to store logs separately for each host if the target is a virtual host.

Slowloris is capable of suppressing log file creation during an attack which enables it to catch unmonitored web servers off-guard and slip past without creating red flags in the log file entries.

Ways to mitigate Slowloris

DDoS attack protection against a Layer 7 attack like Slowloris in vulnerable web servers is possible through the following 2 measures which mitigate and/or reduce the impact of the attack.

  1. Limit incoming requests based on usage factors: Access to the vulnerable web servers can be restricted based on certain usage factors such as maximum duration, number of connections that can be made from a single IP address, transfer speeds and so on. These techniques help reduce the effectiveness of Slowloris. For instance, by fixing a limit on the maximum duration a client can stay connected on a banking website, the site operator can severely restrict the effectiveness of a Slowloris attack. This is because the attacker will keep getting logged out after the set duration.
  2. Hire a DDoS protection service: By doing so, the business can put in place a comprehensive cybersecurity strategy and security measures that will go beyond individual measures and provide holistic security solutions against cyber-attacks including Slowloris.
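
The three usage limits named in measure 1 (maximum duration, connections per IP address, transfer speed), applied to a snapshot of open connections. This is an added example, not code from the original article or from AppTrana; the thresholds, the `Conn` record and the sample addresses are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed limits for illustration; tune them to the server's real traffic.
MAX_HEADER_SECONDS = 20    # maximum time allowed to finish the request headers
MAX_CONNS_PER_IP = 10      # maximum simultaneous connections from one address
MIN_BYTES_PER_SECOND = 50  # minimum transfer speed while headers are pending
GRACE_SECONDS = 5          # do not judge transfer speed on brand-new connections

@dataclass
class Conn:
    conn_id: int
    ip: str
    opened_at: float       # seconds, on the same clock as `now`
    bytes_received: int
    headers_complete: bool

def connections_to_drop(conns, now):
    """Return {conn_id: reason} for every connection that violates a limit."""
    drop = {}
    per_ip = defaultdict(list)
    for c in conns:
        per_ip[c.ip].append(c)
        if c.headers_complete:
            continue  # request fully received; only the per-IP cap applies
        age = now - c.opened_at
        if age > MAX_HEADER_SECONDS:
            drop[c.conn_id] = "header timeout"
        elif age > GRACE_SECONDS and c.bytes_received / age < MIN_BYTES_PER_SECOND:
            drop[c.conn_id] = "below minimum rate"
    # Per-address cap: keep the oldest MAX_CONNS_PER_IP, refuse the newer excess.
    for group in per_ip.values():
        group.sort(key=lambda c: c.opened_at)
        for c in group[MAX_CONNS_PER_IP:]:
            drop.setdefault(c.conn_id, "per-IP connection cap")
    return drop

def sample_snapshot():
    """Constructed sample data (documentation address ranges), taken at now=100."""
    conns = [
        Conn(1, "198.51.100.7", 99.0, 420, True),   # ordinary completed request
        Conn(2, "198.51.100.8", 90.0, 900, False),  # slow but progressing client
        Conn(3, "198.51.100.9", 90.0, 40, False),   # trickling a few bytes
    ]
    # One address holding 12 old, never-completed requests.
    conns += [Conn(100 + i, "203.0.113.5", 40.0 + i, 30, False) for i in range(12)]
    # One address with 11 fast, completed connections: one over the cap.
    conns += [Conn(200 + i, "192.0.2.9", 98.0 + i / 10, 500, True) for i in range(11)]
    return conns, 100.0
```

The slow but legitimate client (connection 2) is kept because it still meets the minimum rate, which is the distinction the usage limits are meant to draw.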

How does AppTrana provide DDoS attack protection against Slowloris?

AppTrana offers the industry’s only fully managed DDoS protection service wherein the power of cutting-edge technology is combined with the power of human expertise and intelligence of certified security professionals. It is a comprehensive security solution that is custom-built with surgical accuracy based on the needs and risk profile of the business.

AppTrana’s security services include infrastructure-level protection against volumetric Layer 3 and 4 attacks and always-on, instant protection against Layer 7 attacks by botnets and attack software like Slowloris on the application layer. AppTrana monitors websites and web applications 24×7 to detect anomalous activities, and the security experts continuously update the rules in real time based on alerts to mitigate DDoS attacks and ensure web application/website availability at all times.