22.1 Slowloris Attack Basic Concept
A web server processes a request by parsing the HTTP request header that arrives from the client, and it closes the connection after the response has been sent. The web server limits the number of clients that may be connected at the same time so that system resources, including all physical and logical devices such as the CPU, memory, HDD and the other resources managed inside the web server, are used efficiently. A Slowloris Attack is a technique that forces a system out of service by driving the number of connections the web server allows up to that maximum and holding them there.
If a service request is normal, the service completes within a few seconds and the connection is then closed. A DoS attack such as an HTTP Flood requires a number of zombie PCs to issue a large number of service requests. A Slowloris Attack, however, is a powerful attack that can paralyze the web server using only one PC. Web server logs, which are used to analyze many such attacks, are written only once the request header has been read to completion. In a Slowloris Attack, malformed header data is transmitted to the web server so that the header is never fully parsed, and the request therefore leaves no footprint in the log file. This makes the attack difficult to detect.
Figure 22-1 Basic Concepts of the Slowloris Attack
A normal HTTP header is terminated by “\r\n\r\n”. When the web server finds “\r\n\r\n”, it parses the header and processes the request. The headers used in a Slowloris Attack generally end only with “\r\n”. Because the web server cannot find the end of the header, it cannot parse the header and keeps the connection in an open state. After the attack starts, the web server can be disabled within minutes.
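The parsing rule described above, as an added example that is not code from the book or from the pyloris project: a small in-memory model of how a server decides that a header block is complete, and of how a header-read timeout (a common server setting, assumed here as the mitigation) frees connection slots that would otherwise stay occupied by requests whose header never ends. The ToyServer class, its 2-slot pool, the 20-second timeout and the sample addresses are all constructed for illustration.

```python
"""Added example (not from the book or from pyloris): an in-memory model of how
a web server decides an HTTP header block is complete, and how a header-read
timeout frees the slot held by a connection that keeps sending header lines
ending in a single CRLF without ever sending the blank line. ToyServer, the
2-slot pool, the 20-second timeout and the addresses are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional

HEADER_END = b"\r\n\r\n"   # the blank line that terminates the header block


def header_complete(buf: bytes) -> bool:
    """The server may parse the header only once CRLF CRLF has been received."""
    return HEADER_END in buf


@dataclass
class Connection:
    peer: str
    opened_at: float                                   # simulated clock, seconds
    received: bytearray = field(default_factory=bytearray)

    def feed(self, data: bytes) -> None:
        self.received += data


class ToyServer:
    """A fixed pool of connection slots with an optional header-read timeout."""

    def __init__(self, max_connections: int, header_timeout: Optional[float]):
        self.max_connections = max_connections
        self.header_timeout = header_timeout           # None: wait forever (the weak setting)
        self.active: List[Connection] = []

    def accept(self, peer: str, now: float) -> bool:
        if len(self.active) >= self.max_connections:
            return False                               # pool exhausted, client refused
        self.active.append(Connection(peer, now))
        return True

    def tick(self, now: float) -> dict:
        """Serve connections with complete headers; drop those past the timeout."""
        served = dropped = 0
        keep = []
        for conn in self.active:
            if header_complete(conn.received):
                served += 1                            # parse, respond, close
            elif self.header_timeout is not None and now - conn.opened_at >= self.header_timeout:
                dropped += 1                           # header never finished, slot freed
            else:
                keep.append(conn)                      # still waiting for the blank line
        self.active = keep
        return {"served": served, "dropped": dropped, "active": len(self.active)}


def simulate(header_timeout: Optional[float]):
    """Constructed scenario: two connections open at t=0 and trickle header lines
    ending in CRLF only; a normal client arrives at t=30.
    Returns (normal_client_accepted, stats_after_final_tick)."""
    server = ToyServer(max_connections=2, header_timeout=header_timeout)
    for peer in ("198.51.100.10", "198.51.100.11"):    # constructed TEST-NET-2 addresses
        server.accept(peer, now=0.0)
        server.active[-1].feed(b"GET / HTTP/1.1\r\nHost: www.example.test\r\n")
    for t in (10.0, 20.0):                             # one more header line, still no blank line
        for conn in server.active:
            conn.feed(b"X-Pad: %d\r\n" % int(t))
        server.tick(now=t)
    accepted = server.accept("203.0.113.5", now=30.0)  # ordinary client
    if accepted:
        server.active[-1].feed(b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n")
    return accepted, server.tick(now=30.0)


if __name__ == "__main__":
    print("no header timeout :", simulate(None))        # client refused, both slots still held
    print("20 s header timeout:", simulate(20.0))       # slow connections dropped, client served
```

Running the script shows the two settings side by side: with no timeout the ordinary client is refused and both slots remain held, while with a 20-second header-read timeout the incomplete connections are dropped at t=20 and the ordinary client is served.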
22.2 Slowloris Attack Execution
22.2.1 Installing the pyloris Module
The Slowloris Attack was first implemented as a Perl script. Python provides a module called “pyloris” for detecting web server and firewall vulnerabilities. First, download the module from “http://sourceforge.net/projects/pyloris/”. No installation process is needed: simply unzip the file and move it to the working directory of the command prompt in Windows. Attacks can then be performed easily with a simple command.
22.2.2 pyloris Module Execution
Unzip the downloaded file in the “C:\” directory. Let’s move to the “pyloris” directory and run the following command.
Figure 22-2 pyloris Module Execution
The pyloris module provides a UI divided into “General”, “Behavior”, “Proxy”, and “Request Body”. The sections relevant to the Slowloris Attack are “General” and “Behavior”.
Figure 22-3 pyloris Module Execution
The “General” area (1) specifies the target server and port. Here we specify the server PC using port 80. The “Behavior” area (2) contains the settings that control how the attack runs. The “Request Body” area (3) shows the content of the HTTP request that is to be sent to the target server. When all settings have been completed, click the “Launch” button (4) to start the attack.
The role of each Behavior setting is as follows.
• Attack Limit: Specify the total number of connections (current + ended) that may be generated in one session.
• Connection Limit: Specify the total number of connections that can be used at the same time in one session.
• Thread Limit: Determine the total number of threads that can operate in one session.
• Connection Speed: Specify the speed of each connection. The unit is bytes/second.
• Time between thread spawns: Specify the time delay between thread creations.
• Time between connections: Specify the time delay between socket connection attempts.
Let's run the attack by clicking the “Launch” button. The result screen is divided into two regions. The “Log” area shows the log of the program executing the attack. The “Status” area indicates the status of the attacks currently running: “Attacks” indicates the number of connections currently in use, and “Threads” the number of threads created so far.
Figure 22-4 pyloris Launch Status
One minute after the attack has started, the network status of the server PC can be monitored by simply opening the command prompt in Windows and entering the “netstat -n -p TCP” command. The following shows the current TCP connection state.
Figure 22-5 Server PC Network Status
The number of currently active connections produces an excessive amount of output, so the exact count can be obtained with the following command. The result of the “netstat -n -p tcp | find /c "TCP"” command matches the number of attacks shown in the “Status” area of the pyloris program. Usually more than 300 results are reported, which is enough to put the web service on port 80 into an out-of-service state.
Figure 22-6 Webservice Call Result
To end the test, click the “Stop Attack” button in the “Status” area. After all of the connections have been terminated, the web server returns to normal service. A primary defense is to increase the maximum number of connections or to limit the number of connections allowed from a single IP address. A secondary defense is to install a security device that inspects Layer 7, such as a web application firewall, to block the inflow of malformed headers.
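The raw connection count taken from netstat above and the per-IP connection limit named as a primary defense can be combined into one check. The following is an added example, not code from the book or from pyloris: it parses the four-column output of the Windows “netstat -n -p TCP” command as the chapter uses it, reproduces the total TCP line count that the find /c pipeline gives, and then breaks that total down by remote address so that a single source holding an unusual number of connections to port 80 stands out. The SAMPLE_NETSTAT text, the addresses in it and the threshold of 10 are constructed for illustration; a real threshold has to be tuned to the site's normal traffic.

```python
"""Added example (not from the book or from pyloris): parse the output of the
Windows “netstat -n -p TCP” command, reproduce the total TCP line count the
chapter obtains with find /c, and break it down per remote address so that
one peer holding an unusual number of connections to port 80 stands out.
SAMPLE_NETSTAT, the addresses and PER_IP_THRESHOLD are constructed."""
from collections import Counter, namedtuple
import subprocess

Conn = namedtuple("Conn", "local_ip local_port remote_ip remote_port state")

PER_IP_THRESHOLD = 10   # assumed per-source limit; tune to the site's normal traffic

# Constructed netstat output: one peer (198.51.100.7) holds 12 connections to
# port 80; everything else is ordinary background traffic.
SAMPLE_NETSTAT = "\n".join(
    ["", "Active Connections", "",
     "  Proto  Local Address          Foreign Address        State"]
    + [f"  TCP    192.0.2.10:80          198.51.100.7:{51000 + i}     ESTABLISHED"
       for i in range(12)]
    + ["  TCP    192.0.2.10:80          203.0.113.22:52000     ESTABLISHED",
       "  TCP    192.0.2.10:80          203.0.113.22:52001     TIME_WAIT",
       "  TCP    192.0.2.10:3389        203.0.113.9:40100      ESTABLISHED",
       "  TCP    127.0.0.1:49700        127.0.0.1:49701        ESTABLISHED"]
)


def count_tcp_lines(text: str) -> int:
    """Same number as: netstat -n -p tcp | find /c "TCP" (lines containing TCP)."""
    return sum(1 for line in text.splitlines() if "TCP" in line)


def parse_netstat(text: str):
    """Turn the four-column netstat listing into Conn records; banner and header lines are skipped."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[0].upper() != "TCP":
            continue
        local_ip, local_port = fields[1].rsplit(":", 1)     # rsplit keeps IPv6 [..]:port intact
        remote_ip, remote_port = fields[2].rsplit(":", 1)
        records.append(Conn(local_ip, int(local_port), remote_ip, int(remote_port), fields[3]))
    return records


def connections_per_peer(records, local_port=80, state="ESTABLISHED") -> Counter:
    """Count connections to the web port, grouped by remote address."""
    return Counter(r.remote_ip for r in records
                   if r.local_port == local_port and r.state == state)


def flag_peers(per_peer: Counter, threshold: int = PER_IP_THRESHOLD):
    """Remote addresses holding more than `threshold` connections, busiest first."""
    return [ip for ip, n in per_peer.most_common() if n > threshold]


def check_live_netstat():
    """Run the chapter's command on a Windows host and apply the same analysis."""
    out = subprocess.run(["netstat", "-n", "-p", "TCP"],
                         capture_output=True, text=True, check=True).stdout
    per_peer = connections_per_peer(parse_netstat(out))
    return count_tcp_lines(out), flag_peers(per_peer)


if __name__ == "__main__":
    total = count_tcp_lines(SAMPLE_NETSTAT)
    per_peer = connections_per_peer(parse_netstat(SAMPLE_NETSTAT))
    print(f"TCP lines: {total}")
    for ip, n in per_peer.most_common():
        print(f"  {ip}: {n} connections to port 80")
    print("over threshold:", flag_peers(per_peer))
```

On the constructed sample the raw count is 16 lines, the same figure the find /c pipeline would print, but only the per-address breakdown shows that 12 of those connections come from one source, which is the signal a per-IP connection limit acts on. The TIME_WAIT entry is excluded because it no longer occupies a server slot.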