Slowloris attack on the Apache web server

    The slow loris is an animal that lives in Southeast Asia and is known for its slow, deliberate movements. A new DoS/DDoS attack on the Apache web server was named after it.


    This type of attack was published by the security researcher RSnake on June 17 and is described in detail at http://ha.ckers.org/blog/20090617/slowloris-http-dos. The attack consists in sending new HTTP headers within a single HTTP request very slowly, never completing the request.

    Since Apache allocates resources for a request very early, a full set of resources is spent on each such request, the same as for a regular request.

    As you know, Apache handles requests either with processes or with a mixture of processes and threads. Using threads lets you delay the collapse, but sooner or later Apache runs into a memory limit or a limit set by the administrator.

    Most unpleasantly, a Slowloris attack leaves no traces other than a huge number of open connections in the ESTABLISHED state. There will not even be entries in access_log, since a request is logged only once it has completed.
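Because the only visible symptom is the pile-up of ESTABLISHED connections, a defender can watch for peers holding an unusual number of them. The following script is an added example, not code from the original post: it parses constructed `ss -tn`-style output (the sample rows and the threshold of 3 are assumptions) and reports peers with more than the threshold of established connections to port 80.

```python
import re
from collections import Counter

# Constructed sample of `ss -tn` style output (not captured from a real host).
# Columns: State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port.
SAMPLE_SS_OUTPUT = """\
State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB      0      0      10.0.0.5:80          198.51.100.7:51001
ESTAB      0      0      10.0.0.5:80          198.51.100.7:51002
ESTAB      0      0      10.0.0.5:80          198.51.100.7:51003
ESTAB      0      0      10.0.0.5:80          198.51.100.7:51004
ESTAB      0      0      10.0.0.5:80          192.0.2.10:44310
ESTAB      0      0      10.0.0.5:22          192.0.2.11:60022
TIME-WAIT  0      0      10.0.0.5:80          192.0.2.12:40001
"""

# One data row: state, two queue counters, local and peer socket addresses.
ROW_RE = re.compile(r"^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<peer>\S+)$")


def established_per_peer(ss_output, local_port=80):
    """Count ESTABLISHED connections to local_port, keyed by peer IP."""
    counts = Counter()
    for line in ss_output.splitlines():
        m = ROW_RE.match(line.strip())
        if not m or m.group("state") not in ("ESTAB", "ESTABLISHED"):
            continue
        # rsplit on the last ':' so IPv6 addresses like [::1]:80 stay intact
        _, lport = m.group("local").rsplit(":", 1)
        peer_ip, _ = m.group("peer").rsplit(":", 1)
        if int(lport) == local_port:
            counts[peer_ip] += 1
    return counts


def suspicious_peers(ss_output, threshold=3, local_port=80):
    """Return {peer_ip: count} for peers above `threshold` established connections."""
    counts = established_per_peer(ss_output, local_port)
    return {ip: n for ip, n in counts.items() if n > threshold}


if __name__ == "__main__":
    for ip, n in suspicious_peers(SAMPLE_SS_OUTPUT).items():
        print(f"{ip}: {n} established connections to port 80")
```

A per-peer threshold only catches a single-source attacker; for the distributed variant, compare the total ESTABLISHED count against a baseline for the host instead.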

    Initially, the Apache developers did not react very actively to RSnake's message on the mailing list, telling him that this attack had long been known and was a weakness of the TCP stack rather than of the web server itself. Later, however, the Apache developers got moving and began to actively discuss ways to solve the problem.

    Web servers based on a state machine are not affected by this attack. Thus the easiest way to protect yourself from Slowloris is a two-tier architecture, in which the first hop is a web/proxy server built on a state machine, such as nginx.

    Other possible solutions are HTTP accept filters in FreeBSD and clever firewall rules, which, however, may also cut off legitimate slow users.

    Besides actual architecture changes, the Apache developers agree on the need for smaller, more local timeouts. At the moment, Apache 2.2 implements a single common timeout that covers almost all I/O operations.

    For more information, see the httpd-dev mailing list and an article on LWN that is not yet open to public access.
