
Lead Image © Russell Shively, 123RF.com
Denial of service defense
Putting On the Brakes
The Hypertext Transfer Protocol (HTTP) forms the foundation for communication between web browsers and web servers. Slowloris [1] initially follows the usual procedure of an HTTP connection, but then disrupts processing of the request by sending an incomplete HTTP request at a very slow speed, as follows: (1) Slowloris uses TCP to open a client connection to the target server; (2) instead of sending a full HTTP request directly to the server, Slowloris begins a request and then continuously, but very slowly, adds headers without ever completing the request; (3) the server fields all of the header data and waits for the request to complete, keeping the connection alive; and finally, (4) because the server can only process a limited number of simultaneous connections, a large number of slow connections render the server unable to accept connections from other clients.
Immune Out of the Box
Not all modern web servers are susceptible to Slowloris attacks. The default configuration of today's most commonly used web server, NGINX, is basically immune, not just because of the settings, but because of the server architecture. NGINX uses an event-oriented asynchronous architecture that, above all, does not maintain a thread to handle each open connection and only needs a minimal amount of memory for each connection.
The client_header_timeout and client_body_timeout configuration options let you tell NGINX the intervals at which a client needs to send data when opening a connection. If the client fails to keep pace, NGINX closes the connection with an HTTP 408 (Request Timeout) error. However, this also means that you could make the NGINX server more vulnerable if you configure these options incorrectly.
The best-known web server besides Microsoft's Internet Information Server (IIS; which is rarely used and has a market share south of five percent) is the Apache HTTP daemon. By default, Apache keeps established connections open for a long time and maintains a separate process or thread for each request. Whereas the IIS headerWaitTimeout configuration option sets the wait time for header data measured from the moment the connection is opened, Apache's TimeOut directive only looks at the time since the last packet was received [2], so a client that keeps trickling in a few bytes never trips it.
Modular Extensions for Apache
Apache version 2.2 and newer has a mod_reqtimeout extension that provides the RequestReadTimeout directive, which you can use to set different request-specific timeouts globally across the server or for individual virtual hosts. The following line tells Apache to wait an initial 10 seconds to receive the header data, to extend that deadline by one second for every 500 bytes received, and never to wait longer than 30 seconds in total (the options of one directive are comma-separated without spaces):
RequestReadTimeout header=10-30,MinRate=500
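The following Python model, added here and not code from the article, from Slowloris, or from the Apache or NGINX projects, shows why the slow-header behaviour described at the start of the article holds a connection slot under Apache's TimeOut (which restarts on every packet), how NGINX's client_header_timeout bounds it, and how the RequestReadTimeout header=10-30,MinRate=500 setting above bounds it even more tightly. The traces are constructed sample data, the function names are my own, and the MinRate extension is modelled as proportional (bytes divided by rate, in seconds), which approximates the module's accounting.

```python
"""Model of how three server-side timeout policies treat a slow header sender.

Added example: not code from the article, from Slowloris, Apache or NGINX.
The policies approximate what the text describes:
  - Apache TimeOut: the clock restarts on every packet received
  - NGINX client_header_timeout: one deadline for the complete header block
  - Apache mod_reqtimeout RequestReadTimeout header=10-30,MinRate=500:
    10 s initial deadline, +1 s per 500 bytes received, hard cap of 30 s
The traces are constructed sample data and the function names are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    at: float               # seconds since the TCP connection was accepted
    nbytes: int             # header bytes carried by this packet
    complete: bool = False  # True if this packet ends the headers (blank line)


def last_packet_timeout(trace, timeout):
    """Apache TimeOut style: drop only if the gap since the previous packet exceeds timeout."""
    prev = 0.0
    for p in trace:
        if p.at - prev > timeout:
            return ("timeout", prev + timeout)
        prev = p.at
        if p.complete:
            return ("complete", p.at)
    # Headers never completed: the slot stays occupied until the idle gap runs out.
    return ("timeout", prev + timeout)


def fixed_header_timeout(trace, timeout):
    """NGINX client_header_timeout style: the whole header block must arrive before one deadline."""
    for p in trace:
        if p.at > timeout:
            return ("timeout", float(timeout))
        if p.complete:
            return ("complete", p.at)
    return ("timeout", float(timeout))


def request_read_timeout(trace, initial, maximum, min_rate):
    """mod_reqtimeout header=initial-maximum,MinRate=min_rate: each packet buys
    nbytes/min_rate extra seconds (modelled as proportional), never past maximum."""
    deadline = float(initial)
    for p in trace:
        if p.at > deadline:
            return ("timeout", deadline)
        deadline = min(float(maximum), deadline + p.nbytes / min_rate)
        if p.complete:
            return ("complete", p.at)
    return ("timeout", deadline)


# Constructed traces.
# A browser sends its whole header block in one packet almost immediately.
NORMAL_CLIENT = [Packet(0.05, 300, complete=True)]
# A Slowloris-style client trickles 40 bytes every 5 s and never finishes.
SLOW_CLIENT = [Packet(0.1, 60)] + [Packet(5.0 * k, 40) for k in range(1, 14)]
# A client sending exactly the minimum rate (1500 B every 3 s) still hits the 30 s cap.
MIN_RATE_CLIENT = [Packet(3.0 * k, 1500) for k in range(1, 12)]

POLICIES = {
    "Apache TimeOut 60": lambda t: last_packet_timeout(t, 60),
    "NGINX client_header_timeout 60": lambda t: fixed_header_timeout(t, 60),
    "RequestReadTimeout header=10-30,MinRate=500":
        lambda t: request_read_timeout(t, 10, 30, 500),
}


def seconds_held(trace, policy):
    """How long one connection slot stays occupied before the request completes or is dropped."""
    return POLICIES[policy](trace)[1]


if __name__ == "__main__":
    for name in POLICIES:
        print(name)
        for label, trace in (("normal", NORMAL_CLIENT), ("slowloris", SLOW_CLIENT),
                             ("min-rate", MIN_RATE_CLIENT)):
            outcome, t = POLICIES[name](trace)
            print(f"  {label:10s} {outcome:9s} after {t:6.2f} s")
```

Under the default-style TimeOut the trickling client holds its slot for as long as it keeps sending plus a full idle period, whereas the RequestReadTimeout setting drops it shortly after the initial 10 seconds, and even a sender that meets the minimum rate exactly is cut off at the 30-second cap. Multiply the held time by the number of connections a process- or thread-per-connection server can hold and you have the budget an attacker has to work with.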
If you use the Apache mod_security extension, you can also configure the connection-specific parameters there.
Pentesting a Web Server
If you run a web server or are responsible for web server operations in your organization, you will naturally want to know how it responds in the event of an attack. Before you deploy Slowloris, make sure you have permission to run tests against the target server. In an ideal case, the IT department – or you yourself – will be able to provide a non-production shadow server for initial tests. If this is not possible, you could use Docker to set up one or two web servers on your localhost for your tests.
To install the Python implementation of Slowloris on your system, use the command
pip3 install slowloris
If you cannot install (e.g., because you cannot install the package globally) or if you want to take a look at the code before using it, simply clone the Slowloris repository,
git clone https://github.com/gkbrk/slowloris.git
change to the directory, and run Slowloris when you get there.