Articles

Slow Loris Attack

How it works ?

Slow Loris is a denial-of-service (DOS) attack, consisting in opening a large amount of connections with a target server and to busy them, in order to not let others users connect.

To realize the attack, an attacker opens severals connections to the target server and keep them alives. How ? With slowly sending the requests, hence the analogy with the slow animal, Slow Loris.

Slowloris attack Practical Slow Loris with repository gkbrk/slowloris

Why does it work ?

In everyday life, we can temporarily lose connection during the sending of a request. In the subway for example.

Servers are generally indulgents and wait for the next of your request, before a certain time when they cut connection.

The attack is going to take profit of this server-side behavior. An attacker will open connections with the target server, and he’s going to send very slowly, in parallel, one header per one header to keep the connections alives.

This way, an attacker monopolizes all the sockets of the target server, to the detriement of news connections from others users. There is denial of service.

By design, Apache/httpd is strongly hit by this kind of attack, as its create a thread for each new connection, on the contrary of NGINX which use workers threads and will be less vulnerable.

Mitigation

  • Limit the number of simultaneous connections by IP
  • Increase the server pool of connections
  • Establish a timeout for the headers and body requests.
  • Buffering : use a reverse-proxy which buffers the request and open the connection only if the request is complete.

How does OGO protect you from Slow Loris ?

With the last option, buffering. The request will be forwarded to the server only if its considered as complete.


To complete about Slow Loris, we advise this video of the prodigeous Dr. Mike Pound for the great Youtube channel Computerphile :