This attack is very difficult to detect by a firewall for example because all these are valid HTTP requests, but they are super slow. And then it does this again and again and keeps that connection going as long as it can.Īnd then does the same process for as many connections as it can open, essentially hogging all the available connections to the server with painfully slow HTTP GET requests. This is like saying "Hey, I am still here, but I have a really bad internet connection!". And as the server is about to close the connection due to timeout, it sends say the first character of the file it requires. It sends a request to a host, without completing it, and then it waits. The problem comes not if we send no data, but we send some data, but painfully slowly. This will release the resources for that connection in order to serve someone else.
The server will wait a certain amount of time, and then will let the connection go free. Say that we are browsing a site from our phone, and we lose internet connection for some reason.
A server has a built-in timeout for each request. The attacker splits the HTTP GET request in as many packets as possible, and sends them as slow as possible.Īnd now Jimmy you might say, "Ok, I know that servers have a timeout built-in for each request. Instead of sending requests as fast as possible, it sends requests as slow as possible. The slow loris is a kind of slow and low attack invented by RSnake in 2009. Can I send requests so slowly, that I just bore them to death? And the answer is yes, yes you can! The idea of a slow loris attack is very simple. This marks the end of the headers, allowing the server to process the request the moment it receives this empty line. This conversation will continue back and forth until we load the page and all of its assets.Ī sample HTTP/1.1 GET request header will look like that:Įnter fullscreen mode Exit fullscreen mode And the server will send us the file we requested. Then we will send a new GET request and we will say "Hey I need logo.png now". We will send a GET request to the website, and we say "Hey I want index.html". Now let's make a quick and dirty recap on how HTTP/1.1 GET requests work. Server - Client Communication with HTTP/1.1 Since such attacks use legitimate requests traditional firewall filtering rules do not play well. Such a kind of attack is very difficult to mitigate, especially for smaller organizations with limited infrastructure. If you don't, it will just laugh in your face. If you manage to send enough the machine will go down. As many requests as possible all at the same time. Some modern attacks use techniques such as DNS amplification in order to maximize the impact of the attack.īut the main idea behind a DoS attack remains the same. Here instead of a single computer, you utilize a bunch of them in order to simultaneously send as many requests as possible to the machine on the other side. Since the machine has a finite amount of resources, if you manage to send more requests than it can handle, the server will go down.Ī distributed denial-of-service or DDoS attack, is the next level. The idea behind this attack is that you are trying to crash the machine that is on the business end of this attack, by sending as many requests as possible. In order to understand how such an attack works, let's refresh some basics ( too bored, show me now)Ī denial-of-service or DoS attack is an attack in which the attacker, seeks to make a machine or network unavailable to its intended users by disrupting the services of the host, either temporarily or indefinitely. Slow loris is a denial of service attack that can wreck havoc in unprotected thread-based web servers such as Apache, created in 2009, by a guy named RSnake (and is one of my favorite DoS attacks 😆)
The cover image is a real life slow loris.
0 kommentar(er)
