This topic has 7 replies, 5 voices, and was last updated 11 years, 7 months ago by RoleReversal.
June 18, 2009 at 11:27 am #3903
unsupported (Participant)

rsnake’s done it again! He developed a DoS which utilized HTTP on a multithreaded webserver, like Apache, not IIS. He says it is possible to DoS a website with just one computer and 1,000 packets because of the way the attack occurs.
More information, including Apache’s laissez-faire response, is here, http://ha.ckers.org/blog/20090617/slowloris-http-dos/ with the details here, http://ha.ckers.org/slowloris/.
Talk amongst yourselves…

June 18, 2009 at 12:26 pm #24907
Ketchup (Participant)

This is very interesting. I haven’t looked at the code yet, but I am guessing that it would be very possible to write an IDS signature to detect this attack. However, considering how easily you can turn it on and off, blocking it may be more difficult.
Does anyone know if firewall manufacturers out there have a way to limit HTTP connection duration? I’ve been looking but haven’t found anything yet.

June 18, 2009 at 12:40 pm #24908
ethicalhack3r (Participant)

> Does anyone know if firewall manufacturers out there have a way to limit HTTP connection duration? I’ve been looking but haven’t found anything yet.

You can change the default Apache settings to limit the connections. Not sure about firewalls.
EDIT—
RSnake says:
> @All, we have now gone through and tested every single recommendation Apache has made on that page – even the scary experimental one that says it may take down your server in the process of its use, and none of them stopped Slowloris. I think we can finally move on from that part of the discussion.

June 18, 2009 at 3:20 pm #24909
RoleReversal (Participant)

Playing with this in my lab today, which has managed to create a few worried individuals when I’ve demo’d it.
Basically does exactly what it says on the tin; as others have pointed out, you can create the same effect with existing (and old) tools, it just does it in a different way. SANS ISC has just covered the tool, so head there if you want more technical info.
Whilst I haven’t had the opportunity to test myself, I’ve read reports of this affecting non-Apache services as well, depending on web-server architecture. IIS isn’t vulnerable though. If anyone can confirm additional affected services I’d appreciate the heads up, cheers.

June 18, 2009 at 4:19 pm #24910
apollo (Participant)

I’m not sure how easy it would be to write an IDS signature for this, as the time span that you would have to track the session through could make your IDS sad. Basically what the application appears to be doing is taking advantage of the fact that most people protect their Apache (or other web server instances) by limiting the number of forks/threads to ensure that the box doesn’t run out of memory. When web servers run out of memory, things turn ugly, so this tool takes advantage of that, and if the limit is not imposed, the box will probably just run out of memory, taking down the whole thing anyway.
It appears to be doing this by opening up connections, sending a valid request, without sending the trailing new line that tells the web server “YO, GIMME DATA!”. By omitting that final new line, the connection remains open while the webserver waits for you to finish asking the question. Sure, it will eventually time out, but if you send it another small header like “X-happy: 4” it will start the wait again. As this isn’t written to the log file until the request has been made, until something bad happens there won’t be any logs indicating what is going on. A netstat will reveal the problem, and as a complete connection is required, it is easy to block the attacker, but it isn’t enough of a flood of traffic to make most folks go WOH!
I could be wrong, but that’s how I read it.

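To make apollo's description concrete from the server's side, here is an added example (not code from the Slowloris tool, from Apache, or from anyone in this thread) that models a threaded server's request-header phase with a fake clock. A constructed client sends a valid request line, never sends the blank line that ends the headers, and trickles one small header before each idle timeout fires. The model compares a per-read idle timeout on its own, which every trickled header resets, with the same idle timeout plus an absolute deadline on the whole header phase. The class and function names, the 300 s idle timeout, the 40 s deadline and the 100 s trickle interval are illustrative assumptions, not values from the thread.

```python
"""Model of the request-header phase of a threaded web server (added example).

Simulated time only: no sockets are opened. A client that sends a valid
request but never the terminating blank line is run against two policies:
an idle timeout alone, and an idle timeout plus an absolute header deadline.
"""

HEADER_END = b"\r\n\r\n"


class HeaderPhase:
    """One client connection, from its first request byte until the blank line
    that terminates the header block. Illustrative model, not Apache's code."""

    def __init__(self, idle_timeout, header_deadline=None):
        # Seconds of silence tolerated between two reads; each trickled
        # header line (e.g. "X-happy: 4") resets this clock.
        self.idle_timeout = idle_timeout
        # Total seconds allowed for the whole header block, measured from the
        # first byte. None means unbounded: the idle timeout is the only limit.
        self.header_deadline = header_deadline
        self.buf = b""
        self.started_at = None
        self.last_read_at = None

    def feed(self, now, data):
        """Record bytes arriving at time `now` (seconds)."""
        if self.started_at is None:
            self.started_at = now
        self.last_read_at = now
        self.buf += data

    def state(self, now):
        """Server-loop decision at time `now`: keep waiting, serve, or abort."""
        if self.started_at is None:
            return "waiting"
        if HEADER_END in self.buf:
            return "complete"
        if self.header_deadline is not None and now - self.started_at > self.header_deadline:
            return "abort: header deadline"
        if now - self.last_read_at > self.idle_timeout:
            return "abort: idle timeout"
        return "waiting"


def simulate_trickle(conn, trickle_interval, horizon):
    """Constructed client: sends a request line plus a Host header at t=0,
    then one more header line every `trickle_interval` seconds, never the
    terminating blank line. Time advances one second per step. Returns
    (state, t) when the server stops waiting, or ("waiting", horizon) if the
    connection is still being held open when the run ends."""
    conn.feed(0, b"GET / HTTP/1.1\r\nHost: example.test\r\n")
    next_send = trickle_interval
    for t in range(0, horizon + 1):
        state = conn.state(t)
        if state != "waiting":
            return state, t
        if t >= next_send:
            conn.feed(t, b"X-happy: 4\r\n")
            next_send += trickle_interval
    return "waiting", horizon


def compare_policies(idle_timeout=300, header_deadline=40, trickle_interval=100, horizon=3600):
    """Run the same trickle against both policies; returns {policy: (state, t)}."""
    idle_only = HeaderPhase(idle_timeout)
    with_deadline = HeaderPhase(idle_timeout, header_deadline)
    return {
        "idle_only": simulate_trickle(idle_only, trickle_interval, horizon),
        "with_deadline": simulate_trickle(with_deadline, trickle_interval, horizon),
    }


if __name__ == "__main__":
    for policy, (state, t) in compare_policies().items():
        print(f"{policy:14s} -> {state} at t={t}s")
```

With the idle timeout alone the connection is still open after the full hour, because every trickled header arrives well inside the 300 s idle window; with the absolute deadline it is released at 41 s regardless of how often the client writes. The point is the one Ketchup raises later in the thread: the server has to bound the total time it will wait for a complete header block, not just the gap between reads, and that bound has nothing to do with how long a legitimate response or upload may take once the headers are in.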
June 19, 2009 at 8:16 am #24911
RoleReversal (Participant)

Apollo,
that fits with the testing I’ve done in a lab.
Only mitigation I’ve found so far is as you describe: see a large number of connections via netstat and block the source IP at the firewall (perimeter or host-based).
Not sure I like this tool, although I’m sure the skiddies will :'( Hopefully it won’t create any major headaches for anyone.

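The netstat check RoleReversal and apollo describe can be scripted so the threshold is applied consistently rather than by eye. The following is an added example, not from the thread or from any tool named in it: it counts ESTABLISHED TCP connections to the web port per remote IP from `netstat -ant`-style output and lists the sources over a threshold. The sample snapshot is constructed inline (documentation-range IP addresses, a made-up server address of 10.0.0.5), and the threshold of 20 is an illustrative choice.

```python
"""Per-source connection count from netstat-style output (added example).

Input lines follow the `netstat -ant` column layout:
Proto, Recv-Q, Send-Q, Local Address, Foreign Address, State.
"""

from collections import Counter


def count_established_by_source(lines, local_port=80):
    """Count ESTABLISHED TCP connections to `local_port`, keyed by remote IP."""
    counts = Counter()
    for line in lines:
        fields = line.split()
        # Skip the header row, blank lines and non-TCP rows.
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        _proto, _recvq, _sendq, local, foreign, state = fields[:6]
        if state != "ESTABLISHED":
            continue
        # Split on the last colon so IPv6 literals keep their own colons.
        _local_ip, lport = local.rsplit(":", 1)
        remote_ip, _rport = foreign.rsplit(":", 1)
        if lport == str(local_port):
            counts[remote_ip] += 1
    return counts


def sources_over_threshold(counts, threshold):
    """Remote IPs holding more than `threshold` connections, busiest first."""
    return [ip for ip, n in counts.most_common() if n > threshold]


def sample_netstat():
    """Constructed snapshot: one source holding 40 connections to port 80,
    one source with two, plus rows on other ports and in other states."""
    lines = ["Proto Recv-Q Send-Q Local Address           Foreign Address         State"]
    for port in range(51000, 51040):
        lines.append(f"tcp        0      0 10.0.0.5:80             198.51.100.7:{port}      ESTABLISHED")
    lines += [
        "tcp        0      0 10.0.0.5:80             203.0.113.9:40112       ESTABLISHED",
        "tcp        0      0 10.0.0.5:80             203.0.113.9:40113       ESTABLISHED",
        "tcp        0      0 10.0.0.5:80             192.0.2.44:33020        TIME_WAIT",
        "tcp        0      0 10.0.0.5:22             192.0.2.44:33021        ESTABLISHED",
        "tcp6       0      0 :::80                   :::*                    LISTEN",
    ]
    return lines


if __name__ == "__main__":
    counts = count_established_by_source(sample_netstat())
    for ip in sources_over_threshold(counts, threshold=20):
        print(f"{ip} holds {counts[ip]} connections to port 80")
```

Two caveats before wiring something like this to a firewall rule: a NAT gateway or forward proxy legitimately puts many users behind one address, so the threshold has to be set against the site's normal per-source concurrency, and a single snapshot only shows the symptom at one instant; sampling it a few times and acting on sources that stay over the line is less prone to blocking a busy but honest client.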
June 19, 2009 at 12:31 pm #24912
Ketchup (Participant)

@apollo wrote:
> It appears to be doing this by opening up connections, sending a valid request, without sending the trailing new line that tells the web server “YO, GIMME DATA!”.

I am not great at grep, but it seems that a grep expression could be written to detect input without a new line character. If a grep expression can be written, then a Snort signature can be created. What do you guys think?
It seems to me that this would be something Apache should address. They would just have to time out the connection, even if it is technically incomplete. I am sure there are complications with this approach, especially with long running connections, like file transfer.

June 19, 2009 at 3:21 pm #24913
RoleReversal (Participant)

@Ketchup wrote:
> @apollo wrote:
> > It appears to be doing this by opening up connections, sending a valid request, without sending the trailing new line that tells the web server “YO, GIMME DATA!”.
>
> I am not great at grep, but it seems that a grep expression could be written to detect input without a new line character. If a grep expression can be written, then a Snort signature can be created. What do you guys think?

It’s a possibility, but as others have pointed out elsewhere, the lack of a newline character is just one example of how this attack vector could be implemented. Similar scripts could be coded/modified to implement this in a way that bypasses your grep or IDS rules.
Although I’m hoping someone is going to tell me I’m wrong.
