
Slowloris HTTP DoS on Apache webservers

<<

unsupported

Sr. Member

Posts: 318

Joined: Sun Feb 08, 2009 3:38 pm

Location: 407

Post Thu Jun 18, 2009 6:27 am

Slowloris HTTP DoS on Apache webservers

rsnake's done it again!  He developed a DoS which utilized HTTP on a multithreaded webserver, like Apache, not IIS.  He says it is possible to DoS a website with just one computer and 1,000 packets because of the way the attack occurs.

More information, including Apache's laissez-faire response, is here: http://ha.ckers.org/blog/20090617/slowloris-http-dos/ with the details here: http://ha.ckers.org/slowloris/.

Talk amongst yourselves...
-Un
CISSP, GCIH, GCIA, C|EH, Sec+, Net+, MCP
<<

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Thu Jun 18, 2009 7:26 am

Re: Slowloris HTTP DoS on Apache webservers

This is very interesting.  I haven't looked at the code yet, but I am guessing that it would be very possible to write an IDS signature to detect this attack.  However, considering how easily you can turn it on and off, blocking it may be more difficult. 

Does anyone know if firewall manufacturers out there have a way to limit HTTP connection duration?  I've been looking but haven't found anything yet.
~~~~~~~~~~~~~~
Ketchup
<<

ethicalhack3r

Full Member

Posts: 139

Joined: Fri Nov 28, 2008 11:29 am

Post Thu Jun 18, 2009 7:40 am

Re: Slowloris HTTP DoS on Apache webservers

Does anyone know if firewall manufacturers out there have a way to limit HTTP connection duration?  I've been looking but haven't found anything yet.


You can change the default Apache settings to limit the connections. Not sure about firewalls.

EDIT---

RSnake says:
@All, we have now gone through and tested every single recommendation Apache has made on that page - even the scary experimental one that says it may take down your server in the process of its use, and none of them stopped Slowloris. I think we can finally move on from that part of the discussion.
Last edited by ethicalhack3r on Thu Jun 18, 2009 9:10 am, edited 1 time in total.
<<

RoleReversal

Hero Member

Posts: 928

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Thu Jun 18, 2009 10:20 am

Re: Slowloris HTTP DoS on Apache webservers

Playing with this in my lab today, which has managed to create a few worried individuals when I've demo'd it.

Basically does exactly what it says on the tin, as others have pointed out you can create the same effect with existing (and old) tools, just does it in a different way. SANS ISC has just covered the tool, so head there if you want more technical info.

Whilst I haven't had opportunity to test myself, I've read reports of this affecting non-Apache services as well depending on web-server architecture. IIS isn't vulnerable though. If anyone can confirm additional affected services I'd appreciate the heads up, cheers.
<<

apollo

Full Member

Posts: 146

Joined: Fri Apr 04, 2008 7:44 pm

Post Thu Jun 18, 2009 11:19 am

Re: Slowloris HTTP DoS on Apache webservers

I'm not sure how easy it would be to write an IDS signature for this, as the time span that you would have to track the session through could make your IDS sad.  Basically what the application appears to be doing, is taking advantage of the fact that most people protect their Apache (or other web server instances) by limiting the number of forks/threads to ensure that the box doesn't run out of memory.  When web servers run out of memory, things turn ugly, so this tool takes advantage of that, and if the limit is not imposed, the box will probably just run out of memory anyway, taking down the whole thing anyway.

It appears to be doing this by opening up connections, sending a valid request, without sending the trailing new line that tells the web server "YO, GIMME DATA!".  By omitting that final new line, the connection remains open while the webserver waits for you to finish asking the question. Sure, it will eventually timeout, but if you send it another small header like "X-happy: 4" it will start the wait again.  As this isn't written to the log file until the request has been made, until something bad happens, there won't be any logs indicating what is going on.  A netstat will reveal the problem, and as a complete connection is required, it is easy to block the attacker, but it isn't enough of a flood of traffic to make most folks go WOH!

I could be wrong, but that's how I read it.
CISSP, CSSLP, MCSE+Security, MCTS, CCSP, GPEN, GWAPT, GCWN, NOP, OSCP, Security+
<<

RoleReversal

Hero Member

Posts: 928

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Fri Jun 19, 2009 3:16 am

Re: Slowloris HTTP DoS on Apache webservers

Apollo,

that fits with the testing I've done in a lab.

Only mitigation I've found so far is as you describe, see large number of connections via netstat and block source IP at firewall (perimeter or host-based).

Not sure I like this tool, although I'm sure the skiddies will :'( Hopefully it won't create any major headaches for anyone.
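
The netstat check described in the two posts above, as an added example that is not part of the original thread: it counts ESTABLISHED connections to the web port per source address and lists the sources over a limit. The sample output, the documentation-range addresses and the limit of 3 are constructed assumptions.

```python
from collections import Counter

# Constructed sample of `netstat -ant` output (documentation addresses, not real traffic).
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           203.0.113.7:40112       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.7:40113       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.7:40114       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.7:40115       ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.23:51822     ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.23:51823     TIME_WAIT
tcp        0      0 192.0.2.10:22           198.51.100.99:60001     ESTABLISHED
tcp6       0      0 2001:db8::10:80         2001:db8::beef:33001    ESTABLISHED
"""

def split_host_port(endpoint):
    """Split 'addr:port' on the last colon so IPv6 addresses stay intact."""
    host, _, port = endpoint.rpartition(":")
    return host, port

def connections_per_source(netstat_text, server_port=80, state="ESTABLISHED"):
    """Count connections in `state` to `server_port`, keyed by remote address."""
    counts = Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        # Skip the banner, the column header and any non-TCP rows.
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        _, local_port = split_host_port(fields[3])
        remote_host, _ = split_host_port(fields[4])
        if local_port == str(server_port) and fields[5] == state:
            counts[remote_host] += 1
    return counts

def sources_over_limit(netstat_text, limit, server_port=80):
    """Return (address, count) pairs holding more than `limit` connections."""
    counts = connections_per_source(netstat_text, server_port)
    return sorted((ip, n) for ip, n in counts.items() if n > limit)

if __name__ == "__main__":
    for ip, n in sources_over_limit(SAMPLE_NETSTAT, limit=3):
        print(f"{ip} holds {n} open connections to port 80")
```

A per-source limit has to allow for many legitimate clients sharing one address behind a NAT or proxy.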
<<

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Fri Jun 19, 2009 7:31 am

Re: Slowloris HTTP DoS on Apache webservers

apollo wrote:It appears to be doing this by opening up connections, sending a valid request, without sending the trailing new line that tells the web server "YO, GIMME DATA!". 


I am not great at grep, but it seems that a grep expression could be written to detect input without a new line character.  If a grep expression can be written, then a Snort signature can be created.  What do you guys think?

It seems to me that this would be something Apache should address.  They would just have to time out the connection, even if it is technically incomplete.  I am sure there are complications with this approach, especially with long running connections, like file transfer.
~~~~~~~~~~~~~~
Ketchup
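
An added example, not part of the original thread, that models the two timeout policies discussed above: an idle timeout that restarts on every read (apollo's description) and a fixed deadline for the complete request headers (the idea in this post). The traces, the 60-second and 20-second values and the function names are constructed assumptions, not Apache settings.

```python
# Constructed traces: (seconds since connect, bytes received) for three clients.
TRACES = {
    "normal": [(0, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")],
    "silent": [(0, b"GET / HTTP/1.1\r\nHost: example.test\r\n")],
    "trickle": [(0, b"GET / HTTP/1.1\r\nHost: example.test\r\n")]
               + [(t, b"X-happy: 4\r\n") for t in range(10, 300, 10)],
}
END_OF_HEADERS = b"\r\n\r\n"  # the blank line that completes the request headers

def outcome(trace, idle_timeout=None, header_deadline=None, horizon=300):
    """Replay one trace against a timeout policy (hypothetical model).

    idle_timeout: longest allowed gap between reads; restarts on every read.
    header_deadline: total seconds allowed from connect to the blank line.
    Returns ("complete", t), ("dropped", t) or ("open", horizon).
    """
    buf, last_read = b"", 0
    # A final empty read at `horizon` lets pending timers fire.
    for t, data in list(trace) + [(horizon, b"")]:
        expiries = []
        if idle_timeout is not None:
            expiries.append(last_read + idle_timeout)
        if header_deadline is not None:
            expiries.append(header_deadline)
        if expiries and min(expiries) < t:
            return ("dropped", min(expiries))
        buf += data
        last_read = t
        if END_OF_HEADERS in buf:
            return ("complete", t)
    return ("open", horizon)

def compare(idle_timeout=60, header_deadline=20):
    """Outcome of every trace under each policy: (idle only, deadline only)."""
    return {name: (outcome(tr, idle_timeout=idle_timeout),
                   outcome(tr, header_deadline=header_deadline))
            for name, tr in TRACES.items()}

if __name__ == "__main__":
    for name, (idle, deadline) in compare().items():
        print(f"{name:8} idle-timeout: {idle}  header-deadline: {deadline}")
```

The deadline in this model covers only the header phase, so a long response body or file transfer that starts after the blank line is not cut off by it.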
<<

RoleReversal

Hero Member

Posts: 928

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Fri Jun 19, 2009 10:21 am

Re: Slowloris HTTP DoS on Apache webservers

Ketchup wrote:
apollo wrote:It appears to be doing this by opening up connections, sending a valid request, without sending the trailing new line that tells the web server "YO, GIMME DATA!". 

I am not great at grep, but it seems that a grep expression could be written to detect input without a new line character.  If a grep expression can be written, then a Snort signature can be created.  What do you guys think?


It's a possibility, but as others have pointed out elsewhere, the lack of a newline character is just one example of how this attack vector could be implemented. Similar scripts could be coded/modified to implement this in a way that bypasses your grep or IDS rules.

Although I'm hoping someone is going to tell me I'm wrong
