In this article, we are looking at how a DoS attack works. There are many tools out there for DoS purposes, and they vary in the type of platform they affect: for example Pyloris (HTTP based), LOIC (TCP, UDP, HTTP), R-U-DEAD-YET (targets the web server's resources) and many others. These tools work just fine. But a nice tool is one which can go undetected for longer and can give really appreciable results. One of those tools, which we are going to discuss right now, is Slowloris.
What is the Slowloris tool?
It is a DoS attack tool for web servers developed by Robert “RSnake” Hansen and announced on the blog ha.ckers.org in 2009. It is an HTTP DoS attack tool, not a TCP DoS tool, but it does make a legitimate TCP connection with the victim server. This tool can work as a single soldier to take down a web server. It requires minimal bandwidth and works only against web servers.
How does it work?
Slowloris sends partial HTTP requests, and none of them are ever completed. It holds the connection open while sending incomplete HTTP requests. The server has to hold the connection and wait for the complete header from the client, but the client never sends it; instead the client sends spurious header lines, and each incomplete request resets the server's timeout counter. Slowloris tries to keep multiple connections open with the server for a long period of time. This tool is specially crafted for a weakness of servers which dedicate a process thread to each connection. Apache is thread based, which means that once we use Slowloris on Apache, the server waits for the client to complete the request, but the client keeps delaying it, and hence the server's process threads stay busy with the attacker's incomplete headers and legitimate users are not able to use the resources on the web server.
But why Apache? Not just Apache gets hurt by the attack; there are plenty more web servers whose architecture makes them a target for Slowloris. It takes the server down slowly but has a huge effect on it.
The architectural feature I’m talking about above is the timeout. The web server waits for a certain amount of time for a particular request to complete before it can free the connection and open a new one. The Apache web server has a timeout of 300 seconds, which we can change, which means this tool can tie up the connection for about 300 seconds, after which it again sends a spurious header line and resets the connection timeout back to 300 seconds. This is a nasty thing to do to a web server.
- Client ——> sends a spurious and incomplete request to the server
- Server ——> waits for the complete request for up to 300 seconds
- Client ——> also waits for the timeout to nearly run out and then again sends a fake incomplete header line
- Server ——> again gets bound by the client’s incomplete request
But the question is, how does the server know the request header is incomplete? You would know it if you have knowledge of HTTP headers and connections. In an HTTP request, each header line ends with a CRLF (Carriage Return and Line Feed, \r\n), and the end of the whole header block is marked by two CRLFs in a row (\r\n\r\n), i.e. an empty line, which denotes a complete request. In the case of Slowloris, it never adds that last blank line (\r\n) to show the end of the header, and hence the server perceives the header as incomplete and keeps the timeout running for the request.
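As an added example (not from the original article or the Slowloris project), here is a small Python check a defender could run over reassembled request bytes from a capture: it applies exactly the rule above, a header is complete only once the blank line \r\n\r\n arrives, and flags connections that have stayed open past a chosen limit without ever sending it, plus the source addresses holding many such stalled connections at once. The connection IDs, addresses and timestamps are constructed sample data.

```python
from collections import defaultdict

HEADER_END = b"\r\n\r\n"  # blank line that terminates an HTTP request header

def header_complete(buf: bytes) -> bool:
    """True once the request header block has been terminated by CRLF CRLF."""
    return HEADER_END in buf

def reassemble(events):
    """Group captured TCP payload chunks by connection.
    events: iterable of (conn_id, src_ip, timestamp, payload_bytes).
    Returns {conn_id: (src_ip, first_ts, last_ts, joined_payload)}.
    """
    conns = {}
    for conn_id, src_ip, ts, payload in sorted(events, key=lambda e: e[2]):
        if conn_id not in conns:
            conns[conn_id] = [src_ip, ts, ts, b""]
        rec = conns[conn_id]
        rec[2] = ts            # last time we saw bytes on this connection
        rec[3] += payload      # accumulate the partial header so far
    return {k: tuple(v) for k, v in conns.items()}

def slow_header_connections(events, now, max_header_secs):
    """Connection IDs whose header is still unterminated after max_header_secs."""
    flagged = []
    for conn_id, (src_ip, first_ts, last_ts, buf) in reassemble(events).items():
        if not header_complete(buf) and now - first_ts > max_header_secs:
            flagged.append(conn_id)
    return sorted(flagged)

def suspicious_sources(events, now, max_header_secs, min_conns):
    """Source IPs holding at least min_conns stalled-header connections at once."""
    by_src = defaultdict(int)
    conns = reassemble(events)
    for conn_id in slow_header_connections(events, now, max_header_secs):
        by_src[conns[conn_id][0]] += 1
    return {ip: n for ip, n in by_src.items() if n >= min_conns}

# Constructed sample capture (not real traffic): one normal browser request
# and three connections from one host that only ever send partial header lines.
SAMPLE_EVENTS = [
    (1, "198.51.100.7", 0.0, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    (2, "203.0.113.9", 0.0, b"GET / HTTP/1.1\r\nHost: example.test\r\n"),
    (2, "203.0.113.9", 290.0, b"X-filler: 1\r\n"),
    (3, "203.0.113.9", 1.0, b"GET / HTTP/1.1\r\nHost: example.test\r\n"),
    (4, "203.0.113.9", 2.0, b"GET / HTTP/1.1\r\n"),
]
```

The threshold should sit well below the server's own timeout (300 seconds in the Apache case above), since the whole point of the attack is to stay just inside that limit.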
The most beautiful part of Slowloris is that it goes undetected by IDS because it sends legitimate-looking requests; most of the time, even if the owner knows that someone is DoS-ing his/her server, it would be really hard for them to tell it apart, as it doesn’t get logged as malicious activity.
A disadvantage of Slowloris is that it has to wait for the server to free up a connection before it can make a connection with the server. It can consume all the available HTTP connections on the server, but before it can make a connection, a server HTTP connection slot has to be free for Slowloris’s connection.
There are several articles online telling you about mitigation of such an attack; a reverse proxy in front of the web server would help in many cases. It requires the attacker to run the attack continuously to cause a DoS, because once the script is stopped, the HTTP connections become available to legitimate users again after the timeout.
For DoS, this is an effective way because IPS and IDS systems cannot detect Slowloris due to its legitimate request type.
Let’s try Slowloris:
I am showing the simulation below using DE-ICE and Kali virtual machines.
- Download Slowloris from GitHub: https://github.com/llaera/slowloris.pl
- To run it, unzip the zipped file and we are ready to go:
This is what you actually need to do, and then we can just let it run until it slowly ties up all the available HTTP connections.
NOTE: This is just a noob alert. If you don’t understand the scope of something destructive, don’t use it!
The most important part that I want to show you people is the actual CRLF which indicates an incomplete header; I am using Wireshark to capture the packets of these connections.
For the first connection, I will be showing you the header of a basic connection between my browser and the web server:
The above two screenshots are taken from a genuine HTTP connection.
The screenshots below were taken while the Slowloris script was running, and as we can see, the two lines for CRLF are missing here, and hence the server still waits for further data from the client.
Stay Anonymous 🙂