Slowloris is a Layer 7 (application-layer) protocol attack developed by Robert “RSnake” Hansen. Do not underestimate it: even a single computer can take down a full web server single-handedly. Slowloris is a simple and powerful DoS/DDoS attack, also known as a low-and-slow attack. It is named after the slow loris, a nocturnal primate that can twist and extend its neck to reach branches on trees. Slow lorises deliver a highly toxic bite and reproduce at a very slow rate.
Slowloris requires very little bandwidth and has little to no side effects on services and ports.
A DoS attack is a denial-of-service attack that is aimed at disrupting the server so that it cannot serve any new requests to new visitors.
A DDoS (Distributed Denial of Service) attack is similar to a DoS attack but has multiple attacking nodes.
For example, imagine 20 people blocking a door and 1 person trying to get in.
Low-and-slow attacks are hard to detect and can quite often bypass firewalls and other security controls, because they look like any normal HTTP request. This gives the server administrator a false sense that everything is normal, since GET requests are being received. Slowloris sends requests but never actually completes them.
Around 55% of web servers around the world run on Apache, and it is one of the vendors most affected by Slowloris. Back when Apache was designed, no one thought this could be possible. Because valid HTTP headers were being sent, everything appeared to the operator to be running as it should, and the attack was often overlooked: connections were often slow, and Apache would assume the client just had a bad connection or was running in an environment such as dial-up.
Servers vulnerable to Slowloris are Apache, dhttp, Websense, Taptose Wireless Web Panel and other popular vendors, because it exploits the server at an extremely slow rate. For proxying servers and servers that have a large number of connections, nginx is recommended, but it still has its weaknesses due to Slowloris's ability to be stealthy when handling and sending GET requests.
If all connections are open, no other connection requests will be served, because all the threads are tied up serving Slowloris.
When sockets die and get closed, Slowloris opens up new connections, repeating this until it owns all the request threads. When we send a GET request to a server, it is sent as text with a little metadata and headers that give the receiving node information about the environment, such as the browsing agent.
Slowloris sends GET requests to the server at a really slow rate, so that the open connection threads fill up until the maximum thread / server request limit is reached. When a legitimate visitor then tries to load the page, their request will not be served.
Because the data is sent at an extremely slow rate, we would expect the server to eventually time out. To prevent the timeout, Slowloris sends a few very small bytes of data just before the connection is about to die, telling the server that the request is still pending. The rate at which Slowloris sends data is 100 bytes per minute.
As users disconnect from the web server, Slowloris takes over the freed request slots and keeps those requests open for as long as possible, until it owns all concurrent threads. Once the thread limit is reached, new connections trying to reach the site will be dismissed, because all the threads are owned by Slowloris. If a user somehow manages to connect to the server, Slowloris will then repeat the process.
When virtual hosts are in use, Slowloris can be modified to send custom Host headers. Logs are stored separately for each virtual host, which gives Slowloris the ability to suppress its log entries from being created, and the advantage of catching unmonitored servers off guard without warnings appearing in the log files.
You can test how your server holds up against these types of attacks by using the OWASP HTTP Post Tool, software used for testing slow HTTP headers.
Today I will show you how to use Slowloris.
Open up a new terminal.
# python3 slowloris.py example.com
This command will start a Slowloris attack on the website specified.
Protection against Low-and-Slow attacks
- Lower the Timeout
- Increase Max Request Workers
- Accept Filter: buffer HTTP requests at kernel level
- Set a Request Read Timeout
- Consider switching to the event MPM
If you use Cloudflare, enable “I’m Under Attack” mode from your control panel.
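
Why the request read timeout item matters, as an added example (not code from the original post or from Apache): a simplified Python model comparing a plain idle timeout with a whole-header deadline of the kind Apache's mod_reqtimeout documents for `RequestReadTimeout header=20-40,MinRate=500`. The connection traces and the 300-second idle value are constructed assumptions.

```python
# Added example: simplified model of two server-side timeout policies.
from typing import List, Tuple

Trace = List[Tuple[float, bytes]]   # (seconds since accept, bytes received)
END_OF_HEADERS = b"\r\n\r\n"        # blank line that completes the request headers

def idle_timeout_outcome(trace: Trace, idle: float) -> Tuple[str, float]:
    """Weak policy: only the gap between two reads is limited."""
    buf, last = b"", 0.0
    for t, data in trace:
        if t - last > idle:
            return ("timeout", last + idle)
        buf, last = buf + data, t
        if END_OF_HEADERS in buf:
            return ("complete", t)
    return ("held", last)           # worker still occupied when the trace ends

def header_deadline_outcome(trace: Trace, initial: float, maximum: float,
                            min_rate: int) -> Tuple[str, float]:
    """Hardened policy: the whole header block has a deadline. Every
    min_rate bytes received buys one more second, never beyond maximum."""
    buf, deadline = b"", initial
    for t, data in trace:
        if t > deadline:
            return ("timeout", deadline)
        buf += data
        if END_OF_HEADERS in buf:
            return ("complete", t)
        deadline = min(maximum, initial + len(buf) // min_rate)
    return ("timeout", deadline)    # headers never completed

# Constructed traces (not captured traffic).
NORMAL = [(0.05, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n")]
SLOW_LINK = [(1.0, b"GET / HTTP/1.1\r\n"), (4.0, b"Host: example.com\r\n"),
             (8.0, b"\r\n")]        # slow but legitimate client
TRICKLE = [(0.1, b"GET / HTTP/1.1\r\nHost: example.com\r\n")] + \
          [(60.0 * i, b"X-Pad: 1\r\n") for i in range(1, 4)]  # never finishes

def compare(trace: Trace):
    """Return (idle-timeout result, header-deadline result) for one trace."""
    return (idle_timeout_outcome(trace, idle=300.0),   # assumed idle value
            header_deadline_outcome(trace, initial=20, maximum=40, min_rate=500))

if __name__ == "__main__":
    for name, tr in [("normal", NORMAL), ("slow link", SLOW_LINK),
                     ("trickle", TRICKLE)]:
        print(name, compare(tr))
```

Under the idle timeout the trickling connection still holds its worker when the trace ends, while the header deadline closes it at 20 seconds and leaves the slow but legitimate client unaffected.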