Slowloris is a type of denial of service attack tool invented by Robert “RSnake” Hansen which allows a single machine to take down another the machine’s web server with minimal bandwidth and side effects on unrelated services and ports.

Slowloris tries to keep many connections to the target web server open and hold them open as long as possible. It accomplishes this by opening connections to the target web server and sending a partial request. Periodically, it will send subsequent HTTP headers, adding to—but never completing—the request. Affected servers will keep these connections open, filling their maximum concurrent connection pool, eventually denying additional connection attempts from clients.

How does a Slowloris attack work?

Slowloris is an application layer attack that operates by utilizing partial HTTP requests. The attack functions by opening connections to a targeted Web server and then keeping those connections open as long as it can.

Slowloris is not a category of attack but is instead a specific attack tool designed to allow a single machine to take down a server without using a lot of bandwidth. Unlike bandwidth-consuming reflection-based DDoS attacks such as NTP amplification, this type of attack uses a low amount of bandwidth, and instead aims to use up server resources with requests that seem slower than normal but otherwise mimic regular traffic. It falls in the category of attacks are known as “low and slow” attacks.

The targeted server will only have so many threads available to handle concurrent connections. Each server thread will attempt to stay alive while waiting for the slow request to complete, which never occurs. When the server’s maximum possible connections have been exceeded, each additional connection will not be answered and denial-of-service will occur.

A Slowloris attack occurs in 4 steps:

  1. The attacker first opens multiple connections to the targeted server by sending multiple partial HTTP request headers.
  2. The target opens a thread for each incoming request, with the intent of closing the thread once the connection is completed. To be efficient, if a connection takes too long, the server will timeout the exceedingly long connection, freeing the thread up for the next request.
  3. To prevent the target from timing out the connections, the attacker periodically sends partial request headers to the target to keep the request alive. In essence saying, “I’m still here! I’m just slow, please wait for me.”
  4. The targeted server is never able to release any of the open partial connections while waiting for the termination of the request. Once all available threads are in use, the server will be unable to respond to additional requests made from regular traffic, resulting in denial-of-service.

The key behind a Slowloris is its ability to cause a lot of trouble with very little bandwidth consumption.

How to prevent a slowloris attack?

  1. Use Hardware Load Balancers that accept only full HTTP connections.
  • Using hardware load balancers with an HTTP profile configured will be the best method to stop such an attack.
  • Because the load balancer will inspect the packet’s and will forward only those HTTP requests to the webserver which are complete.
  • If you are using an F5 based BIG-IP Load Balancer I recommend reading the below link for mitigating slowloris attacks.
  • Another Load balancer’s like the Citrix NetScaler and Cisco CSS can be configured with an HTTP profile to mitigate such an attack.
  1. Protect your web server by using IPtables by limiting connections from a particular host
  • You can certainly limit the number of connections with the help of tables to port 80. For example, if suppose I want to block

iptables -A INPUT -p tcp –syn –port 80 -m connlimit –connlimit-above 30 -j DROP

  1. Configure the timeout directive in apache
  • Although this is not at all a good solution, you can still increase the rate with which your web server will reap inactive connections.
  • You can simply modify the timout directive in /etc/httpd/conf/httpd.conf file.
  • Reducing it to a lower value will at least make the attack difficult(but still the attack can take down the server, by increasing the number of requests)