How did low-and-slow attacks gain their notorious reputation?
The Slow HTTP POST DoS attack was officially revealed to the technical community at the Open Web Application Security Project (OWASP) 2012 conference, where Wong Onn Chee and Tom Brennan jointly demonstrated the power of this particular attack.
A low-and-slow attack works on the following principles:
- A client opens a connection to a reachable HTTP server and crafts an HTTP request whose Content-Length header is set to a very large value.
- Instead of sending the request at once, the client sends it very slowly, for example one byte every 1–10 seconds, so that the connection stays open.
- If the client keeps opening such connections, the server's pool of available connections is exhausted and it can no longer serve legitimate users.
A low-and-slow attack is much the same as a Collapsar Challenge (CC) attack: it targets any web server that provides web services. Because HTTP does not require the server to check the request content before the whole request has been received, a low-and-slow attack can succeed even when the request body is empty.
It costs an attacker very little to have one client open a large number of useless connections from a single thread and keep sending packets at a very slow rate. Tests indicate that a single client can hold over 3000 connections. A low-and-slow attack from a single client can therefore deal a fatal blow to a web server, and the effect is far worse when the attack is distributed across a zombie cluster as a distributed denial-of-service (DDoS) attack.
Low-and-slow attacks have become popular because they are easy to launch, cause a severe denial of service, and evade detection, which makes them a favorite of many attackers.
Currently, low-and-slow attacks fall into the following categories:
- Slow Headers
A web application must receive the full HTTP header before it can process the request, because the header carries information that some web applications depend on to handle the request. This gives an attacker the opportunity to send the HTTP header piece by piece, never completing it, so that the server is saturated with idle connections and its memory is exhausted.
- Slow Body
The attacker sends an HTTP POST request with Content-Length set to a very large value. After receiving the HTTP header, the web server or proxy keeps the connection open waiting for data, wrongly believing that the client is about to send a large request. The attack client instead sends a small portion of the HTTP body at a time to keep the connection alive, draining the server's connection pool and exhausting its memory.
- Slow Read
The client opens a connection to the server and sends a complete HTTP request. It then holds the connection open and reads the response very slowly. For example, it advertises a TCP zero window to the server before reading the response, misleading the server into believing the client is busy, and then reads only one byte of the response just before the connection would time out. In this way the client drains the server's connections and consumes its memory.
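As an added illustration of the detection side of these three categories (example code written for this page, not part of the original text or of any product), the monitor below tracks each connection's transfer progress through the header, body and response phases and flags the three shapes just described: a connection that has gone idle (a client sitting on a zero window during the response), one whose average rate in a phase has collapsed (headers or body trickled in a byte at a time), and one whose phase has simply lasted too long. The class and function names, the thresholds, the client addresses (taken from documentation ranges) and the constructed timeline in run_scenario() are all assumptions chosen for illustration; a real server would apply the same policy to its own socket accounting, which is what the header, body and send timeouts of production web servers do.

```python
# Added example: a server-side monitor that flags slow-header, slow-body and
# slow-read connections from transfer-progress events. Hypothetical code
# written for this article; thresholds and addresses are illustrative.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class ConnState:
    client: str           # remote address the connection came from
    phase: str            # "headers", "body" or "response"
    phase_start: float    # when the current phase began (seconds)
    last_progress: float  # last time any byte moved in this phase
    phase_bytes: int = 0  # bytes transferred in the current phase


class SlowConnectionMonitor:
    """Three checks per connection, one for each shape of the attack:
    - idle:  no byte has moved for more than idle_limit seconds
             (a client sitting on a zero window during the response)
    - slow:  after `grace` seconds in a phase the average rate is below
             min_rate bytes/s (headers or body trickled in one byte at a time)
    - cap:   a single phase has lasted longer than phase_limit seconds,
             whatever its rate
    """

    def __init__(self, idle_limit: float = 10.0, grace: float = 5.0,
                 min_rate: float = 50.0, phase_limit: float = 60.0) -> None:
        self.idle_limit = idle_limit
        self.grace = grace
        self.min_rate = min_rate
        self.phase_limit = phase_limit
        self.conns: Dict[int, ConnState] = {}

    def open(self, conn_id: int, client: str, now: float) -> None:
        self.conns[conn_id] = ConnState(client, "headers", now, now)

    def progress(self, conn_id: int, nbytes: int, now: float) -> None:
        """Record nbytes moving (in either direction) on the connection."""
        c = self.conns[conn_id]
        c.phase_bytes += nbytes
        c.last_progress = now

    def advance(self, conn_id: int, phase: str, now: float) -> None:
        """Headers complete -> body, or request complete -> response."""
        c = self.conns[conn_id]
        c.phase, c.phase_start, c.last_progress, c.phase_bytes = phase, now, now, 0

    def close(self, conn_id: int) -> None:
        self.conns.pop(conn_id, None)

    def evaluate(self, now: float) -> List[Tuple[int, str]]:
        """Return (conn_id, reason) for every connection that should be dropped."""
        flagged: List[Tuple[int, str]] = []
        for cid, c in self.conns.items():
            elapsed = now - c.phase_start
            idle = now - c.last_progress
            if idle > self.idle_limit:
                flagged.append((cid, f"idle {idle:.0f}s in {c.phase}"))
            elif elapsed > self.phase_limit:
                flagged.append((cid, f"{c.phase} phase open for {elapsed:.0f}s"))
            elif elapsed > self.grace and c.phase_bytes / elapsed < self.min_rate:
                rate = c.phase_bytes / elapsed
                flagged.append((cid, f"{c.phase} rate {rate:.1f} B/s"))
        return flagged

    def offending_clients(self, now: float, min_slow_conns: int = 2) -> List[str]:
        """Clients holding at least min_slow_conns flagged connections at once:
        one slow connection is tolerated (it may be a poor link), several from
        the same source at the same time is the attack pattern."""
        counts: Dict[str, int] = {}
        for cid, _ in self.evaluate(now):
            client = self.conns[cid].client
            counts[client] = counts.get(client, 0) + 1
        return sorted(c for c, n in counts.items() if n >= min_slow_conns)


def run_scenario() -> Tuple[List[Tuple[int, str]], List[str]]:
    """Constructed timeline (seconds from an arbitrary start); the addresses
    are documentation ranges, not real hosts."""
    mon = SlowConnectionMonitor()
    # conn 1: a long but healthy upload, 5000 bytes every 2 s after fast headers
    mon.open(1, "203.0.113.7", now=0.0)
    mon.progress(1, 400, now=0.4)
    mon.advance(1, "body", now=0.5)
    for t in range(2, 41, 2):
        mon.progress(1, 5000, now=float(t))
    # conns 2-4: one source trickling a single header byte every 8 s
    for cid in (2, 3, 4):
        mon.open(cid, "198.51.100.9", now=0.0)
        for t in range(8, 41, 8):
            mon.progress(cid, 1, now=float(t))
    # conn 5: request sent quickly, then the response is never read
    mon.open(5, "192.0.2.44", now=0.0)
    mon.progress(5, 300, now=0.2)
    mon.advance(5, "response", now=0.3)
    mon.progress(5, 1, now=0.5)
    return mon.evaluate(now=42.0), mon.offending_clients(now=42.0)


if __name__ == "__main__":
    flagged, clients = run_scenario()
    for cid, reason in flagged:
        print(f"drop connection {cid}: {reason}")
    print("rate-limit or block:", clients)
```

Running the scenario flags connections 2 to 4 for a header rate of about 0.1 B/s and connection 5 for being idle in the response phase, while the long but healthy upload on connection 1 is left alone; only 198.51.100.9, holding three flagged connections at once, is reported as a candidate for rate limiting. The trade-off lives in the thresholds: a higher idle limit and lower minimum rate spare genuinely slow clients but lengthen the time an attacker can occupy a connection slot, and the per-client count is what keeps a single poor link from being treated as an attack.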
The following illustrates how to protect against low-and-slow attacks: