Low-and-Slow Attacks

How did low-and-slow attacks gain their notorious reputation?

By Jiong Liu (John)

The Slow HTTP POST DoS attack was first publicly demonstrated to the technical community at the Open Web Application Security Project (OWASP) 2012 conference, where Wong Onn Chee and Tom Brennan together showed the power of this particular attack.

A low-and-slow attack is based on the following principles:

  • A client sets up a connection to an HTTP server and crafts an HTTP request with the Content-Length field set to a large value.
  • Instead of sending the request at once, the client sends it at a very low speed, for example one byte every 1–10 seconds, to hold the connection open.
  • If the client keeps setting up such connections, the server's pool of available connections runs out and it denies service to legitimate users.

A low-and-slow attack is more or less the same as a Collapsar Challenge (CC) attack: it targets any server that provides web services. Because the HTTP protocol does not require the request content to be checked before the whole request has been received, a low-and-slow attack can succeed even if the request body is empty.

It costs very little for a single-threaded client to establish a large number of useless connections and keep sending packets at a very slow rate. Tests indicate that a single client can hold over 3000 connections open. A low-and-slow attack from a single client can be a fatal blow to a web server, let alone a distributed denial-of-service (DDoS) attack launched from a zombie cluster.

Low-and-slow attacks have become popular because they are easy to launch, cause severe denial of service, and evade detection, which makes them a favorite of many attackers.

Currently, low-and-slow attacks fall into the following categories:

  • Slow Headers

Web applications need to receive the full HTTP header before processing an HTTP request, because the header carries information that the application may need to process the request. This gives attackers the opportunity to keep sending partial HTTP headers, saturating the server with idle connections and exhausting its memory.

  • Slow Body

An attacker sends an HTTP POST request with Content-Length set to a large value. After receiving the HTTP header, the web server or proxy keeps the connection open and waits for data, wrongly believing that a large request is about to arrive. The attack client, however, sends only a small portion of the HTTP body each time to keep the connection alive, draining the server's connection pool and exhausting its memory.

  • Slow Read

The client sets up a connection to the server and sends a full HTTP request. Holding the connection open, it then reads the response from the server at a very low speed. For example, it advertises a TCP zero window before reading the response, misleading the server into thinking that the client is busy, and reads only one byte of the response just before the connection is about to time out. In this way the client drains the server's connection pool and consumes its memory.
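All three variants above exploit the same weakness: the server waits indefinitely for a peer that makes almost no progress. The following added example (written for this article, not NSFOCUS code) shows the defensive counterpart, a receive/send loop that a server or proxy worker can wrap around a socket so that a dripped header, a dripped body, or a response drained one byte per timeout is cut off instead of pinning the worker. The socket is abstracted as `recv()`/`send()` callables and the clock is injected, so the slow peer is simulated without sleeping; all policy numbers are assumptions chosen for the example.

```python
"""Deadline and minimum-rate enforcement for one HTTP connection (added example)."""
import time
from typing import Callable

# Hypothetical policy values for this example.
HEAD_DEADLINE_S = 10.0   # whole request head must arrive within this
BODY_DEADLINE_S = 30.0   # whole body must arrive within this
SEND_DEADLINE_S = 30.0   # whole response must be drained within this
GRACE_S = 2.0            # no rate check during the first seconds of a phase
MIN_RATE_BPS = 500.0     # after the grace period the average rate must exceed this
MAX_HEAD_BYTES = 8192


class SlowClientError(Exception):
    """The peer violated the deadline or minimum-rate policy; close the connection."""


def _check_progress(start: float, now: float, nbytes: int, deadline_s: float, what: str) -> None:
    elapsed = now - start
    if elapsed > deadline_s:
        raise SlowClientError(f"{what}: {deadline_s}s deadline exceeded after {nbytes} bytes")
    if elapsed > GRACE_S and nbytes / elapsed < MIN_RATE_BPS:
        raise SlowClientError(f"{what}: {nbytes / elapsed:.1f} B/s is below {MIN_RATE_BPS} B/s")


def _read_until(recv, clock, done, deadline_s, what, max_bytes=None) -> bytes:
    """Read from recv() until done(buf) is true, checking progress before every read."""
    start, buf = clock(), bytearray()
    while not done(buf):
        _check_progress(start, clock(), len(buf), deadline_s, what)
        chunk = recv()
        if not chunk:
            raise ConnectionError(f"{what}: peer closed the connection early")
        buf += chunk
        if max_bytes is not None and len(buf) > max_bytes:
            raise SlowClientError(f"{what}: exceeds {max_bytes} bytes")
    return bytes(buf)


def read_request(recv: Callable[[], bytes], clock: Callable[[], float] = time.monotonic):
    """Return (head, body) for one request, enforcing the head and body policies."""
    raw = _read_until(recv, clock, lambda b: b"\r\n\r\n" in b, HEAD_DEADLINE_S, "head", MAX_HEAD_BYTES)
    head, _, rest = raw.partition(b"\r\n\r\n")
    content_length = 0
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            content_length = int(value.strip())
    missing = content_length - len(rest)          # body bytes not already buffered
    if missing > 0:
        rest += _read_until(recv, clock, lambda b: len(b) >= missing, BODY_DEADLINE_S, "body")
    return head, rest[:content_length]


def send_response(send: Callable[[bytes], int], data: bytes,
                  clock: Callable[[], float] = time.monotonic) -> int:
    """Write data via send(buf) -> bytes accepted; abort if the peer's window stays closed."""
    start, sent = clock(), 0
    while sent < len(data):
        _check_progress(start, clock(), sent, SEND_DEADLINE_S, "response")
        sent += send(data[sent:])
    return sent


class SimPeer:
    """Constructed peer: inbound deliveries are (delay seconds, bytes) pairs; outbound
    writes are accepted `window` bytes at a time after `out_delay_s` each."""

    def __init__(self, deliveries, window=65536, out_delay_s=0.01):
        self.deliveries, self.window, self.out_delay_s, self.now = list(deliveries), window, out_delay_s, 0.0

    def clock(self) -> float:
        return self.now

    def recv(self) -> bytes:
        if not self.deliveries:
            return b""
        delay, piece = self.deliveries.pop(0)
        self.now += delay
        return piece

    def send(self, buf: bytes) -> int:
        self.now += self.out_delay_s
        return min(self.window, len(buf))


# Constructed request shared by the scenarios below.
HEAD = b"POST /upload HTTP/1.1\r\nHost: www.example\r\nContent-Length: 5\r\n\r\n"
BODY = b"hello"
FAST = [(0.01, HEAD + BODY)]                                     # normal client
SLOW_HEAD = [(5.0, bytes([b])) for b in HEAD]                    # one header byte every 5 s
SLOW_BODY = [(0.01, HEAD)] + [(5.0, bytes([b])) for b in BODY]   # header at once, body dripped


def outcome(deliveries, window=65536, out_delay_s=0.01) -> str:
    """Serve one simulated connection; 'ok' or 'dropped'. window=1 with a long
    out_delay_s models a slow-read client that accepts one byte per timeout."""
    peer = SimPeer(deliveries, window, out_delay_s)
    try:
        read_request(peer.recv, peer.clock)
        send_response(peer.send, b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok" * 64, peer.clock)
        return "ok"
    except SlowClientError:
        return "dropped"


if __name__ == "__main__":
    print("fast:", outcome(FAST), "| slow header:", outcome(SLOW_HEAD),
          "| slow body:", outcome(SLOW_BODY), "| slow read:", outcome(FAST, window=1, out_delay_s=5.0))
```

The grace period plus minimum average rate is what distinguishes a legitimately slow link from a dripping peer: a mobile client on a poor connection still delivers hundreds of bytes per second, whereas the attack pattern delivers one byte every few seconds. Production servers expose the same knobs as configuration (per-phase timeouts and minimum data rates); this loop only makes the logic explicit.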

The following describes how to protect against low-and-slow attacks:

Traditional cleaning devices provide threshold-based protection against CC attacks. The protection process is as follows: if the number of requests from a client exceeds the specified threshold during a given period, the cleaning device returns a verification code or a piece of JavaScript. A legitimate user types the displayed code to continue, whereas the DDoS tools that attackers run on zombies to simulate large numbers of HTTP requests cannot parse the returned data, let alone execute the JavaScript. So when the cleaning device intercepts the HTTP request and returns JavaScript, the attack fails because the tool has no JavaScript engine.

Sometimes even a verification code or JavaScript returned by the cleaning device cannot defeat a low-and-slow attack. Based on the characteristics of this type of attack, the following measures can also be used against it:

  1. Count the packets. Too many or too few HTTP requests on a single TCP connection in a given period is abnormal: the former is probably a CC attack, while the latter is probably a low-and-slow attack.
  2. Specify the maximum time allowed to receive an HTTP header. If the entire HTTP header has not been received when the time limit expires, a low-and-slow attack is likely in progress.

The protection workflow for low-and-slow attacks is shown below.
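The two mechanisms just described, the per-client request threshold that triggers a challenge and the per-connection packet-count and header-time checks, can be run over connection records that a proxy or cleaning device already exports. The following added example (written for this article, not NSFOCUS device logic) parses a few constructed records, flags each connection as normal, CC-suspect or low-and-slow-suspect, and lists the clients that exceed the request threshold and should receive the verification-code or JavaScript challenge. Field names, thresholds and the sample records are all assumptions made for the example.

```python
"""Connection-level low-and-slow / CC heuristics over exported records (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Hypothetical thresholds for one observation window.
CHALLENGE_AFTER = 100       # requests per client per window before a challenge is returned
MAX_REQS_PER_CONN = 50      # more requests than this on one TCP connection: CC suspect
LONG_CONN_S = 30.0          # a connection this old with no complete request: low-and-slow suspect
HEAD_LIMIT_S = 10.0         # maximum seconds allowed to receive one full request head


@dataclass
class ConnRecord:
    conn_id: int
    client: str
    age_s: float        # seconds the TCP connection has been open in the window
    requests: int       # complete HTTP requests seen on it in the window
    head_secs: float    # seconds taken to receive the first full head, or the age so far if incomplete


def parse_records(text: str) -> List[ConnRecord]:
    """Parse 'key=value' lines of the constructed export format used here."""
    records = []
    for line in text.strip().splitlines():
        kv = dict(field.split("=", 1) for field in line.split())
        records.append(ConnRecord(int(kv["conn"]), kv["client"], float(kv["age"]),
                                  int(kv["requests"]), float(kv["head_secs"])))
    return records


def classify_connection(r: ConnRecord) -> str:
    """Apply the two checks from the text to one connection."""
    if r.requests > MAX_REQS_PER_CONN:
        return "cc"                       # far too many requests on a single socket
    if r.age_s >= LONG_CONN_S and r.requests == 0:
        return "low-and-slow"             # too few requests: socket held open, nothing completed
    if r.head_secs > HEAD_LIMIT_S:
        return "low-and-slow"             # header still incomplete after the time limit
    return "normal"                       # includes young connections not yet decided


def clients_to_challenge(records: List[ConnRecord]) -> List[str]:
    """Clients whose request count in the window exceeds the challenge threshold."""
    per_client: Dict[str, int] = defaultdict(int)
    for r in records:
        per_client[r.client] += r.requests
    return sorted(c for c, n in per_client.items() if n > CHALLENGE_AFTER)


def summarize(records: List[ConnRecord]) -> Dict[str, int]:
    """Count connections per verdict."""
    counts: Dict[str, int] = defaultdict(int)
    for r in records:
        counts[classify_connection(r)] += 1
    return dict(counts)


# Constructed records: two browsers, three dripping sockets and one flooding socket.
SAMPLE_EXPORT = """
conn=1 client=198.51.100.7 age=2.0 requests=1 head_secs=0.05
conn=2 client=198.51.100.7 age=55.0 requests=3 head_secs=0.03
conn=3 client=203.0.113.5 age=45.0 requests=0 head_secs=45.0
conn=4 client=203.0.113.5 age=12.0 requests=0 head_secs=12.0
conn=5 client=203.0.113.5 age=4.0 requests=0 head_secs=4.0
conn=6 client=192.0.2.9 age=20.0 requests=120 head_secs=0.01
conn=7 client=203.0.113.5 age=40.0 requests=0 head_secs=0.02
"""

if __name__ == "__main__":
    recs = parse_records(SAMPLE_EXPORT)
    for r in recs:
        print(r.conn_id, r.client, classify_connection(r))
    print("summary:", summarize(recs))
    print("challenge:", clients_to_challenge(recs))
```

Connection 7 shows why the packet-count rule is needed alongside the header time limit: its header arrived immediately (a slow-body attack), so only the "no complete request on a long-lived connection" check catches it. Connection 5 is too young to judge and stays normal, and connection 2 is an ordinary keep-alive session, which is why the low-and-slow rule requires zero completed requests rather than merely few.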

Low-and-Slow Attack Protection Workflow

Zujun Xu

Zujun Xu, Senior Security Consultant at NSFOCUS, is responsible for providing security solutions for NSFOCUS global business. With 15 years' experience in the IT industry and more than 10 years in the IT security sector, he is dedicated to researching, managing and developing products including NSFOCUS ADS, NTA and ADSM. His expertise in providing solutions for customers facing a wide range of network attacks gives him good insight into DDoS mitigation solutions, their current challenges and future development. He is also a fan of running, hiking and travelling.



NSFOCUS DDoS Threat Report Reveals IoT-Connected Devices Contributing to the Rise in SSDP-based Reflection Attacks

NSFOCUS released its bi-annual DDoS Threat Report today, revealing new attack findings and rising threats that organizations should be aware of throughout 2015. As the tide of distributed denial-of-service (DDoS) attacks continues to expand, the rise of the Internet of Things (IoT) and the influx of network-connected devices, such as webcams and routers, are driving the growth of Simple Service Discovery Protocol (SSDP)-based amplification attacks. The full report is available for download from NSFOCUS.

KEY FINDINGS:
Results of statistical analysis and key observations are based on data from actual incidents of DDoS attacks that occurred during the second half of 2014. This data was collected from a mix of global enterprises, Internet service providers, regional telecom operators and Internet hosting companies.

  • The rise of IoT-connected devices is responsible for an increase in SSDP reflection attacks: With the proliferation of the Internet of Things, every network-connected device with a public IP address and a vulnerable operating system adds to the pool of devices that could be used to launch SSDP-based reflection attacks. This type of DDoS attack was the second most dominant threat, after NTP-based attacks, in 2H2014. More than 30 percent of the compromised SSDP attack devices were network-connected devices such as home routers and webcams. Findings also revealed that globally, more than 7 million SSDP-controlled devices could potentially be exploited.
  • Attackers are becoming smarter: While 90 percent of DDoS attacks lasted less than 30 minutes, one attack lasted 70 hours. This shorter attack strategy is being employed to improve efficiency as well as distract the attention of IT personnel away from the actual intent of an attack: deploy malware and steal data. These techniques indicate that today’s attacker continues to become smarter and more sophisticated.
  • Online retailers, media and gaming remain top targets: As retailers, entertainment and gaming companies increasingly employ online environments, consumers demand the highest level of quality of service. By slowing down or flooding these servers, attackers look to take advantage of online businesses through a variety of means, including blackmail, unfair business competition or asset theft.