Over the last year, the media has been paying unusual attention to online security, in part as a result of a series of ever larger denial of service attacks. With the usual media hyperbole, they’ve been described as threatening the Internet itself, which isn’t true, but it is true that we’ve seen attacks of unprecedented size.
These were distributed denial of service (DDoS) attacks, which use botnets of hundreds or thousands of compromised machines to send a deluge of traffic that most web services cannot hope to absorb. This sort of attack relies either on the sheer number of machines under the attacker's control or, more often, on amplification: the attacker sends small requests, with the victim's address forged as the source, to services that answer with much larger responses, so a modest amount of attacker bandwidth is multiplied many times over. Most amplification attacks leverage open recursive DNS resolvers or misconfigured NTP servers.
There is, however, another sort of attack that ties up resources on a web server until it can no longer serve new requests. Unlike the large attacks of recent months, this one, Slowloris, needs neither a botnet nor much bandwidth. Against an average-sized site a successful Slowloris attack can be carried out from a single machine.
Slowloris exploits a weakness in the way many web servers handle connections. Process-based (or thread-per-connection) servers, Apache in its traditional prefork configuration among them, dedicate a worker process to each open connection, and every worker consumes a share of the server's memory. Event-driven servers such as Nginx and LiteSpeed handle many connections within a single process and are far less affected. If too many workers are spawned the server becomes unresponsive as it runs out of RAM to allocate to them.
To avoid that situation, such servers cap the number of workers (MaxClients in Apache 2.2, MaxRequestWorkers in 2.4), and therefore the number of connections they will handle at any one time. It is this cap that Slowloris exploits. Normally a browser opens a connection, a worker is assigned to it, the worker reads the request and sends the response, and when the connection closes the worker is returned to the pool and its resources are freed.
Slowloris works by never allowing the request to complete, so the worker stays assigned and is never freed. An HTTP request's headers end at a blank line; Slowloris sends a request line and a few headers but never that blank line, and then every few seconds sends one more bogus header line. Each of those lines resets the server's idle timeout, so the worker keeps waiting for a request that will never finish.
The attacker keeps opening new connections and holding them in that half-finished state. Once they number as many as the server's worker limit, the server stops accepting new connections and legitimate users are shut out. The attacker has prevented the web server from doing its job while sending only a few bytes per connection every few seconds.
Slowloris is awkward to defend against: there must be a limit on open connections, and a single slow connection looks much like a client on a poor link, so genuine requests are hard to tell apart from deliberately crafted ones. The most direct defence is to stop waiting indefinitely for headers: Apache's mod_reqtimeout (bundled with Apache since 2.2.15) drops connections that do not deliver their headers within a bounded time or at a minimum byte rate, and lowering the Timeout directive narrows the window further. There are also mitigation tools that limit the effectiveness of Slowloris attacks, including the Apache modules mod_evasive and mod_security, which are in use on our managed servers.
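As an added example, not code from the original post, the following Python simulation models both the attack described above and the header-read-timeout defence. It builds the partial request Slowloris sends and the keepalive header lines that follow, implements the server-side check for a complete header block, and applies a header read deadline in the style of Apache's mod_reqtimeout (an initial timeout, extended by one second per N bytes received, capped at a maximum). The host name victim.example, the worker count of 150, the 300-second idle timeout and the keepalive intervals are constructed for the illustration; the deadline logic follows mod_reqtimeout's documented semantics but is a model, not the module's own code.

```python
"""Slowloris mechanics and the header-read-timeout defence, simulated offline.

Added example; not code from the original post. Host names, worker counts and
timings are constructed for illustration. The deadline logic models Apache's
documented RequestReadTimeout header=initial-maximum,MinRate=bytes behaviour;
it is not mod_reqtimeout's code.
"""

CRLF = b"\r\n"


def slowloris_initial_request(host: str) -> bytes:
    """The opening fragment Slowloris sends: a valid request line and a couple
    of headers, but NOT the blank line that would end the header block."""
    return (b"GET / HTTP/1.1" + CRLF
            + b"Host: " + host.encode("ascii") + CRLF
            + b"User-Agent: Mozilla/5.0" + CRLF)


def slowloris_keepalive_header(n: int) -> bytes:
    """One more meaningless header line, sent every few seconds so the
    server's idle timeout is reset while the request still never completes."""
    return b"X-a: " + str(n).encode("ascii") + CRLF


def complete_request(host: str) -> bytes:
    """What a well-behaved client sends: the same headers plus the blank line."""
    return slowloris_initial_request(host) + CRLF


def headers_complete(buf: bytes) -> bool:
    """An HTTP/1.x header block ends at the first empty line (CRLF CRLF)."""
    return CRLF + CRLF in buf


class Connection:
    """Server-side view of one connection occupying one worker slot.

    header_timeout is None (wait for headers forever, subject only to the idle
    timeout) or a tuple (initial, maximum, min_rate): the deadline starts
    `initial` seconds after the connection opened, is extended by one second
    per `min_rate` bytes received, and never exceeds `maximum` seconds.
    """

    def __init__(self, opened_at: float, header_timeout=None):
        self.buf = b""
        self.opened_at = opened_at
        self.last_activity = opened_at
        self.header_timeout = header_timeout
        self.header_deadline = None
        if header_timeout is not None:
            self.header_deadline = opened_at + header_timeout[0]

    def receive(self, now: float, data: bytes) -> None:
        self.buf += data
        self.last_activity = now          # this is all an idle timeout ever sees
        if self.header_timeout is not None and not headers_complete(self.buf):
            _, maximum, min_rate = self.header_timeout
            self.header_deadline = min(self.header_deadline + len(data) / min_rate,
                                       self.opened_at + maximum)

    def should_close(self, now: float, idle_timeout: float) -> bool:
        if headers_complete(self.buf):
            return False                  # real request: worker goes on to serve it
        if now - self.last_activity > idle_timeout:
            return True                   # plain idle timeout (Apache's Timeout)
        return self.header_deadline is not None and now > self.header_deadline


def simulate(max_workers: int, attacker_conns: int, duration: int,
             keepalive_every: int, idle_timeout: float, header_timeout=None) -> dict:
    """Tie up a server with `max_workers` slots using Slowloris connections that
    send a keepalive header every `keepalive_every` seconds; tick once a second
    for `duration` seconds and report how many slots are still held."""
    conns = []
    for _ in range(min(attacker_conns, max_workers)):   # surplus conns just queue
        c = Connection(0.0, header_timeout)
        c.receive(0.0, slowloris_initial_request("victim.example"))
        conns.append(c)
    freed = 0
    for t in range(1, duration + 1):
        survivors = []
        for c in conns:
            if c.should_close(float(t), idle_timeout):
                freed += 1
                continue
            if t % keepalive_every == 0:
                c.receive(float(t), slowloris_keepalive_header(t))
            survivors.append(c)
        conns = survivors
    return {"held": len(conns), "freed": freed,
            "free_workers": max_workers - len(conns)}


if __name__ == "__main__":
    # Prefork-style server: 150 workers, idle Timeout 300 s, no header deadline.
    print("no header timeout:", simulate(150, 200, 600, 10, 300.0))
    # Same server with RequestReadTimeout header=20-40,MinRate=500 modelled.
    print("header deadline:  ", simulate(150, 200, 600, 10, 300.0, (20, 40, 500)))
    # Attacker too slow: a keepalive only every 70 s against a 60 s idle timeout.
    print("short Timeout:    ", simulate(150, 200, 600, 70, 60.0))
```

Run as a script, the first line shows every worker still held after ten minutes, because a keepalive every ten seconds never lets the 300-second idle timeout fire; the second shows all 150 slots freed at the 20-second header deadline, since nine-byte keepalive lines extend it by only a few hundredths of a second; the third shows that simply shortening Timeout works only when the attacker's keepalive interval is longer than it.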