Slowloris is a type of

denial of service In computing, a denial-of-service attack (DoS attack) is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connect ...

attack tool which allows a single machine to take down another machine's web server with minimal bandwidth and side effects on unrelated services and ports. Slowloris tries to keep many connections to the target web server open and hold them open as long as possible. It accomplishes this by opening connections to the target web server and sending a partial request. Periodically, it will send subsequent

HTTP The Hypertext Transfer Protocol (HTTP) is an application layer protocol in the Internet protocol suite model for distributed, collaborative, hypermedia information systems. HTTP is the foundation of data communication for the World Wide Web, ...

headers, adding to, but never completing, the request. Affected servers will keep these connections open, filling their maximum concurrent connection pool, eventually denying additional connection attempts from clients. The program was named after

slow loris Slow lorises are a group of several species of nocturnal strepsirrhine primates that make up the genus ''Nycticebus''. Found in Southeast Asia and bordering areas, they range from Bangladesh and Northeast India in the west to the Sulu Archipe ...

es, a group of primates which are known for their slow movement.

Affected web servers

This includes but is not necessarily limited to the following, per the attack's author: *

Apache The Apache () are a group of culturally related Native American tribes in the Southwestern United States, which include the Chiricahua, Jicarilla, Lipan, Mescalero, Mimbreño, Ndendahe (Bedonkohe or Mogollon and Nednhi or Carrizaleño an ...

1.x and 2.x * dhttpd *

Websense Forcepoint, an United States, American multinational corporation software company headquartered in Austin, Texas, that develops computer security software and Information privacy, data protection, cloud access security broker, Firewall (computing) ...

"block pages" (unconfirmed) * Trapeze Wireless Web Portal (unconfirmed) * Verizon's MI424-WR FIOS Cable modem (unconfirmed) * Verizon's

Motorola Motorola, Inc. () was an American Multinational corporation, multinational telecommunications company based in Schaumburg, Illinois, United States. After having lost $4.3 billion from 2007 to 2009, the company split into two independent p ...

Set-top box (port 8082 and requires auth - unconfirmed) * BeeWare WAF (unconfirmed) * Deny All WAF (patched) *

Flask Flask may refer to: Container * Hip flask, a small container used to carry a small amount of liquid * Laboratory flask, laboratory glassware for holding larger volumes than simple test tubes ** Erlenmeyer flask, a common laboratory flask with a ...

(development server) Because Slowloris exploits problems handling thousands of connections, the attack has less of an effect on servers that handle large numbers of connections well. Proxying servers and caching accelerators such as

Varnish Varnish is a clear transparent hard protective coating or film. It is not a stain. It usually has a yellowish shade from the manufacturing process and materials used, but it may also be pigmented as desired, and is sold commercially in various ...

nginx Nginx (pronounced "engine x" ) is a web server that can also be used as a reverse proxy, load balancer, mail proxy and HTTP cache. The software was created by Igor Sysoev and publicly released in 2004. Nginx is free and open-source software ...

, and

Squid True squid are molluscs with an elongated soft body, large eyes, eight arms, and two tentacles in the superorder Decapodiformes, though many other molluscs within the broader Neocoleoidea are also called squid despite not strictly fitting t ...

have been recommended to mitigate this particular kind of attack. In addition, certain servers are more resilient to the attack by way of their design, including Hiawatha, IIS,

lighttpd lighttpd (pronounced "lighty") is an open-source web server optimized for speed-critical environments while remaining standards-compliant, secure and flexible. It was originally written by Jan Kneschke as a proof-of-concept of the c10k problem � ...

Cherokee The Cherokee (; chr, ᎠᏂᏴᏫᏯᎢ, translit=Aniyvwiyaʔi or Anigiduwagi, or chr, ᏣᎳᎩ, links=no, translit=Tsalagi) are one of the indigenous peoples of the Southeastern Woodlands of the United States. Prior to the 18th century, t ...

, and Cisco CSS.

Mitigating the Slowloris attack

While there are no reliable configurations of the affected web servers that will prevent the Slowloris attack, there are ways to mitigate or reduce the impact of such an attack. In general, these involve increasing the maximum number of clients the server will allow, limiting the number of connections a single

IP address An Internet Protocol address (IP address) is a numerical label such as that is connected to a computer network that uses the Internet Protocol for communication.. Updated by . An IP address serves two main functions: network interface ident ...

is allowed to make, imposing restrictions on the minimum transfer speed a connection is allowed to have, and restricting the length of time a client is allowed to stay connected. In the Apache web server, a number of modules can be used to limit the damage caused by the Slowloris attack; the Apache modules mod_limitipconn, mod_qos, mod_evasive,

mod security ModSecurity, sometimes called Modsec, is an open-source web application firewall (WAF). Originally designed as a module for the Apache HTTP Server, it has evolved to provide an array of Hypertext Transfer Protocol request and response filterin ...

, mod_noloris, and mod_antiloris have all been suggested as means of reducing the likelihood of a successful Slowloris attack. Since Apache 2.2.15, Apache ships the module mod_reqtimeout as the official solution supported by the developers. Other mitigating techniques involve setting up reverse proxies, firewalls, load balancers or

content switch A multilayer switch (MLS) is a computer networking device that switches on Data link layer, OSI layer 2 like an ordinary network switch and provides extra functions on higher OSI model, OSI layers. The MLS was invented by engineers at Digital Eq ...

es. Administrators could also change the affected web server to software that is unaffected by this form of attack. For example,

and

do not succumb to this specific attack.

Notable usage

During the protests that erupted in the wake of the

2009 Iranian presidential election Presidential elections were held in Iran on 12 June 2009, with incumbent Mahmoud Ahmadinejad running against three challengers. The next morning the Islamic Republic News Agency, Iran's news agency, announced that with two-thirds of the votes co ...

, Slowloris arose as a prominent tool used to leverage

DoS DOS is shorthand for the MS-DOS and IBM PC DOS family of operating systems. DOS may also refer to: Computing * Data over signalling (DoS), multiplexing data onto a signalling channel * Denial-of-service attack (DoS), an attack on a communicatio ...

attacks against sites run by the Iranian government. The belief was that flooding

DDoS In computing, a denial-of-service attack (DoS attack) is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host A ...

attacks would affect internet access for the government and protesters equally, due to the significant

bandwidth Bandwidth commonly refers to: * Bandwidth (signal processing) or ''analog bandwidth'', ''frequency bandwidth'', or ''radio bandwidth'', a measure of the width of a frequency range * Bandwidth (computing), the rate of data transfer, bit rate or thr ...

they can consume. The Slowloris attack was chosen instead, because of its high impact and relatively low bandwidth. A number of government-run sites were targeted during these attacks, including gerdab.ir, leader.ir, and president.ir. A variant of this attack was used by

spam Spam may refer to: * Spam (food), a canned pork meat product * Spamming, unsolicited or undesired electronic messages ** Email spam, unsolicited, undesired, or illegal email messages ** Messaging spam, spam targeting users of instant messaging ( ...

network

River City Media A river is a natural flowing watercourse, usually freshwater, flowing towards an ocean, sea, lake or another river. In some cases, a river flows into the ground and becomes dry at the end of its course without reaching another body of wate ...

to force

Gmail Gmail is a free email service provided by Google. As of 2019, it had 1.5 billion active users worldwide. A user typically accesses Gmail in a web browser or the official mobile app. Google also supports the use of email clients via the POP an ...

servers to send thousands of messages in bulk, by opening thousands of connections to the Gmail

API An application programming interface (API) is a way for two or more computer programs to communicate with each other. It is a type of software Interface (computing), interface, offering a service to other pieces of software. A document or standa ...

with message sending requests, then completing them all at once. The program was also used on October 21st, 2022 by an unknown web user referred to by the handle “Neon Demon”, shutting down website servers of well known Russian company

Gazprom PJSC Gazprom ( rus, Газпром, , ɡɐzˈprom) is a Russian majority state-owned multinational energy corporation headquartered in the Lakhta Center in Saint Petersburg. As of 2019, with sales over $120 billion, it was ranked as the larges ...

’s websites Gazprom.com and Gazprom.ru, starting at around 4:30 PM CST. Servers were offline for at least a month.

Similar software

Since its release, a number of programs have appeared that mimic the function of Slowloris while providing additional functionality, or running in different environments: * PyLoris – A protocol-agnostic Python implementation supporting

Tor Tor, TOR or ToR may refer to: Places * Tor, Pallars, a village in Spain * Tor, former name of Sloviansk, Ukraine, a city * Mount Tor, Tasmania, Australia, an extinct volcano * Tor Bay, Devon, England * Tor River, Western New Guinea, Indonesia Sc ...

and SOCKS proxies. * Slowloris – A Python 3 implementation of Slowloris with SOCKS proxy support. * Goloris – Slowloris for nginx, written in Go. * slowloris - Distributed Golang implementation * QSlowloris – An executable form of Slowloris designed to run on Windows, featuring a Qt front end. * An unnamed PHP version which can be run from a HTTP server. * SlowHTTPTest – A highly configurable slow attacks simulator, written in C++. * SlowlorisChecker – A Slowloris and Slow POST POC (Proof of concept). Written in Ruby. * Cyphon - Slowloris for Mac OS X, written in Objective-C. * sloww - Slowloris implementation written in Node.js. * dotloris - Slowloris written in .NET Core *

SlowDroid SlowDroid is the firstAlturki, A. A. U. M. A., Vivek, T. B. K. M. K., & Talcott, N. A. S. C. (2019). Resource-Bounded Intruders in Denial of Service Attacks. denial of service attack which allows a single mobile device to take down a network ser ...

- An enhanced version of Slowloris written in Java, reducing at minimum the attack bandwidth

References

{{Reflist

External links

Slowloris HTTP DoS

hackaday on Slowloris

Apache attacked by a "slow loris"
article on

LWN.net LWN.net is a computing webzine with an emphasis on free software and software for Linux and other Unix-like operating systems. It consists of a weekly issue, separate stories which are published most days, and threaded discussion attached to ...