Slowloris is a type of
denial of service attack tool which allows a single machine to take down another machine's web server with minimal bandwidth and side effects on unrelated services and ports.
Slowloris tries to keep many connections to the target web server open and hold them open as long as possible. It accomplishes this by opening connections to the target web server and sending a partial request. Periodically, it will send subsequent
HTTP headers, adding to, but never completing, the request. Affected servers will keep these connections open, filling their maximum concurrent connection pool, eventually denying additional connection attempts from clients.
The program was named after
slow lorises, a group of primates which are known for their slow movement.
Affected web servers
This includes but is not necessarily limited to the following, per the attack's author:
*
Apache
The Apache () are a group of culturally related Native American tribes in the Southwestern United States, which include the Chiricahua, Jicarilla, Lipan, Mescalero, Mimbreño, Ndendahe (Bedonkohe or Mogollon and Nednhi or Carrizaleño an ...
1.x and 2.x
* dhttpd
*
Websense "block pages" (unconfirmed)
* Trapeze Wireless Web Portal (unconfirmed)
*
Verizon's MI424-WR FIOS Cable modem (unconfirmed)
* Verizon's
Motorola Set-top box (port 8082 and requires auth - unconfirmed)
* BeeWare WAF (unconfirmed)
* Deny All WAF (patched)
*
Flask (development server)
Because Slowloris exploits
problems handling thousands of connections, the attack has less of an effect on servers that handle large numbers of connections well. Proxying servers and caching accelerators such as
Varnish
Varnish is a clear transparent hard protective coating or film. It is not a stain. It usually has a yellowish shade from the manufacturing process and materials used, but it may also be pigmented as desired, and is sold commercially in various ...
,
nginx, and
Squid
True squid are molluscs with an elongated soft body, large eyes, eight arms, and two tentacles in the superorder Decapodiformes, though many other molluscs within the broader Neocoleoidea are also called squid despite not strictly fitting t ...
have been recommended to mitigate this particular kind of attack. In addition, certain servers are more resilient to the attack by way of their design, including Hiawatha,
IIS,
lighttpd,
Cherokee, and
Cisco CSS.
Mitigating the Slowloris attack
While there are no reliable configurations of the affected web servers that will prevent the Slowloris attack, there are ways to mitigate or reduce the impact of such an attack. In general, these involve increasing the maximum number of clients the server will allow, limiting the number of connections a single
IP address is allowed to make, imposing restrictions on the minimum transfer speed a connection is allowed to have, and restricting the length of time a client is allowed to stay connected.
In the Apache web server, a number of modules can be used to limit the damage caused by the Slowloris attack; the Apache modules mod_limitipconn,
mod_qos
mod_qos is a quality of service (QoS) module for the Apache HTTP server implementing control mechanisms that can provide different priority to different requests.
Description
A web server can only serve a limited number of concurrent requests. Q ...
, mod_evasive,
mod security
ModSecurity, sometimes called Modsec, is an open-source web application firewall (WAF). Originally designed as a module for the Apache HTTP Server, it has evolved to provide an array of Hypertext Transfer Protocol request and response filtering ...
, mod_noloris, and mod_antiloris have all been suggested as means of reducing the likelihood of a successful Slowloris attack.
Since Apache 2.2.15, Apache ships the module mod_reqtimeout as the official solution supported by the developers.
Other mitigating techniques involve setting up
reverse proxies
In computer networks, a reverse proxy is the application that sits in front of back-end applications and forwards client (e.g. browser) requests to those applications. Reverse proxies help increase scalability, performance, resilience and securi ...
,
firewalls,
load balancers or
content switch
A multilayer switch (MLS) is a computer networking device that switches on Data link layer, OSI layer 2 like an ordinary network switch and provides extra functions on higher OSI model, OSI layers. The MLS was invented by engineers at Digital Eq ...
es. Administrators could also change the affected web server to software that is unaffected by this form of attack. For example,
lighttpd and
nginx do not succumb to this specific attack.
Notable usage
During the protests that erupted in the wake of the
2009 Iranian presidential election
Presidential elections were held in Iran on 12 June 2009, with incumbent Mahmoud Ahmadinejad running against three challengers. The next morning the Islamic Republic News Agency, Iran's news agency, announced that with two-thirds of the votes co ...
, Slowloris arose as a prominent tool used to leverage
DoS attacks against sites run by the Iranian government. The belief was that flooding
DDoS
In computing, a denial-of-service attack (DoS attack) is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host
A ...
attacks would affect internet access for the government and protesters equally, due to the significant
bandwidth they can consume. The Slowloris attack was chosen instead, because of its high impact and relatively low bandwidth. A number of government-run sites were targeted during these attacks, including gerdab.ir, leader.ir, and president.ir.
A variant of this attack was used by
spam
Spam may refer to:
* Spam (food), a canned pork meat product
* Spamming, unsolicited or undesired electronic messages
** Email spam, unsolicited, undesired, or illegal email messages
** Messaging spam, spam targeting users of instant messaging ( ...
network
River City Media to force
Gmail servers to send thousands of messages in bulk, by opening thousands of connections to the Gmail
API with message sending requests, then completing them all at once.
The program was also used on October 21st, 2022 by an unknown web user referred to by the handle “Neon Demon”, shutting down website servers of well known Russian company
Gazprom
PJSC Gazprom ( rus, Газпром, , ɡɐzˈprom) is a Russian majority state-owned multinational energy corporation headquartered in the Lakhta Center in Saint Petersburg. As of 2019, with sales over $120 billion, it was ranked as the larges ...
’s websites Gazprom.com and Gazprom.ru, starting at around 4:30 PM CST. Servers were offline for at least a month.
Similar software
Since its release, a number of programs have appeared that mimic the function of Slowloris while providing additional functionality, or running in different environments:
* PyLoris – A protocol-agnostic Python implementation supporting
Tor
Tor, TOR or ToR may refer to:
Places
* Tor, Pallars, a village in Spain
* Tor, former name of Sloviansk, Ukraine, a city
* Mount Tor, Tasmania, Australia, an extinct volcano
* Tor Bay, Devon, England
* Tor River, Western New Guinea, Indonesia
Sc ...
and SOCKS proxies.
* Slowloris – A Python 3 implementation of Slowloris with SOCKS proxy support.
* Goloris – Slowloris for nginx, written in Go.
* slowloris - Distributed Golang implementation
* QSlowloris – An executable form of Slowloris designed to run on Windows, featuring a
Qt front end.
* An unnamed PHP version which can be run from a HTTP server.
* SlowHTTPTest – A highly configurable slow attacks simulator, written in C++.
* SlowlorisChecker – A Slowloris and Slow POST POC (Proof of concept). Written in Ruby.
* Cyphon - Slowloris for Mac OS X, written in Objective-C.
* sloww - Slowloris implementation written in Node.js.
* dotloris - Slowloris written in .NET Core
*
SlowDroid
SlowDroid is the firstAlturki, A. A. U. M. A., Vivek, T. B. K. M. K., & Talcott, N. A. S. C. (2019). Resource-Bounded Intruders in Denial of Service Attacks. denial of service attack which allows a single mobile device to take down a network ser ...
- An enhanced version of Slowloris written in Java, reducing at minimum the attack bandwidth
See also
*
SlowDroid
SlowDroid is the firstAlturki, A. A. U. M. A., Vivek, T. B. K. M. K., & Talcott, N. A. S. C. (2019). Resource-Bounded Intruders in Denial of Service Attacks. denial of service attack which allows a single mobile device to take down a network ser ...
*
Trinoo
The trinoo or trin00 is a set of computer programs to conduct a DDoS attack. It is believed that trinoo networks have been set up on thousands of systems on the Internet that have been compromised by remote buffer overrun exploits.
The first sus ...
*
Stacheldraht
Stacheldraht (German language, German for "barbed wire") is malware which performs a distributed denial-of-service (DDoS) attack. It was written by "Thomas Stacheldraht", a member of the Austrian hacker group TESO_(Austrian_hacker_group), TESO. It ...
*
Denial of service
*
LAND
*
Low Orbit Ion Cannon
Low Orbit Ion Cannon (LOIC) is an open-source network stress testing and denial-of-service attack application written in C#. LOIC was initially developed by Praetox Technologies, however it was later released into the public domain and is cur ...
*
High Orbit Ion Cannon
*
ReDoS A regular expression denial of service (ReDoS)
is an algorithmic complexity attack that produces a denial-of-service by providing a regular expression and/or an input that takes a long time to evaluate. The attack exploits the fact that many reg ...
*
R-U-Dead-Yet
References
{{Reflist
External links
Slowloris HTTP DoShackaday on SlowlorisApache attacked by a "slow loris"article on
LWN.net
Slowloris – a short video (including a demo)Home page of SlowHTTPTestAn Attempt at Simulating SlowLoris on LOICBlog post explaining the inner workings of Slowloris
Denial-of-service attacks