Slowloris is a type of denial of service attack tool which allows a single machine to take down another machine's web server with minimal bandwidth and side effects on unrelated services and ports. Slowloris tries to keep many connections to the target web server open and hold them open as long as possible. It accomplishes this by opening connections to the target web server and sending a partial request. Periodically, it will send subsequent HTTP headers, adding to, but never completing, the request. Affected servers will keep these connections open, filling their maximum concurrent connection pool, eventually denying additional connection attempts from clients. The program was named after slow lorises, a group of primates which are known for their slow movement.

Affected web servers

This includes but is not necessarily limited to the following, per the attack's author: *

Apache The Apache () are a group of culturally related Native American tribes in the Southwestern United States, which include the Chiricahua, Jicarilla, Lipan, Mescalero, Mimbreño, Ndendahe (Bedonkohe or Mogollon and Nednhi or Carrizaleño an ...

1.x and 2.x * dhttpd * Websense "block pages" (unconfirmed) * Trapeze Wireless Web Portal (unconfirmed) * Verizon's MI424-WR FIOS Cable modem (unconfirmed) * Verizon's Motorola Set-top box (port 8082 and requires auth - unconfirmed) * BeeWare WAF (unconfirmed) * Deny All WAF (patched) * Flask (development server) Because Slowloris exploits problems handling thousands of connections, the attack has less of an effect on servers that handle large numbers of connections well. Proxying servers and caching accelerators such as

Varnish Varnish is a clear transparent hard protective coating or film. It is not a stain. It usually has a yellowish shade from the manufacturing process and materials used, but it may also be pigmented as desired, and is sold commercially in various ...

, nginx, and

Squid True squid are molluscs with an elongated soft body, large eyes, eight arms, and two tentacles in the superorder Decapodiformes, though many other molluscs within the broader Neocoleoidea are also called squid despite not strictly fitting t ...

have been recommended to mitigate this particular kind of attack. In addition, certain servers are more resilient to the attack by way of their design, including Hiawatha, IIS, lighttpd, Cherokee, and Cisco CSS.

Mitigating the Slowloris attack

While there are no reliable configurations of the affected web servers that will prevent the Slowloris attack, there are ways to mitigate or reduce the impact of such an attack. In general, these involve increasing the maximum number of clients the server will allow, limiting the number of connections a single IP address is allowed to make, imposing restrictions on the minimum transfer speed a connection is allowed to have, and restricting the length of time a client is allowed to stay connected. In the Apache web server, a number of modules can be used to limit the damage caused by the Slowloris attack; the Apache modules mod_limitipconn,

mod_qos mod_qos is a quality of service (QoS) module for the Apache HTTP server implementing control mechanisms that can provide different priority to different requests. Description A web server can only serve a limited number of concurrent requests. Q ...

, mod_evasive,

mod security ModSecurity, sometimes called Modsec, is an open-source web application firewall (WAF). Originally designed as a module for the Apache HTTP Server, it has evolved to provide an array of Hypertext Transfer Protocol request and response filtering ...

, mod_noloris, and mod_antiloris have all been suggested as means of reducing the likelihood of a successful Slowloris attack. Since Apache 2.2.15, Apache ships the module mod_reqtimeout as the official solution supported by the developers. Other mitigating techniques involve setting up

reverse proxies In computer networks, a reverse proxy is the application that sits in front of back-end applications and forwards client (e.g. browser) requests to those applications. Reverse proxies help increase scalability, performance, resilience and securi ...

, firewalls, load balancers or

content switch A multilayer switch (MLS) is a computer networking device that switches on Data link layer, OSI layer 2 like an ordinary network switch and provides extra functions on higher OSI model, OSI layers. The MLS was invented by engineers at Digital Eq ...

es. Administrators could also change the affected web server to software that is unaffected by this form of attack. For example, lighttpd and nginx do not succumb to this specific attack.

Notable usage

During the protests that erupted in the wake of the

2009 Iranian presidential election Presidential elections were held in Iran on 12 June 2009, with incumbent Mahmoud Ahmadinejad running against three challengers. The next morning the Islamic Republic News Agency, Iran's news agency, announced that with two-thirds of the votes co ...

, Slowloris arose as a prominent tool used to leverage DoS attacks against sites run by the Iranian government. The belief was that flooding

DDoS In computing, a denial-of-service attack (DoS attack) is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host A ...

attacks would affect internet access for the government and protesters equally, due to the significant bandwidth they can consume. The Slowloris attack was chosen instead, because of its high impact and relatively low bandwidth. A number of government-run sites were targeted during these attacks, including gerdab.ir, leader.ir, and president.ir. A variant of this attack was used by

spam Spam may refer to: * Spam (food), a canned pork meat product * Spamming, unsolicited or undesired electronic messages ** Email spam, unsolicited, undesired, or illegal email messages ** Messaging spam, spam targeting users of instant messaging ( ...

network River City Media to force Gmail servers to send thousands of messages in bulk, by opening thousands of connections to the Gmail API with message sending requests, then completing them all at once. The program was also used on October 21st, 2022 by an unknown web user referred to by the handle “Neon Demon”, shutting down website servers of well known Russian company

Gazprom PJSC Gazprom ( rus, Газпром, , ɡɐzˈprom) is a Russian majority state-owned multinational energy corporation headquartered in the Lakhta Center in Saint Petersburg. As of 2019, with sales over $120 billion, it was ranked as the larges ...

’s websites Gazprom.com and Gazprom.ru, starting at around 4:30 PM CST. Servers were offline for at least a month.

Similar software

Since its release, a number of programs have appeared that mimic the function of Slowloris while providing additional functionality, or running in different environments: * PyLoris – A protocol-agnostic Python implementation supporting

Tor Tor, TOR or ToR may refer to: Places * Tor, Pallars, a village in Spain * Tor, former name of Sloviansk, Ukraine, a city * Mount Tor, Tasmania, Australia, an extinct volcano * Tor Bay, Devon, England * Tor River, Western New Guinea, Indonesia Sc ...

and SOCKS proxies. * Slowloris – A Python 3 implementation of Slowloris with SOCKS proxy support. * Goloris – Slowloris for nginx, written in Go. * slowloris - Distributed Golang implementation * QSlowloris – An executable form of Slowloris designed to run on Windows, featuring a Qt front end. * An unnamed PHP version which can be run from a HTTP server. * SlowHTTPTest – A highly configurable slow attacks simulator, written in C++. * SlowlorisChecker – A Slowloris and Slow POST POC (Proof of concept). Written in Ruby. * Cyphon - Slowloris for Mac OS X, written in Objective-C. * sloww - Slowloris implementation written in Node.js. * dotloris - Slowloris written in .NET Core *

SlowDroid SlowDroid is the firstAlturki, A. A. U. M. A., Vivek, T. B. K. M. K., & Talcott, N. A. S. C. (2019). Resource-Bounded Intruders in Denial of Service Attacks. denial of service attack which allows a single mobile device to take down a network ser ...

- An enhanced version of Slowloris written in Java, reducing at minimum the attack bandwidth

References

{{Reflist

External links