Slowloris is a tool to DoS (Denial of Service) an HTTP(S) web server without performing a traditional high-bandwidth “flood” approach. I’ll give you some background on why Slowloris is so effective, even today, and how to protect your Apache servers from this type of attack. This article is geared towards users with Ubuntu or Debian Linux servers running Apache2. Other systems may require slight modifications to the instructions; feel free to comment and ask for distro-specific examples.

What is Slowloris and why should I care?

Typically, in DoS attacks, the attacker tries to flood the victim web server by exhausting either its bandwidth or its processing capacity. If I send enough packets to a server with enough attacking clients (DDoS), the server will not be able to process the amount of data it is receiving, or its upstream connection bandwidth will end up being saturated. These attacks can be very difficult to carry out if, for instance, the victim servers are very powerful or load-balanced and the victim has a very large connection to their provider (lots of bandwidth available).

Slowloris takes a very different approach that requires minimal bandwidth and is equally effective against the biggest, baddest servers or the old Compaq beige-box hosting your cat’s website. It’s all about how the target’s HTTP server reacts to new connections. In fact, the developer of Slowloris, RSnake, mentioned at DefCon 17 that the bandwidth usage is “so low that if it’s a high-traffic website your load will actually go down in the process”.

Slowloris will defeat the accf_http filters and affects both Apache 1.x and Apache 2.x servers. It is effective because it will initiate an HTTP POST request connection with the target web server but leave off the last (second) “\r\n” segment of the header so that the server will think that it should wait for the remaining data to be sent. This causes the server to allocate a socket and thread to the connection and wait for data that will never come. This ties up TCP connections for the server until all available sockets/threads are in use, at which point the server begins denying or ignoring new connections. DoS complete.

How can I stop a Slowloris attack?

mod_qos is an Apache module that allows for the management of Apache resources, a perfect candidate to thwart something that slowly exhausts Apache resources.  Before making these changes, I would really suggest running a Slowloris attack against your own servers to get a feel for just how effective this slow attack can be.  You can find the downloads for Slowloris in the link at the beginning of this article.

First off, let’s install the module and open its configuration file for writing (as root).

# apt-get install libapache2-mod-qos

# vi /etc/apache2/mods-available/qos.conf

Replace the contents of the qos.conf file with the following suggested configurations.

<IfModule mod_qos.c>
# handles connections from up to 100000 different IPs (200,000*150bytes=30MB needed)
QS_ClientEntries 100000
# will allow only 50 connections per IP
QS_SrvMaxConnPerIP 50
# maximum number of active TCP connections is limited to 256
MaxClients 256
# disables keep-alive when 75% of the TCP connections are occupied:
QS_SrvMaxConnClose 192
# minimum request/response speed (deny keeping connections open without requesting anything)
QS_SrvMinDataRate 150 1200
</IfModule>

Now simply restart your Apache service.

# service apache2 restart

I would suggest re-running a Slowloris attack against your servers and seeing the difference. This may require some tweaking (QS_ClientEntries, for instance, can be dependent on available resources as well as expected traffic) but should provide a good baseline.

If the mod has been successfully installed and configured, you will see the following entries in your Apache2 error logs during a Slowloris attack:

[Sun Feb 23 13:08:18 2014] [error] mod_qos(034): access denied, QS_SrvMinDataRate rule (in): min=162, this connection=47, c=172.16.0.1
[Sun Feb 23 13:08:18 2014] [error] [client 172.16.0.1] request failed: error reading the headers
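
To triage these entries during an incident, the following added example (not part of the original article or of mod_qos) parses the mod_qos(034) lines shown above and reports clients that trip QS_SrvMinDataRate repeatedly within a short window. The function names, the threshold of 3, the 60-second window and every sample line after the first two are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# mod_qos(034) denial line, in the Apache 2.2-style format shown in this article.
DENY_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] mod_qos\(034\): access denied, "
    r"QS_SrvMinDataRate rule \(\w+\): min=(?P<min>\d+), "
    r"this connection=(?P<rate>\d+), c=(?P<client>\S+)$"
)

def parse_denials(lines):
    """Yield (timestamp, client, observed_rate, required_min) per denial line."""
    for line in lines:
        m = DENY_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            yield ts, m["client"], int(m["rate"]), int(m["min"])

def slow_clients(lines, threshold=3, window=timedelta(seconds=60)):
    """Map client -> peak denial count in any `window`, if it reaches `threshold`."""
    seen = defaultdict(list)
    for ts, client, _rate, _min in parse_denials(lines):
        seen[client].append(ts)
    flagged = {}
    for client, stamps in seen.items():
        stamps.sort()
        start = peak = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window start forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[client] = peak
    return flagged

# Constructed sample: the first two lines are from the article, the rest are made up.
SAMPLE_LOG = """\
[Sun Feb 23 13:08:18 2014] [error] mod_qos(034): access denied, QS_SrvMinDataRate rule (in): min=162, this connection=47, c=172.16.0.1
[Sun Feb 23 13:08:18 2014] [error] [client 172.16.0.1] request failed: error reading the headers
[Sun Feb 23 13:08:19 2014] [error] mod_qos(034): access denied, QS_SrvMinDataRate rule (in): min=162, this connection=12, c=172.16.0.1
[Sun Feb 23 13:08:21 2014] [error] mod_qos(034): access denied, QS_SrvMinDataRate rule (in): min=165, this connection=0, c=172.16.0.1
[Sun Feb 23 13:08:40 2014] [error] mod_qos(034): access denied, QS_SrvMinDataRate rule (in): min=150, this connection=90, c=192.0.2.7
[Sun Feb 23 13:15:02 2014] [error] mod_qos(034): access denied, QS_SrvMinDataRate rule (in): min=150, this connection=88, c=192.0.2.7
""".splitlines()

if __name__ == "__main__":
    for client, peak in sorted(slow_clients(SAMPLE_LOG).items()):
        print(f"{client}: {peak} QS_SrvMinDataRate denials within 60 seconds")
```

A single slow mobile client can produce an occasional denial, which is why the check looks for bursts from one address instead of alerting on every line.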

Also check out the video from DefCon 17 where RSnake gives a really great overview of how he designed Slowloris.  http://vimeo.com/7618090
