Slowloris is a common name for an application-layer denial-of-service (DoS) cyberattack that targets thread-based web servers. The Slowloris attack works by using up the entire connection pool on the target web server. Another name for this type of attack is a slow HTTP DoS attack.
The name Slowloris comes from the name of a proof-of-concept attack tool originally created by Robert RSnake Hansen in 2009, while slow loris itself is the general name for a group of nocturnal primates from Southeast Asia that are known for moving extremely slowly. This attack technique has been used in many real-world attacks. For example, it was used by Iranian hacktivists to attack Iranian government sites after the 2009 presidential election.
There are two basic types of web server software, differing in the way they handle HTTP connections: thread-based servers (e.g. Apache, Microsoft IIS, dhttpd) and event-based servers (e.g. Nginx, lighttpd). Thread-based servers are designed to handle a smaller number of connections than event-based servers. For example, the default number of concurrent connections for an Apache installation is only 150, compared to 512 for Nginx.
A web server considers a connection open until it has received all the HTTP headers and the entire body for a request, or until the connection times out. The default timeout for an Apache connection is 300 seconds (for Nginx, it’s only 60 seconds). At default settings, this means an attacker only has to generate 150 open connections in Apache at roughly the same time to leave the server unable to accept any other legitimate requests for at least 5 minutes.
As a result, all it takes to perform a DoS attack against a thread-based web server with a default configuration and no additional protection modules is to initiate a sufficient number of incoming requests. If the requests (usually unfinished HTTP GET connections) arrive not from a single computer but from several sources, as with a botnet, this becomes a distributed denial-of-service (DDoS) attack.
The slow HTTP POST DDoS/DoS attack is a variation of the Slowloris attack that uses POST rather than GET requests and is much harder to mitigate. In a slow HTTP POST attack, the attacker keeps all the malicious connections alive to prevent them from timing out:
The slow HTTP POST attack and the tool used to conduct it are often called R U Dead Yet or the R.U.D.Y. attack, named after the original attack tool developed later.
A slow HTTP DoS attack may not be detected by intrusion detection systems (IDS) because it does not contain any malformed requests. Each HTTP request will seem legitimate to the IDS, even if it’s not closed.
The only effective way to spot a Slowloris attack is to monitor HTTP connection patterns to spot large numbers of connection attempts, long connection durations, unusually high numbers of partial HTTP requests, high server resource utilization, and other server anomalies related to bandwidth or capacity.
Note that while experimental checks were developed in the past to determine if a server is vulnerable to Slowloris attacks, the success of a real-life attack also depends on other factors, such as the server configuration and connection quality, making any checks unreliable and prone to false positives. Load testing is the only realistic way to find out if your web server can resist slow HTTP attacks, so this is not considered a typical web vulnerability but rather a configuration issue.
The Apache HTTP server is the most common target of slow HTTP DoS attacks. Listed below are three popular and easily implemented mitigations for slow HTTP DoS attacks (both Slowloris and R.U.D.Y.) against Apache servers. You can implement one or several of these methods and potentially combine them with other mitigation techniques, such as load balancers, reverse proxies, rate limiting, etc.
Also note that the Slowloris attack is an application-layer rather than network-layer type of DDoS attack. One example of network-layer attacks are SYN flood attacks, where an attacker sends malicious TCP SYN segments during a TCP three-way handshake. DDoS protection methods implemented at the network level to protect against such threats (commonly offered by cloud or DNS providers) are ineffective against slow HTTP DoS attacks.
Apache HTTP Server versions 2.2.15 and higher have a mod_reqtimeout module. You can use this to set timeouts for receiving the HTTP request header and body from a client. If a client fails to send header or body data within the configured time, the server replies with a 408 REQUEST TIMEOUT error.
Example configuration:
<IfModule mod_reqtimeout.c>
RequestReadTimeout header=20-40,MinRate=500 body=20-40,MinRate=500
</IfModule>
In this configuration:
The mod_qos module is a separate extension for the Apache HTTP Server, not included with the official Apache distribution. You can use it to assign different priorities to different HTTP requests.
Example configuration to protect against slow HTTP DoS:
<IfModule mod_qos.c>
# maximum number of different client IP addresses
QS_ClientEntries 100000
# maximum number of connections per IP
QS_SrvMaxConnPerIP 50
# maximum number of active TCP connections
MaxClients 256
# number of occupied TCP connections to disable keep-alive
QS_SrvMaxConnClose 180
# minimum request/response speed
QS_SrvMinDataRate 150 1200
</IfModule>
In this configuration:
The mod_security module is a separate web application firewall (WAF), not included with the official Apache distribution.
Example configuration to protect against slow HTTP DoS:
SecRule RESPONSE_STATUS "@streq 408" "phase:5,t:none,nolog,pass,
setvar:ip.slow_dos_counter=+1, expirevar:ip.slow_dos_counter=60, id:'1234123456'"
SecRule IP:SLOW_DOS_COUNTER "@gt 5" "phase:1,t:none,log,drop,
msg:'Client Connection Dropped due to high number of slow DoS alerts', id:'1234123457'"
In this configuration:
Slowloris attacks are denial-of-service attacks against web servers that generate lots of open connections by leaving HTTP requests open for a long time. Slowloris affects thread-based servers like Apache and Microsoft IIS but not event-based servers like Nginx. Slowloris is an application-layer DoS attack.
Attacks such as Slowloris or R.U.D.Y. can render the target server completely unresponsive, denying access to data and functionality. This can mean lost business and have a negative impact on the reputation of a company or institution. Unlike other types of DoS attacks, application-layer attacks usually can’t be detected or prevented using typical DDoS protection mechanisms offered by cloud providers, and they also evade cybersecurity solutions such as IPS.
Find out more about a similar application-layer attack called R.U.D.Y.
To mitigate Slowloris attacks against an Apache server, you can use several different modules: mod_reqtimeout to set timeouts for receiving the HTTP request headers and body from a client, mod_qos to assign different priorities to different HTTP requests, and mod_security to detect attack attempts.