New Denial-Of-Service Attack Cripples Web Servers By Reading Slowly

A researcher today published proof-of-concept code that takes a different spin on the slow HTTP denial-of-service (DoS) attack simply by dragging out the process of reading the server's response -- and ultimately overwhelming it.

Sergey Shekyan, senior software engineer with Qualys, also has added this new so-called Slow Read attack to his open-source slowhttptest tool.

Slow Read basically sends a legitimate HTTP request and then very slowly reads the response, thus keeping as many open connections as possible and eventually causing a DoS.

Shekyan's Slowhttptest attack tool initially was inspired by related open-source tools Slowloris and OWASP's Slow HTTP Post. Slowloris keeps connections open by sending partial HTTP requests and sends headers at regular intervals to prevent the sockets from closing, while the Slow HTTP POST distributed DoS (DDoS) tool simulates an attack using POST headers with a legitimate "content-length" field that lets the Web server know how much data is arriving. Once the headers are sent, the POST message body is transmitted slowly, thus gridlocking the connection and server resources.

[Slow HTTP attacks can be a lethal form of denial-of-service to Web servers. See Researcher To Release Free 'Slow HTTP Attack' Tool.]

Slow HTTP attacks are gaining in popularity among the bad guys as a way to quietly wage a DoS attack because these exploits are relatively easy to perform, require minimal computing resources, and often are tough to detect until it's too late.

"There are three or four ways to easily DoS an Apache server now [with the addition of Slow Read]," says an industry source who requested anonymity. "We see it fairly frequently ... It happens to the majority of our customers at least once every few months, if not more often."

Those organizations that deploy inline load balancers or rate-limiting traffic parameters are typically fairly protected from a full-blown DoS, but not all organizations have such resources to help mitigate a DoS or DDoS.

Qualys' Shekyan says attackers today are combining old-school, lower-layer SYN Flood DDoS attack methods with the application-layer ones that exploit HTTP traffic. "And the more techniques you combine in an attack, the more effective it is," he says.

He says his Slow Read attack slows down the HTTP response reading phase by exploiting the design of TCP, which keeps the connection open even if there's little or no data flowing there. And this attack is harder to detect than the Slow HTTP attack. "It's very hard to catch these attacks. If you're not monitoring your network layer, those requests look the same as your requests from legitimate clients," he says.

To successfully pull off a Slow Read DoS, the attacker must know the server's "send" buffer size and craft a smaller "receive" buffer. TCP's default server buffer size ranges from 65 KB to 129 KB, Shekyan noted. "We need to make the server generate a response that is larger than the send buffer. With reports indicating the Average Web Page Approaches 1MB, that should be fairly easy. Load the main page of the victim’s Web site in your favorite WebKit-based browser like Chrome or Safari and pick the largest resource in Web Inspector," he wrote in his proof-of-concept post.

Meanwhile, some fixes are available to various Web server DoS attacks. "But they can often be a major pain to implement. Sometimes it's changing the Web server, sometimes it's using an inline proxy, and sometimes it's just a matter of the HTTP spec being too lax," the industry source says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.