03:51 PM
Connect Directly

New Denial-Of-Service Attack Cripples Web Servers By Reading Slowly

'Slow Read' proof-of-concept and tool released Thursday

A researcher today published proof-of-concept code that takes a different spin on the slow HTTP denial-of-service (DoS) attack simply by dragging out the process of reading the server's response -- and ultimately overwhelming it.

Sergey Shekyan, senior software engineer with Qualys, also has added this new so-called Slow Read attack to his open-source slowhttptest tool.

Slow Read basically sends a legitimate HTTP request and then very slowly reads the response, thus keeping as many open connections as possible and eventually causing a DoS.

Shekyan's Slowhttptest attack tool initially was inspired by related open-source tools Slowloris and OWASP's Slow HTTP Post. Slowloris keeps connections open by sending partial HTTP requests and sends headers at regular intervals to prevent the sockets from closing, while the Slow HTTP POST distributed DoS (DDoS) tool simulates an attack using POST headers with a legitimate "content-length" field that lets the Web server know how much data is arriving. Once the headers are sent, the POST message body is transmitted slowly, thus gridlocking the connection and server resources.

[Slow HTTP attacks can be a lethal form of denial-of-service to Web servers. See Researcher To Release Free 'Slow HTTP Attack' Tool.]

Slow HTTP attacks are gaining in popularity among the bad guys as a way to quietly wage a DoS attack because these exploits are relatively easy to perform, require minimal computing resources, and often are tough to detect until it's too late.

"There are three or four ways to easily DoS an Apache server now [with the addition of Slow Read]," says an industry source who requested anonymity. "We see it fairly frequently ... It happens to the majority of our customers at least once every few months, if not more often."

Those organizations that deploy inline load balancers or rate-limiting traffic parameters are typically fairly protected from a full-blown DoS, but not all organizations have such resources to help mitigate a DoS or DDoS.

Qualys' Shekyan says attackers today are combining old-school, lower-layer SYN Flood DDoS attack methods with the application-layer ones that exploit HTTP traffic. "And the more techniques you combine in an attack, the more effective it is," he says.

He says his Slow Read attack slows down the HTTP response reading phase by exploiting the design of TCP, which keeps the connection open even if there's little or no data flowing there. And this attack is harder to detect than the Slow HTTP attack. "It's very hard to catch these attacks. If you're not monitoring your network layer, those requests look the same as your requests from legitimate clients," he says.

To successfully pull off a Slow Read DoS, the attacker must know the server's "send" buffer size and craft a smaller "receive" buffer. TCP's default server buffer size ranges from 65 KB to 129 KB, Shekyan noted. "We need to make the server generate a response that is larger than the send buffer. With reports indicating the Average Web Page Approaches 1MB, that should be fairly easy. Load the main page of the victim’s Web site in your favorite WebKit-based browser like Chrome or Safari and pick the largest resource in Web Inspector," he wrote in his proof-of-concept post.

Meanwhile, some fixes are available to various Web server DoS attacks. "But they can often be a major pain to implement. Sometimes it's changing the Web server, sometimes it's using an inline proxy, and sometimes it's just a matter of the HTTP spec being too lax," the industry source says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Senior Editor at She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2014-07-11
Dahua DVR 2.608.0000.0 and 2.608.GV00.0 allows remote attackers to bypass authentication and obtain sensitive information including user credentials, change user passwords, clear log files, and perform other actions via a request to TCP port 37777.

Published: 2014-07-11
Cumin (aka MRG Management Console), as used in Red Hat Enterprise MRG 2.5, does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.

Published: 2014-07-11
The REST API in the ovirt-engine in oVirt, as used in Red Hat Enterprise Virtualization (rhevm) 3.4, allows remote authenticated users to read arbitrary files and have other unspecified impact via unknown vectors, related to an XML External Entity (XXE) issue.

Published: 2014-07-11
Docker 1.0.0 uses world-readable and world-writable permissions on the management socket, which allows local users to gain privileges via unspecified vectors.

Published: 2014-07-11
Apache Syncope 1.1.x before 1.1.8 uses weak random values to generate passwords, which makes it easier for remote attackers to guess the password via a brute force attack.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Marilyn Cohodas and her guests look at the evolving nature of the relationship between CIO and CSO.