Attacks/Breaches
1/5/2012
03:51 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%
Repost This

New Denial-Of-Service Attack Cripples Web Servers By Reading Slowly

'Slow Read' proof-of-concept and tool released Thursday

A researcher today published proof-of-concept code that takes a different spin on the slow HTTP denial-of-service (DoS) attack simply by dragging out the process of reading the server's response -- and ultimately overwhelming it.

Sergey Shekyan, senior software engineer with Qualys, also has added this new so-called Slow Read attack to his open-source slowhttptest tool.

Slow Read basically sends a legitimate HTTP request and then very slowly reads the response, thus keeping as many open connections as possible and eventually causing a DoS.

Shekyan's Slowhttptest attack tool initially was inspired by related open-source tools Slowloris and OWASP's Slow HTTP Post. Slowloris keeps connections open by sending partial HTTP requests and sends headers at regular intervals to prevent the sockets from closing, while the Slow HTTP POST distributed DoS (DDoS) tool simulates an attack using POST headers with a legitimate "content-length" field that lets the Web server know how much data is arriving. Once the headers are sent, the POST message body is transmitted slowly, thus gridlocking the connection and server resources.

[Slow HTTP attacks can be a lethal form of denial-of-service to Web servers. See Researcher To Release Free 'Slow HTTP Attack' Tool.]

Slow HTTP attacks are gaining in popularity among the bad guys as a way to quietly wage a DoS attack because these exploits are relatively easy to perform, require minimal computing resources, and often are tough to detect until it's too late.

"There are three or four ways to easily DoS an Apache server now [with the addition of Slow Read]," says an industry source who requested anonymity. "We see it fairly frequently ... It happens to the majority of our customers at least once every few months, if not more often."

Those organizations that deploy inline load balancers or rate-limiting traffic parameters are typically fairly protected from a full-blown DoS, but not all organizations have such resources to help mitigate a DoS or DDoS.

Qualys' Shekyan says attackers today are combining old-school, lower-layer SYN Flood DDoS attack methods with the application-layer ones that exploit HTTP traffic. "And the more techniques you combine in an attack, the more effective it is," he says.

He says his Slow Read attack slows down the HTTP response reading phase by exploiting the design of TCP, which keeps the connection open even if there's little or no data flowing there. And this attack is harder to detect than the Slow HTTP attack. "It's very hard to catch these attacks. If you're not monitoring your network layer, those requests look the same as your requests from legitimate clients," he says.

To successfully pull off a Slow Read DoS, the attacker must know the server's "send" buffer size and craft a smaller "receive" buffer. TCP's default server buffer size ranges from 65 KB to 129 KB, Shekyan noted. "We need to make the server generate a response that is larger than the send buffer. With reports indicating the Average Web Page Approaches 1MB, that should be fairly easy. Load the main page of the victim’s Web site in your favorite WebKit-based browser like Chrome or Safari and pick the largest resource in Web Inspector," he wrote in his proof-of-concept post.

Meanwhile, some fixes are available to various Web server DoS attacks. "But they can often be a major pain to implement. Sometimes it's changing the Web server, sometimes it's using an inline proxy, and sometimes it's just a matter of the HTTP spec being too lax," the industry source says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-1421
Published: 2014-04-22
Cross-site scripting (XSS) vulnerability in Craig Knudsen WebCalendar before 1.2.5, 1.2.6, and other versions before 1.2.7 allows remote attackers to inject arbitrary web script or HTML via the Category Name field to category.php.

CVE-2013-2105
Published: 2014-04-22
The Show In Browser (show_in_browser) gem 0.0.3 for Ruby allows local users to inject arbitrary web script or HTML via a symlink attack on /tmp/browser.html.

CVE-2013-2187
Published: 2014-04-22
Cross-site scripting (XSS) vulnerability in Apache Archiva 1.2 through 1.2.2 and 1.3 before 1.3.8 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters, related to the home page.

CVE-2013-4116
Published: 2014-04-22
lib/npm.js in Node Packaged Modules (npm) before 1.3.3 allows local users to overwrite arbitrary files via a symlink attack on temporary files with predictable names that are created when unpacking archives.

CVE-2013-4472
Published: 2014-04-22
The openTempFile function in goo/gfile.cc in Xpdf and Poppler 0.24.3 and earlier, when running on a system other than Unix, allows local users to overwrite arbitrary files via a symlink attack on temporary files with predictable names.

Best of the Web