Slowloris and Iranian DDoS attacks
Last Updated: 2009-06-23 08:46:42 UTC
by Bojan Zdrnja (Version: 1)
In the last couple of days we posted two diaries (http://isc.sans.org/diary.html?storyid=6601 and http://isc.sans.org/diary.html?storyid=6613) with information about Slowloris, a tool released last week that performs a resource exhaustion DoS attack on Apache web servers.
There has been a lot of chatter about the tool on the web, so it was just a matter of time before we would see it used in real DoS attacks. Last week I posted a diary about two groups launching DDoS attacks on Iranian web sites (http://isc.sans.org/diary.html?storyid=6583). Both of these attacks were relatively simple and used existing, old tools for performing DoS attacks.
However, over the weekend some forums and web sites asking people to run DDoS attacks "expanded" their selection of tools by including Slowloris – nothing we didn't really expect to see.
Regarding Slowloris, we received a lot of information from our readers about the various scenarios in which Slowloris does and does not work. First of all, Adrian Ilarion Ciobanu posted several diary comments pointing to work he wrote two years ago describing an attack similar to Slowloris. Adrian also posted some interesting material about Apache DoS attacks at http://pub.mud.ro/~cia/computing/apache-httpd-denial-of-service-example.html. Frank Breedijk wrote in to say that he tested Slowloris against Cisco CSS load balancers, which appear to be immune.
Finally, an unofficial patch has been released at http://synflood.at/tmp/anti-slowloris.diff - I haven't tested it, but the patch is supposed to change the TimeOut value dynamically depending on the load (that is, on the number of Apache processes currently processing HTTP requests).
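To make the idea behind a load-dependent TimeOut concrete, here is an added illustration written for this diary; it is not the synflood.at patch and not Apache code. It assumes a fixed-size worker pool (MaxClients-style), that each connection records when it was accepted and whether its request headers have finished arriving, and it picks a linear scale-down with a 5-second floor as one possible policy. The same per-connection bookkeeping also yields the count of half-open requests per client address, which is the simplest indicator a defender would look for in a Slowloris-style exhaustion.

```python
from dataclasses import dataclass

# Apache 2.2's stock TimeOut is 300 seconds; the 5-second floor is an assumption.
BASE_TIMEOUT = 300
MIN_TIMEOUT = 5


def adaptive_timeout(busy_workers, max_workers, base=BASE_TIMEOUT, floor=MIN_TIMEOUT):
    """Return the seconds a connection may sit with an incomplete request.

    Scales linearly from `base` (idle pool) toward `floor` (pool exhausted),
    so a flood of half-open requests shortens its own allowed lifetime.
    """
    if max_workers <= 0:
        raise ValueError("max_workers must be positive")
    busy = min(max(busy_workers, 0), max_workers)
    return max(floor, base * (max_workers - busy) / max_workers)


@dataclass
class Conn:
    cid: int
    client: str
    opened_at: float        # epoch seconds when the connection was accepted
    headers_complete: bool  # True once the blank line ending the headers arrived


def reap_stalled(conns, now, max_workers, adaptive=True):
    """Return the ids of connections whose header read exceeded the timeout.

    With adaptive=False the stock fixed TimeOut is used, for comparison.
    """
    busy = len(conns)
    limit = adaptive_timeout(busy, max_workers) if adaptive else BASE_TIMEOUT
    return [c.cid for c in conns
            if not c.headers_complete and now - c.opened_at > limit]


def incomplete_by_client(conns):
    """Count half-open requests per client address (a Slowloris-style indicator)."""
    counts = {}
    for c in conns:
        if not c.headers_complete:
            counts[c.client] = counts.get(c.client, 0) + 1
    return counts


# Constructed sample: a 10-worker pool where one client (documentation
# address 198.51.100.7) has held 6 slots for 90 s without finishing its
# headers, alongside two ordinary clients.
NOW = 1_000_000.0
SAMPLE = [Conn(i, "198.51.100.7", NOW - 90, False) for i in range(6)] + [
    Conn(6, "203.0.113.10", NOW - 2, False),   # fresh, still sending headers
    Conn(7, "203.0.113.11", NOW - 30, True),   # request complete, being served
]

if __name__ == "__main__":
    print("stock TimeOut reaps:", reap_stalled(SAMPLE, NOW, 10, adaptive=False))
    print("adaptive reaps:", reap_stalled(SAMPLE, NOW, 10))
    print("half-open per client:", incomplete_by_client(SAMPLE))
```

With 8 of 10 workers busy the adaptive limit drops to 60 seconds, so the six 90-second half-open connections are dropped while the fresh legitimate one is left alone; under the stock 300-second TimeOut none of them would be reaped yet. The per-client count is what you would feed a rate limit or an alert, since a single source holding many incomplete requests is not how browsers behave.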