Let’s talk about the slow loris (DoS) attack

Probably with a DoS attack term, you have already familiar. The most common “Denial of Service” attacks are layer three, whose purpose is to overwhelm your service by giving it as much bandwidth as a server can’t handle; thus, service is unavailable.
It depends on motivation if a website is a relatively small e-shop, and every hour it has ten customers with $10 profits, so it leads to a loss for the owner of an online store.
Testing yourself to understand server capabilities and how much you need to invest in protecting for this bandwidth is the right mindset.

A Slow loris attack is a DoS, but it’s a layer seven attack, that doesn’t need a lot of bandwidth. So, what slow loris does is beginning to open connections, and as a new one gets freed up, someone else using the website will open that one, and that one, until they got all the connections.
You can replicate this attack on the Apache server because of the way it works. Unfortunately, Apache is ubiquitous around 38 % of websites are running on it [1].
The problem comes for a firewall or something to notice because these are valid HTTP requests just slow.

Testing

I am testing the Slow loris on the latest macOS with python. So I need to clone a script from Github repository and run it.

git clone https://github.com/gkbrk/slowloris.git
cd slowloris
./slowloris.py savenas.lt -s 300

In this case, a web server thinks that 300 people are looking at the website, when in fact, it’s got one person looking at the website slowly 300 times.
We send a little bit more data every 15 seconds. And if a socket dies, we recreate it, and we keep that going, and we’ll do this for 300 concurrent sockets, which is more than the server can handle. The default Apache configuration of concurrent connections is 150.
We might see a timeout using a browser because the server is basically won’t serve this website to me.

Photo by Roi Dimor on Unsplash

Reference

#1 https://w3techs.com/technologies/overview/web_server
#2 https://github.com/gkbrk/slowloris
#3 https://www.youtube.com/watch?v=XiFkyR35v2Y

Kibernetinio saugumo entuziastas; Aktyviausias Lietuvis TryHackMe platformoje; Inovacijų valdymo ir Antreprenerystės Magistrantas @ KTU