Researcher devises hard-to-detect denial-of-service attack against HTTP servers

Qualys software engineer devises a new type of slow HTTP DoS attack and releases tool to test it

Qualys senior software engineer Sergey Shekyan has devised a new HTTP denial-of-service (DoS) attack method which relies on prolonging the time clients need to read Web server responses.

Shekyan's method is dubbed Slow Read DoS and is based on previous research by Robert Hansen, the creator of the Slowloris HTTP DoS tool and the late Jack C. Louis, who developed Sockstress, a proof-of-concept application that applies the slow read attack concept to TCP stacks.

Unlike Slowloris, which works by slowing down HTTP requests in order to fill the Web server's concurrent connection pool and prevent it from serving legitimate clients, Shekyan's Slow Read DoS attack works by slowing down the server's responses.

"The idea of the attack I implemented is pretty simple: Send a legitimate HTTP request and read the response slowly, aiming to keep as many connections as possible active," Shekyan said.

In order to achieve this, the server's response must be larger than its send buffer can hold at any one time; a large response is split into smaller chunks that are sent individually.

The second requirement is to keep the server's send buffer full for a long period, with further data chunks pending, so that the connection stays active. This is done by reducing the client's ability to receive data (the TCP receive window it advertises) to a value smaller than the server's send buffer.

"TCP doesn't advertise the server's send buffer size, but we can assume that it is the default value, which is usually between 65Kb and 128Kb. There's normally no need to have a send buffer larger than that," Shekyan explained.

In order to force a large-enough response, the client must request a resource bigger than 128Kb. Finding a file that size hosted on the server shouldn't be difficult in most cases, but even if there isn't one, if the server supports HTTP pipelining - and most do - the same effect can be achieved by requesting a smaller resource multiple times.

This is similar to how tools like Sockstress and Nkiller2 work, but while they use specially crafted TCP packets and target raw sockets, Shekyan's method applies the concept to HTTP servers.

The software engineer implemented his attack technique into the latest version of slowhttptest, an open source slow DoS test application developed at Qualys. "We still think it's worthwhile to have a configurable tool to help people focus and design defense mechanisms, since this vulnerability still exists on many systems three years after it was first discovered, and I consider Slow Read DoS attacks are even lower profile and harder to detect than slowloris and slow POST attacks," Shekyan said.

Administrators who want to test whether their servers are vulnerable to Slow Read DoS without actively attacking them with slowhttptest should check three things: whether the server accepts initial SYN packets with an abnormally small advertised window; whether it fails to send RST or FIN after 30 seconds when the recipient can't accept the data; and whether persistent connections (keep-alive) or HTTP pipelining are enabled. "If all three conditions are met, we can assume the server is vulnerable to Slow Read DoS attack," Shekyan said.
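The same conditions can be watched for on the server side while it is under load: an established connection whose send queue stays full because the peer advertises a tiny receive window, stalled for tens of seconds, with many such connections coming from one peer. The following Python script is an added example and is not part of the article or of slowhttptest. It parses output in the layout of `ss -tni` (a constructed sample is embedded so it runs offline) and reports peers holding several such connections. It assumes the `snd_wnd:` field that recent iproute2 prints from the kernel's TCP_INFO; where that field is absent it falls back to a coarser `lastsnd` heuristic. The thresholds are assumptions chosen for illustration, not values from the article.

```python
"""Flag established TCP connections that look like Slow Read DoS victims.

Added example, not part of the article or of slowhttptest. It reads text in
the format of `ss -tni` (a constructed sample is embedded below) and reports
peers holding several connections whose send queue is full while the peer
advertises a tiny receive window or has stalled the transfer.
"""
import re
from collections import Counter

# Constructed sample in `ss -tni` layout: one summary line per socket, then an
# indented detail line of key:value pairs. 203.0.113.7 holds three stalled
# connections; 192.0.2.9 is a healthy bulk download with a large window.
SAMPLE_SS_OUTPUT = (
    "State Recv-Q Send-Q Local Address:Port Peer Address:Port\n"
    "ESTAB 0 0 10.0.0.5:80 198.51.100.20:44120\n"
    "\t cubic wscale:7,7 rto:204 rtt:1.2/0.5 mss:1448 cwnd:10 snd_wnd:65535 lastsnd:12 lastrcv:12 lastack:12\n"
    "ESTAB 0 131072 10.0.0.5:80 203.0.113.7:51234\n"
    "\t cubic wscale:7,7 rto:204 rtt:1.5/0.8 mss:1448 cwnd:10 snd_wnd:32 lastsnd:45000 lastrcv:45000 lastack:800\n"
    "ESTAB 0 98304 10.0.0.5:80 203.0.113.7:51235\n"
    "\t cubic wscale:7,7 rto:204 rtt:1.4/0.7 mss:1448 cwnd:10 snd_wnd:0 lastsnd:61000 lastrcv:61000 lastack:1200\n"
    "ESTAB 0 120000 10.0.0.5:80 203.0.113.7:51236\n"
    "\t cubic wscale:7,7 rto:204 rtt:1.6/0.9 mss:1448 cwnd:10 lastsnd:40000 lastrcv:40000 lastack:900\n"
    "ESTAB 0 262144 10.0.0.5:80 192.0.2.9:40001\n"
    "\t cubic wscale:7,7 rto:204 rtt:20.0/5.0 mss:1448 cwnd:40 snd_wnd:262144 lastsnd:3 lastrcv:3 lastack:3\n"
)

HEADER_RE = re.compile(
    r"^(?P<state>[A-Z][A-Z-]+)\s+(?P<recv_q>\d+)\s+(?P<send_q>\d+)\s+"
    r"(?P<local>\S+)\s+(?P<peer>\S+)"
)
KV_RE = re.compile(r"([a-z_]+):(-?[\d.]+)")


def parse_ss(text):
    """Return one dict per socket: state, queue sizes, addresses and detail fields."""
    conns = []
    for raw in text.splitlines():
        if raw.startswith(("\t", " ")):
            # Indented detail line: attach its key:value pairs to the last socket.
            if conns:
                conns[-1]["info"].update((k, float(v)) for k, v in KV_RE.findall(raw))
            continue
        m = HEADER_RE.match(raw)
        if not m:
            continue  # column header or unrelated text
        conns.append({
            "state": m["state"],
            "recv_q": int(m["recv_q"]),
            "send_q": int(m["send_q"]),  # bytes queued for the peer, sent or not
            "local": m["local"],
            "peer": m["peer"],
            "info": {},
        })
    return conns


def peer_ip(addr):
    """Strip the port (and IPv6 brackets) from an ss address field."""
    host, _, _port = addr.rpartition(":")
    return host.strip("[]")


def is_slow_read_suspect(conn, min_send_q=16384, max_window=1024, stall_ms=30000):
    """Heuristic: response data is queued but the peer will not take it.

    Thresholds are assumptions for illustration, not values from the article.
    """
    if conn["state"] != "ESTAB" or conn["send_q"] < min_send_q:
        return False
    info = conn["info"]
    # Preferred signal: the peer advertises an abnormally small receive window
    # (`snd_wnd` from TCP_INFO; absent on older ss/kernel combinations).
    if "snd_wnd" in info:
        return info["snd_wnd"] <= max_window
    # Coarse fallback: data queued but nothing sent for stall_ms milliseconds.
    return info.get("lastsnd", 0) >= stall_ms


def suspicious_peers(conns, min_conns=2, **thresholds):
    """Count suspect connections per peer IP; keep peers holding min_conns or more."""
    counts = Counter(peer_ip(c["peer"]) for c in conns
                     if is_slow_read_suspect(c, **thresholds))
    return {ip: n for ip, n in counts.items() if n >= min_conns}


if __name__ == "__main__":
    # On a live host, replace the sample with the output of `ss -tni`.
    for ip, n in suspicious_peers(parse_ss(SAMPLE_SS_OUTPUT)).items():
        print(f"{ip}: {n} connections with queued data and a tiny or stalled window")
```

A large Send-Q on its own is normal for a fast bulk download, which is why the check also requires a tiny advertised window or a long stall; a peer that holds many such connections for longer than the server's usual response time is worth correlating with the web server's access logs before applying per-client connection limits or timeouts.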

According to Shekyan, HTTP servers like Apache, nginx, lighttpd and IIS 7.5 are vulnerable in their default configuration. Fortunately, some of them have built-in protection that can be turned on, while others have modules capable of enforcing the necessary restrictions to mitigate the attacks.

"Apache is vulnerable in its default configuration, but MPM Event, for example, handles slow requests and responses significantly better than other modules, but falls back to worker MPM behavior for SSL connections. Mod_security supports attributes to control how long a socket can remain in read or write state," Shekyan said.

Stories by Lucian Constantin