Slowloris HTTP DoS: Be Afraid, Be Very Afraid

Want to help support this blog? Try out Oh Dear, the best all-in-one monitoring tool for your entire website, co-founded by me (the guy that wrote this blogpost). Start with a 10-day trial, no strings attached.

We offer uptime monitoring, SSL checks, broken links checking, performance & cronjob monitoring, branded status pages & so much more. Try us out today!

Profile image of Mattias Geniar

Mattias Geniar, June 21, 2009

Follow me on Twitter as @mattiasgeniar

A new way of DoS attack has been released recently, called the Slowloris HTTP DoS, dubbed “the low bandwidth, yet greedy and poisonous HTTP client".

Slowloris holds connections open by sending partial HTTP requests. It continues to send subsequent headers at regular intervals to keep the sockets from closing.

In this way webservers can be quickly tied up. In particular, servers that have threading will tend to be vulnerable, by virtue of the fact that they attempt to limit the amount of threading they’ll allow. Slowloris must wait for all the sockets to become available before it’s successful at consuming them, so if it’s a high traffic website, it may take a while for the site to free up it’s sockets.

But the brilliance of the attack, is in the next part.

Slowloris also has a few stealth features built into it. Firstly, it can be changed to send different host headers, if your target is a virtual host and logs are stored seperately per virtual host.

But most importantly, while the attack is underway, the log file won’t be written until the request is completed. So you can keep a server down for minutes at a time without a single log file entry showing up to warn someone who might be watching in that instant.

Of course once your attack stops or once the session gets shut down there will be several hundred 400 errors in the web server logs. That’s unavoidable as Slowloris sites today, although it may be possible to turn them into 200 OK messages instead by completing a valid request, but Slowloris doesn’t yet do that.

While there are already work-arounds available, I can see this spread major havoc among large websites, especially for the small footprint this attack leaves behind.

It’s virtually impossible to detect immediately.



Want to subscribe to the cron.weekly newsletter?

I write a weekly-ish newsletter on Linux, open source & webdevelopment called cron.weekly.

It features the latest news, guides & tutorials and new open source projects. You can sign up via email below.

No spam. Just some good, practical Linux & open source content.