A new way of DoS attack has been released recently, called the Slowloris HTTP DoS, dubbed “the low bandwidth, yet greedy and poisonous HTTP client".
Slowloris holds connections open by sending partial HTTP requests. It continues to send subsequent headers at regular intervals to keep the sockets from closing.
In this way webservers can be quickly tied up. In particular, servers that have threading will tend to be vulnerable, by virtue of the fact that they attempt to limit the amount of threading they’ll allow. Slowloris must wait for all the sockets to become available before it’s successful at consuming them, so if it’s a high traffic website, it may take a while for the site to free up it’s sockets.
But the brilliance of the attack, is in the next part.
Slowloris also has a few stealth features built into it. Firstly, it can be changed to send different host headers, if your target is a virtual host and logs are stored seperately per virtual host.
But most importantly, while the attack is underway, the log file won’t be written until the request is completed. So you can keep a server down for minutes at a time without a single log file entry showing up to warn someone who might be watching in that instant.
Of course once your attack stops or once the session gets shut down there will be several hundred 400 errors in the web server logs. That’s unavoidable as Slowloris sites today, although it may be possible to turn them into 200 OK messages instead by completing a valid request, but Slowloris doesn’t yet do that.
While there are already work-arounds available, I can see this spread major havoc among large websites, especially for the small footprint this attack leaves behind.
It’s virtually impossible to detect immediately.