Slowloris DDoS Attack: Definition, Damage & Defense

Learn how Adaptive Multi-Factor Authentication combats data breaches, weak passwords, and phishing attacks.

A Slowloris attack is remarkably dangerous. Hackers don't need an army of computers or significant bandwidth. With a little code and some spare time, they can take down a server and keep it there.

Count every item on this webpage, from the logo to the footer to the headline to the illustrations. Now, imagine asking for each element individually. Finally, put several seconds between each request you make.

You've just envisioned a Slowloris attack.

Rather than requesting every item on a page at once, hackers split up their commands. The server can't complete the request, and in time, it crashes.

Where Did the Slowloris Attack Originate?

Any webpage you see renders through a series of HTTP requests. During a Slowloris attack, hackers extend their requests and make them impossible to close. 

Anytime you visit a website, your web browser and a server start a conversation. You ask for elements on the page with a command, and the server delivers what you've requested. A server can neither initiate nor close a request. Your web browser does that work. 

In the mid-2000s, a hacker named RSnake realized this HTTP vulnerability could allow one hacker working on one machine to take down an entire web server. And that hacker wouldn't need a lot of bandwidth to make it work. Slowloris was born. 

The technique may seem simple, but it's remarkably powerful. In 2009, for example, hackers used Slowloris to take down multiple websites in Iran.  

The goal of the Slowloris is to bombard a server with multiple requests. In time, the server has too many open demands, and it crashes under the pressure. 

A typical attack follows this sequence:

  • Download code. A hacker needs help to make the Slowloris work, but the code is readily available online
  • Open the connection. The hacker sends many partial HTTP requests. The target opens a thread for each request. 
  • Pause the conversation. The attacker lengthens responses, sending back an update just frequently enough to keep the connection open. 
  • Open more connections. If the server continues to respond, the hacker sends more requests. 

Servers can't handle an indefinite amount of conversation. At some point, they will crash under the pressure of multiple, open requests. This denial of service attack lasts until the server terminates the conversation. 

Unless you catch it, a Slowloris attack can last indefinitely. And these problems are hard to spot. The traffic may seem slow, but it looks normal enough that it could slip past detection devices. The packets won't look malformed. They're just incomplete. 

Some web servers, including Apache and Microsoft IIS, are particularly vulnerable to the Slowloris.  

Can You Prevent a Slowloris Attack?

HTTP requests are foundation elements. You must accept them, or all of your web-based assets won't render for your employees or customers. Some vulnerability to Slowloris attacks is built into any system that runs online. 

But there are mitigation steps available, including:

  • Proxy servers. Place a tool in front of your vulnerable servers to handle requests like this. A proxy could buy you time while you fight back. 
  • Enhancements. Dig into your setup and allow your server to take on more connections.
  • Limitations. Restrict how many connections you'll allow from one IP address, and use a timer to cut off requests that take too long to complete. 
  • Restrictions. Don't allow slow transfer connections to your server. 

Despite your best work, you may experience at least one Slowloris attack. When you do, reset all of your connections and talk with your hosting provider immediately. You may need to reset preferences quickly so you can limit how long your site stays down.

Okta Can Help

We know that even thinking about a downed website makes you feel nervous, scared, and angry. A good offense is better than any well-planned defense. Work with a company that has years of experience in helping customers fend off threats. Contact Okta and see how we can help you.

References

An Overview of HTTP. (February 2021). Mozilla. 

Slowloris HTTP DoS. (April 2015). Ha.Ckers. 

Slowloris and Iranian DDoS Attacks. (June 2009). InfoSec. 

Performing a Genuine Slowloris Attack (SlowHTTP) of Indefinite Length in Kali Linux. (June 2019). Our Code World. 

Slowloris (Computer Security): Boring a Server to Death. (June 2019). Dev.