
Slowloris attack on the Apache web server

The slow loris is an animal living in Southeast Asia, known for its slowness and measured movements. A new DoS and DDoS attack on the Apache web server was named after it.


This type of attack was made public by the security researcher RSnake on June 17 and is described in detail at http://ha.ckers.org/blog/20090617/slowloris-http-dos
The attack consists of sending new HTTP headers within a single HTTP request very slowly, one after another, never completing the request.

Because Apache allocates resources for a request very early, one such request consumes a "full-fledged" set of resources, the same as a regular request.

As you know, Apache handles requests with either processes or a mix of processes and threads. Using threads lets you postpone the collapse, but sooner or later Apache runs into a memory limit or a limit set by the administrator.

Most unpleasantly, a Slowloris attack leaves no trace except a huge number of open connections in the ESTABLISHED state. There will not even be entries in access_log.
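Since the only trace is the pile of ESTABLISHED sockets, one practical check is to count concurrent web connections per peer address from the socket table. The following is an added example, not from the article; it assumes the headerless column layout of `ss -Htn state established` and a guessed per-peer threshold, and the sample socket lines are constructed.

```python
"""Count ESTABLISHED web connections per peer to spot Slowloris-style hoarding.

Added example, not the article's code. Assumes `ss -Htn state established`
prints: Recv-Q Send-Q Local:Port Peer:Port (no header, no State column).
"""
import re
import subprocess
from collections import Counter

WEB_PORTS = {80, 443}
THRESHOLD = 50  # assumption: a browser keeps only a handful of connections per host

# Constructed sample: one peer holding 60 idle connections to port 80,
# one normal peer with 3 HTTPS connections, one IPv6 peer, one SSH session.
SAMPLE = "\n".join(
    [f"0 0 10.0.0.5:80 203.0.113.7:{51000 + i}" for i in range(60)]
    + [f"0 0 10.0.0.5:443 198.51.100.2:{40000 + i}" for i in range(3)]
    + ["0 0 [2001:db8::5]:80 [2001:db8::99]:55123",
       "0 0 10.0.0.5:22 198.51.100.2:40100"]
)

# Greedy \S+ backtracks to the last ':' so bracketed IPv6 addresses parse too.
LINE_RE = re.compile(r"^\s*\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s*$")


def parse_established(text):
    """Yield (local_port, peer_ip) for every well-formed socket line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip stray headers or truncated lines
        yield int(m.group(2)), m.group(3).strip("[]")


def suspicious_peers(text, ports=WEB_PORTS, threshold=THRESHOLD):
    """Return {peer_ip: count} for peers holding >= threshold web connections.
    Many idle ESTABLISHED sockets with nothing in access_log is the signature."""
    counts = Counter(peer for port, peer in parse_established(text) if port in ports)
    return {peer: n for peer, n in counts.items() if n >= threshold}


def check_live(threshold=THRESHOLD):
    """Run the real `ss` on this host and return suspicious peers."""
    out = subprocess.run(["ss", "-Htn", "state", "established"],
                         capture_output=True, text=True, check=True).stdout
    return suspicious_peers(out, threshold=threshold)


if __name__ == "__main__":
    for peer, n in sorted(suspicious_peers(SAMPLE).items(), key=lambda kv: -kv[1]):
        print(f"{peer}: {n} ESTABLISHED connections to the web port")
```

A legitimate proxy or NAT gateway can also hold many connections, so treat the count as a prompt to inspect the request state of those sockets rather than as a verdict on its own.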

Initially, the Apache developers did not respond very actively to RSnake's message on the mailing list, replying that this attack had long been known and was a shortcoming not of the web server itself but of the TCP stack. Later, however, the Apache developers got moving and began actively discussing ways to solve the problem.

Web servers built on a state machine are not susceptible to this attack. Thus the easiest way to protect yourself from Slowloris is a two-tier architecture in which the first hop is a web/proxy server built on a state machine, such as nginx.

Other possible solutions are HTTP accept filters in FreeBSD and tricky firewall rules, which, however, may also cut off legitimate slow users.

Besides actually changing the architecture, the Apache developers agree on the need to implement smaller, local timeouts. Currently, Apache 2.2 implements a single timeout that governs almost all I/O operations.

More information can be found on the httpd-dev mailing list and in an LWN article that is not yet open to public access.

Source: https://habr.com/ru/post/62980/
