29 April 2013

Mitigate Slowloris attack

Slowloris is a piece of software written by Robert “RSnake” Hansen which allows a single machine to take down another machine’s web server with minimal bandwidth and side effects on unrelated services and ports. Slowloris tries to keep many connections to the target web server open and hold them open as long as possible. It accomplishes this by opening connections to the target web server and sending a partial request. Periodically, it will send subsequent HTTP headers, adding to—but never completing—the request. Affected servers will keep these connections open, filling their maximum concurrent connection pool, eventually denying additional connection attempts from clients.

Detecting Slowloris attack

You can use the command below to detect a Slowloris attack. It shows the number of HTTP connections per remote IP; if any single IP has more than 50 connections open, there is a good chance that you are under attack.

netstat -an | awk '$4 ~ /:80$/{ print $5 }' | cut -f1 -d":" | sort | uniq -c | sort -n
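As an added example (not code from the original post), the same per-IP count packaged as reusable shell functions and run over a constructed netstat sample. It goes slightly beyond the one-liner above: it skips the LISTEN socket itself, strips the peer port at the last colon so IPv6 peers are not truncated by cut -d":", and separates the threshold check from the counting. The sample addresses and the threshold of 2 are constructed for the demonstration; against a live host you would pipe netstat -an into conns_per_ip 80 and use the post's threshold of 50.

```shell
#!/bin/sh
# Added example, not code from the original post: per-IP connection counting
# in the spirit of the netstat pipeline above, as reusable functions that can
# also be run against a saved capture. The sample data below is constructed.

# Constructed "netstat -an" output standing in for a live host.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:80             198.51.100.7:51000      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:51001      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:51002      ESTABLISHED
tcp        0      0 10.0.0.5:22             198.51.100.7:51003      ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.9:40000       ESTABLISHED
tcp6       0      0 2001:db8::5:80          2001:db8:ffff::1:60000  ESTABLISHED
tcp6       0      0 2001:db8::5:80          2001:db8:ffff::1:60001  ESTABLISHED'

# conns_per_ip PORT: read "netstat -an" lines on stdin and print "count ip",
# ascending, for every peer connected to local port PORT. Only tcp/tcp6 rows
# are considered, the LISTEN socket itself is skipped, and the peer port is
# removed at the LAST colon so IPv6 addresses are kept intact.
conns_per_ip() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $4 ~ (":" port "$") && $6 != "LISTEN" {
            peer = $5
            sub(/:[0-9*]+$/, "", peer)   # drop ":51000" or ":*", keep the address
            count[peer]++
        }
        END { for (ip in count) print count[ip], ip }
    ' | sort -n
}

# suspicious_ips PORT LIMIT: print only the peers holding more than LIMIT
# concurrent connections to PORT (the post uses 50 as its alarm threshold).
suspicious_ips() {
    conns_per_ip "$1" | awk -v limit="$2" '$1 > limit { print $2 }'
}

# Stand-alone demo against the constructed sample (limit lowered to 2 so the
# small sample triggers). Live use: netstat -an | suspicious_ips 80 50
printf '%s\n' "$SAMPLE_NETSTAT" | conns_per_ip 80
printf '%s\n' "$SAMPLE_NETSTAT" | suspicious_ips 80 2
```

On hosts where netstat has been replaced by ss, the column layout differs (ss -tan prints State first and has no Proto column), so the field numbers in the awk filter would need adjusting; the last-colon port stripping stays the same.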

Affected Web Servers

  • Apache 1.x
  • Apache 2.x
  • dhttpd
  • GoAhead WebServer
  • WebSense “block pages” (unconfirmed)
  • Trapeze Wireless Web Portal (unconfirmed)
  • Verizon’s MI424-WR FIOS Cable modem (unconfirmed)
  • Verizon’s Motorola Set-top box (port 8082 and requires auth – unconfirmed)
  • BeeWare WAF (unconfirmed)
  • Deny All WAF (unconfirmed)

Solution:
Any one of the following solutions can be used to mitigate a Slowloris attack.

Using IPTables

Once a single IP has 50 concurrent connections to port 80, any further connections from it are dropped (--connlimit-mask 32 groups connections by individual IPv4 address).

iptables -I INPUT -p tcp --dport 80 -m connlimit --connlimit-above 50 --connlimit-mask 32 -j DROP

AntiSlowloris Apache Module

You can download the mod_antiloris module from the URL below and install it with apxs:

wget ftp://ftp.monshouwer.eu/pub/linux/mod_antiloris/mod_antiloris-0.4.tar.bz2
tar xjvf mod_antiloris-0.4.tar.bz2
cd mod_antiloris-0.4
apxs -cia mod_antiloris.c
/etc/init.d/httpd restart

To verify that it is loaded, run the command below; it should list the module:

# httpd -M | grep antiloris
antiloris_module (shared)

ModSecurity Rule

The ModSecurity rules below help mitigate a Slowloris attack. Apache answers a client that does not finish sending its request before the Timeout expires with a 408 Request Timeout; the first rule counts those 408 responses per client IP and lets the counter expire after 60 seconds, and the second rule drops the connection of any client that has accumulated more than 5 of them. Both rules rely on the persistent ip collection, which must be initialised earlier in the configuration by an initcol action keyed on the client address.

SecRule RESPONSE_STATUS "@streq 408" \
    "phase:5,t:none,nolog,pass,setvar:ip.slow_dos_counter=+1,expirevar:ip.slow_dos_counter=60,id:'1234123456'"
SecRule IP:SLOW_DOS_COUNTER "@gt 5" \
    "phase:1,t:none,log,drop,msg:'Client Connection Dropped due to high # of slow DoS alerts',id:'1234123457'"
