How ModShield Prevents Slowloris Attacks ?

How ModShield Prevents Slowloris Attacks ?

May 13, 2024
Slowloris DDos attacks

Defending Against Slowloris: How ModShield prevents DDoS Attacks

What is a Slowloris DDoS Attack?

The Slowloris attack is a denial of service attack that affects web servers by keeping connections open for as long as possible. Robert “RSnake” Hansen developed it, and it is particularly noteworthy due to its ability to bring a server down using minimal resources from the attacker’s end.

The goal of this kind of cyber assault was to create a large number of concurrent TCP connections to a target FQDN, generate a low rate and volume of HTTP requests or HTTP connections per linked session, and overwhelm a single machine, web server, database, or API. Specific malicious IP addresses will initiate numerous TCP connection attempts and utilize the extra open connections or sessions, combining incoming requests to deplete database or application resources.

How does it work?

Slowloris operates by initiating connections to the target web server and sending partial requests. The attack is designed never to complete the requests. It keeps the connections open by sending header lines periodically, which prevents the server from closing the connection due to inactivity. As a result, servers keep waiting for the headers of the HTTP request to finish. When Slowloris consumes all the available connections, legitimate users cannot establish a connection, leading to a denial of service. Attackers use Slowloris attacks to expose security vulnerabilities, protest, or seek revenge. These attacks are easy to execute and cause significant disruption, making them a continued threat in the cyber world.

Why do Slowloris DDoS attacks occur?

Slowloris DDoS attacks occur primarily because they provide an efficient method for an attacker to disrupt web service operations with minimal resources. By exploiting limitations in how web servers handle simultaneous connections, these attacks can be executed quietly, making them more challenging to detect and address promptly. The simplicity and stealth of Slowloris attacks make them a popular choice for a range of actors with malicious intent, including those looking to cause harm for ideological reasons, those seeking to extort businesses by crippling their online services, or even rival companies looking to undermine competitors.

Here’s a step-by-step breakdown of the Slowloris mechanism:

  • Initiate Connections: Slowloris begins by making multiple connections to the target server.
  • Send Partial Headers: It sends a partial HTTP request and doesn’t complete it.
  • Maintain Connections: The attacker periodically sends additional HTTP headers but not the end of the request.
  • Consumption of Server Slots: Slowloris takes up a slot on the web server with each connection it makes, eventually using up all of the slots.
  • Denial of Service: Genuine users cannot connect as no free slots are available, causing a denial of service.

How are Slowloris Attacks Different from Other DoS Attacks?

Slowloris attacks differ from other forms of Denial of Service (DoS) attacks in several key ways:

Tactical Subtlety

  • Low Bandwidth: Slowloris doesn’t flood the target with massive traffic, which typically characterizes volumetric DoS attacks. Instead, it uses minimal bandwidth and can be conducted with a single machine.
  • Less Noise: Due to its low footprint, Slowloris attacks can be more challenging to detect with conventional network traffic monitoring tools, as they do not cause significant spikes in traffic.

Target Specificity

  • Focused Impact: While many DoS attacks aim to saturate the entire network or various network components, Slowloris is designed to target web servers specifically, affecting the web server’s ability to establish new connections without necessarily impacting other services or ports on the network.

Resource Exhaustion Technique

  • Connection Saturation: Slowloris’s primary goal is to exhaust the server’s connection pool. It holds as many connections to the web server open for as long as possible rather than overwhelming the server with large volumes of data.

Server limitation

Server Resources: Slowloris occupies threads or processes that handle incoming connections on the web server by keeping connections open. This differs from bandwidth-intensive attacks that aim to saturate the network’s capacity.

How to mitigate Slowloris attack?

Mitigating a Slowloris attack involves a combination of preventive measures and configuration adjustments to your server:

Reduce Timeout Values: Adjust your server’s timeout settings. Lower the time it takes for your server to close a connection if it’s incomplete, making it harder for Slowloris to maintain its connections.

Increase Connection Limits: Increase the maximum number of concurrent connections your server can handle. This makes it more difficult for an attacker to use all available connections, but this must be done cautiously to avoid overloading the server with legitimate traffic.

Use Load Balancers: Deploy load balancers that can distribute traffic across multiple servers, effectively increasing your capacity to handle incoming connections and identify malicious traffic patterns.

Employ Rate Limiting: Set up rate limiting to control the rate at which connections and requests are accepted. This can reduce the efficacy of a Slowloris attack.

Apply Firewall Rules: Configure firewall rules to detect and block IPs opening connections without sending complete requests within a specific timeframe.

Install DDoS Mitigation Tools: Use specialized DDoS mitigation hardware or software to recognize and respond to Slowloris and other DDoS attacks.

Keep Software Updated: Regularly update your server software to the latest versions, which may include patches for known vulnerabilities that a Slowloris attack could exploit.

Connection Tracking: Implements connection tracking at the network edge to identify and block malicious sources, maintaining numerous concurrent connections.

How does Modshield SB prevent DDoS and Slowloris attacks?

The DDoS Protection feature of Modshield SB filters all incoming traffic to prevent layer seven attacks like slowloris from reaching origin servers. By customizing these rules, Modshield can enforce limitations on HTTP protocol usage, such as the size and structure of payloads, the rate of requests, and the length of sessions. It can detect and prevent Slowloris attacks by identifying and dropping connections that hold onto resources without completing their requests within a specified time limit.

Modshield SB protects networks, websites, DNS servers, and individual IP addresses against the most potent and sophisticated DDoS attacks, including network, protocol, and application-level attacks, with the slightest disturbance to business operations. Cloud-based technology prevents monetary losses and significant reputational harm by maintaining online organizations’ high-performance levels despite attacks.

To safeguard vital applications, APIs, data, and networks, Modshield SB provides an extensive range of defense-in-depth security solutions with several lines of defense. It offers protection against all application-layer assaults and includes the web application firewall (WAF), advanced bot prevention, DDoS protection, API security, and more.

Experience ultimate website security with Modshield SB WAF - Protect Today!

Experience ultimate website security with Modshield SB WAF - Protect Today!

Stay protected from cyber threats with Modshield SB (WAF) - Your first line of defense for application security.