Slowloris

  • Fabian Sinner
  • December 4, 2024


Slowloris is a type of DDoS attack in which the attacker attempts to overload a web server by holding multiple concurrent connections. The attack works by the attacker opening a connection to the server and sending an HTTP request, but intentionally making it incomplete. The server waits for the request to become complete and keeps the connection open as a result. 

Since the server can handle a limited number of concurrent connections, the Slowloris attack slowly fills up those connections until it can no longer accept new connections. This renders the server inaccessible to legitimate requests without crashing it completely or giving it a clear indication that an attack is taking place. 

How does a Slowloris attack work?

A Slowloris attack works by flooding a web server with half-open connections, that is, connections on which an HTTP request has been started but never completed, exhausting the server’s resources without using large amounts of bandwidth.

  1. Opening a connection:

The attacker connects to a web server and starts a normal HTTP request. For example, they send the request line “GET / HTTP/1.1”, which normally asks the server to deliver a web page.

  2. Request remains incomplete:

Instead of quickly completing the request, the attacker sends the remaining HTTP headers very slowly and in pieces. Each new header line is sent at very long time intervals (e.g., every few seconds) to keep the web server busy. 

  3. Server keeps connection open:

The server waits for the entire HTTP request to be received before sending a response. Since the request remains incomplete, the server keeps the connection open and reserves resources to wait for the complete request. 

  4. Multiple connections are opened:

The attacker repeats this process many times by maintaining several half-open connections. Since web servers can only handle a limited number of simultaneous connections, these half-open connections cause the server to reach its capacity and reject new connections (including legitimate ones). 

  5. Server overload:

Once the server has reached the maximum number of connections, it is no longer able to process new requests. This results in the server being inaccessible to legitimate users, even though it is technically still running. Unlike other types of DoS attacks, this one doesn’t consume a lot of bandwidth or processing power. 

What are the objectives of a Slowloris attack?

The objectives of a Slowloris attack can be explained primarily in terms of how the attack works and what effects it has. Essentially, a Slowloris attack aims to impair the availability of a web server without using a lot of resources or bandwidth.  

Denial of Service (DoS) – blocking server availability: 

The primary goal of a Slowloris attack is to tie up a web server’s resources to the point where it can no longer accept further connections from legitimate users. The attacker achieves this by “clogging” the server with many half-open connections, causing it to reject new connections. This results in a denial of service (DoS), whereby the server continues to run but is no longer able to respond to real requests. 

Exhaust server resources: 

The attack aims to overload the web server’s resources, especially processing resources (such as CPU and memory), by forcing the server to maintain many half-open connections. This can cause the server to become unstable or severely affect its performance. 

Low profile attack: 

Another goal of the Slowloris attack is to be as inconspicuous as possible. Since Slowloris uses only a small amount of bandwidth and slow requests, the attack often goes unnoticed, especially compared to traditional DDoS attacks, which are noticeable due to massive amounts of data. This allows attackers to exhaust server resources without it being immediately clear that an attack is taking place. 

Targeted attack on specific services: 

Slowloris often targets specific services that are particularly vulnerable to this type of attack, e.g., web servers like Apache that keep connections open for long periods of time. The attack focuses on individual servers or services without affecting the entire network or other infrastructure components. 

Low effort for the attacker: 

Another goal for the attacker is to achieve maximum impact with minimal effort. Since Slowloris requires little bandwidth and does not need significant infrastructure for the attack, even individuals with simple means can carry out such attacks. 

Cause economic damage: 

The attack can interrupt the operation of a website or web service, which can result in significant economic losses, especially for commercial websites (e.g., online shops, financial service providers). Even short periods of downtime can affect customer confidence and lead to a loss of sales.

Testing security vulnerabilities: 

An attacker can also use a Slowloris attack to test the security of a web server. If the server is vulnerable to Slowloris, this indicates inadequate security configurations. The attacker can thus identify vulnerabilities that can later be exploited for other types of attacks. 

How can you protect yourself from a Slowloris attack?

To protect yourself from a Slowloris attack, there are several measures that can be implemented both at the server configuration level and through network protection mechanisms. An important protective measure is to limit the number of simultaneous connections per IP. This prevents a single IP address from keeping too many connections open.  

In addition, it may be useful to reduce the timeout times for connections in order to reject slow or incomplete requests more quickly. Reducing keep-alive timeouts also helps to ensure that resources are released more quickly and that the server is not overloaded. 

At the network protection level, firewalls and rate limiting play central roles. A firewall can be configured to limit the number of concurrent connections per IP address and to block unusually slow or repeated requests. The use of reverse proxies and load balancers is another effective method of protection against Slowloris attacks. These systems act as a buffer between the web server and the incoming connections and close incomplete connections more quickly. Reverse proxies can also distribute the traffic so that individual servers are not overloaded. 

Special server modules can also help to ward off Slowloris attacks. For Apache servers, the mod_reqtimeout module can be used to set time limits for incoming requests and to terminate slow connections at an early stage. Similarly, corresponding settings can be made for Nginx to detect and block suspicious requests.
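
The following added example (not from the original article) shows why a timeout that only measures the gap between reads does not release a trickled request, while a deadline for the whole header block does. The second function is a simplified model of the documented meaning of Apache's `RequestReadTimeout header=20-40,MinRate=500`; the function names and the arrival traces are constructed for illustration.

```python
# Added example: simplified models of two server-side header-read policies.
# A trace is a list of (seconds_since_accept, bytes_received, headers_complete).

def idle_timeout(trace, idle=30.0):
    """Per-read timeout only: the clock restarts whenever any bytes arrive."""
    last = 0.0
    for t, _nbytes, complete in trace:
        if t - last > idle:
            return ("dropped", last + idle)
        if complete:
            return ("served", t)
        last = t
    return ("held", last)  # still occupying a connection slot at end of trace


def header_deadline(trace, initial=20.0, maximum=40.0, min_rate=500):
    """Deadline for the whole header block, modelled on the documented meaning
    of Apache's `RequestReadTimeout header=20-40,MinRate=500`: start with
    `initial` seconds, add 1 s per `min_rate` bytes received, cap at `maximum`."""
    received, deadline = 0, initial
    for t, nbytes, complete in trace:
        if t > deadline:
            return ("dropped", deadline)
        if complete:
            return ("served", t)
        received += nbytes
        deadline = min(maximum, initial + received / min_rate)
    return ("held", trace[-1][0])


# Constructed traces (not captured traffic).
TRACES = {
    "normal": [(0.05, 420, True)],
    "large_headers_slow_link": [(5, 2000, False), (15, 4000, False), (25, 2000, True)],
    # One short header line every 10 s for 10 minutes, never finishing.
    "trickle": [(0.0, 18, False)] + [(10.0 * i, 12, False) for i in range(1, 61)],
}


def compare():
    """Run both policies over every trace: name -> (idle result, deadline result)."""
    return {name: (idle_timeout(tr), header_deadline(tr)) for name, tr in TRACES.items()}


if __name__ == "__main__":
    for name, (idle_result, deadline_result) in compare().items():
        print(f"{name:24} idle={idle_result} deadline={deadline_result}")
```

The legitimate client on a slow link is still served because the bytes it delivers extend its deadline, whereas the trickled request is cut off shortly after 20 seconds.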

The use of Content Delivery Networks (CDNs) offers additional protection, as CDNs distribute traffic across multiple servers worldwide, which helps to mitigate this type of attack. These networks act as a buffer and filter out malicious requests before they reach the actual web server. 

Another protective mechanism is the continuous monitoring of the server. With the help of monitoring tools, unusual connection activity can be quickly detected. Sudden increases in the number of half-open connections can be detected early and appropriate countermeasures initiated. Regular checks of log files help to identify and stop suspicious activity in a timely manner. 
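
One way to turn this monitoring into a concrete check, as an added example that is not part of the original article: it flags connections that are still sending headers long after they were accepted, groups them per source IP, and reports how much of the connection pool they occupy. The snapshot format, thresholds, function names and addresses (documentation ranges) are assumptions constructed for illustration.

```python
from collections import Counter

# Constructed snapshot in a hypothetical export format, one open connection
# per line: client_ip state age_seconds bytes_received.
# "reading" means the request headers are not complete yet.
SNAPSHOT = "\n".join(
    [f"198.51.100.7 reading {90 + i} {30 + 12 * i}" for i in range(5)]
    + [
        "203.0.113.20 reading 2 310",     # just connected, normal
        "192.0.2.9 reading 25 6000",      # slow link, but real data is flowing
        "203.0.113.21 sending 40 512",    # response in progress
        "203.0.113.22 keepalive 12 498",  # idle keep-alive
    ]
)


def slow_readers(snapshot, min_age=20, max_rate=50.0):
    """Return client IPs (one entry per connection) that are still sending
    headers after `min_age` seconds at less than `max_rate` bytes/second."""
    hits = []
    for line in snapshot.splitlines():
        ip, state, age, received = line.split()
        age, received = int(age), int(received)
        if state == "reading" and age >= min_age and received / age < max_rate:
            hits.append(ip)
    return hits


def assess(snapshot, max_workers, per_ip_limit=3, pool_share=0.5):
    """Flag sources above the per-IP limit and report how much of the
    connection pool is tied up by stalled header reads."""
    per_ip = Counter(slow_readers(snapshot))
    suspects = sorted(ip for ip, n in per_ip.items() if n > per_ip_limit)
    share = sum(per_ip.values()) / max_workers
    return {"suspects": suspects, "stalled_share": share,
            "alert": bool(suspects) or share >= pool_share}


if __name__ == "__main__":
    print(assess(SNAPSHOT, max_workers=10))
```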

Combining these measures can significantly increase protection against Slowloris attacks and reduce the likelihood of a server falling victim to such an attack. 
