Single Computer DoS – Slow Loris Attack

Usually, hackers use a lot of computers (or toasters) to take down a server by overwhelming it with traffic. However, the same goal can sometimes be achieved with a single computer. In this article, I’m going to analyze my favorite denial of service attack known as Slow Loris attack and python code implementation from github. I found and tested 2 python Slow Loris scripts from the same author – advanced one which is ready for randomizing User Agent headers, proxies, SSL and other good stuff. However, this code is more appropriate to illustrate the idea behind the attack, and works just as well. It can be run on any operating system that supports python.

This article is for academic and entertainment purposes only. Please don’t use it maliciously.

Theory

In a clients-server HTTP connection, end of a HTTP packet is marked with 2 consecutive newline characters ([CRLF]). If those 2 characters never come, sending/receiving of the HTTP packet is not going to end. The idea in Slow Loris attack is to open as many concurrent HTTP requests and keep them alive infinitely (with minimum resources) to deplete the resources in the application layer on the server because it has to wait for every connection.

While most servers such as Apache make use of a timeout to terminate incomplete HTTP requests – the timeout is set to 300 seconds by default and is re-set as soon as the client sends additional data. That’s why the attacker does send some data, but painfully slowly – hence the name.

Slow Loris achieves DoS by starting many concurrent HTTP connections and sending a byte of data every 15 seconds. Of course, timing should be adjusted in relation to timeout on a specific server, but it’s often effective even with 15 seconds timeout. Because attacker’s computer sends only few bytes per 15 seconds per connection, some servers can go down while the attacker uses his internet as if nothing’s going on.

Affected Servers

This attack mostly affects apache webservers because of the fact that apache starts a new thread for each connection. That is the key factor that makes the difference of attack succeeding or not. Unless of course, someone implemented a mitigation for this type of attack.

Today, about 50% of websites are hosted on apache servers. Along with some other servers, it makes it a very useful attack for a hacker to include in his arsenal.

Also, apache webservers can easily be found with Google’s search functionalities, e.g.

Python Implementation

Program gets the target server IP or DNS name as a command line argument. Here’s how it should look like (I set socket_count to 5 to avoid any trouble):

First, it opens a number of HTTP connections equal to socket_count (integer from 20^th line) . Then, it starts an infinite while loop that keeps those connections alive by sending a random number (1 to 5000) each 15 seconds (specified in 58^th line), resetting the timeout period.

Conclusion

I highly recommend testing your websites because it’s so easy. If it works, it’s going to take a few minutes to cause a DoS. If it doesn’t, try increasing the socket_count as much as your PC can handle. Also, don’t forget to optimize the timeout period. Depending on attacker’s bandwitdth, it may take more than 1 computer to take down some vulnerable sites.

Hopefully, this attack will get more attention and more people will start protecting their servers. Luckily, there are many tutorials that make securing against this type of attack pretty straightforward.