Researcher devises hard-to-detect denial-of-service attack against HTTP servers

Qualys software engineer devises a new type of slow HTTP DoS attack and releases tool to test it

Qualys senior software engineer Sergey Shekyan has devised a new HTTP denial-of-service (DoS) attack method which relies on prolonging the time clients need to read Web server responses.

Shekyan's method is dubbed Slow Read DoS and is based on previous research by Robert Hansen, the creator of the Slowloris HTTP DoS tool and the late Jack C. Louis, who developed Sockstress, a proof-of-concept application that applies the slow read attack concept to TCP stacks.

Unlike Slowloris, which works by slowing down HTTP requests in order to fill the Web server's concurrent connection pool and prevent it from serving legitimate clients, Shekyan's Slow Read DoS attack works by slowing down the server's responses.

"The idea of the attack I implemented is pretty simple: Send a legitimate HTTP request and read the response slowly, aiming to keep as many connections as possible active," Shekyan said.

In order to achieve this, the size of the server's response must be larger than what its send buffer can hold at any given time. Large responses are split into smaller chunks and get sent individually.

The second requirement is to keep the server's send buffer full for a long period with other data chunks pending in order to keep the connection with the client active. This is done by reducing the client's ability to receive data to a value that is smaller than the server's send buffer.

"TCP doesn't advertise the server's send buffer size, but we can assume that it is the default value, which is usually between 65Kb and 128Kb. There's normally no need to have a send buffer larger than that," Shekyan explained.

In order to force a large-enough response, the client must request a resource bigger than 128Kb. Finding a file that size hosted on the server shouldn't be difficult in most cases, but even if there isn't one, if the server supports HTTP pipelining - and most do - the same effect can be achieved by requesting a smaller resource multiple times.

This is similar to how tools like Sockstress and Nkiller2 work, but while they use specially crafted TCP packets and target raw sockets, Shekyan's method applies the concept to HTTP servers.

The software engineer implemented his attack technique into the latest version of slowhttptest, an open source slow DoS test application developed at Qualys. "We still think it's worthwhile to have a configurable tool to help people focus and design defense mechanisms, since this vulnerability still exists on many systems three years after it was first discovered, and I consider Slow Read DoS attacks are even lower profile and harder to detect than slowloris and slow POST attacks," Shekyan said.

Administrators who wish to test whether their servers are vulnerable to Slow Read DoS, but don't want to actively attack them with slowhttptest, should check if they accept initial SYN packets with an abnormally small advertised window, if they don't send RST or FIN after 30 seconds when recipients can't accept the data and if persistent connections (keep-alive) or HTTP pipelining are enabled. "If all three conditions are met, we can assume the server is vulnerable to Slow Read DoS attack," Shekyan said.

According to Shekyan, HTTP servers like Apache, nginx, lighttpd and IIS 7.5 are vulnerable in their default configuration. Fortunately, some of them have built-in protection that can be turned on, while others have modules capable of enforcing the necessary restrictions to mitigate the attacks.

"Apache is vulnerable in its default configuration, but MPM Event, for example, handles slow requests and responses significantly better than other modules, but falls back to worker MPM behavior for SSL connections. Mod_security supports attributes to control how long a socket can remain in read or write state," Shekyan said.

Show Comments