'Slow read' webserver DoS attack; just 1 PC suffices according to newly developed PoC.

Discussion in 'other security issues & news' started by Baserk, Jan 7, 2012.

Baserk (Registered Member, joined Apr 14, 2008) wrote:
    Sergey Shekyan from Qualys Security Labs has developed a PoC showing that one PC can suffice to perform a DoS attack against a webserver while the chance of detection is relatively low.

    "While developing the slowhttptest tool, I thought about this burger scenario, and became curious about how HTTP servers react to slow consumption of their responses. There are so many conversations about slowing down requests, but none of them cover slow responses. After spending a couple of evenings implementing proof-of-concept code, I pointed it to my so-many-times-tortured Apache server and, surprisingly, got a denial of service as easily as I got it with slowloris and slow POST.

    Let me remind you what slowloris and slow POST are aiming to do: A Web server keeps its active connections in a relatively small concurrent connection pool, and the above-mentioned attacks try to tie up all the connections in that pool with slow requests, thus causing the server to reject legitimate requests, as in the first restaurant scenario.

    The idea of the attack I implemented is pretty simple: Bypass policies that filter slow-deciding customers, send a legitimate HTTP request and read the response slowly, aiming to keep as many connections as possible active. Sounds too easy to be true, right?"

    Ars Technica link, Qualys.com blog link
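As an added example (not code from the post, from Shekyan's blog, or from the slowhttptest tool), the Python below models the defender's side of the scenario the post describes: a server with a small concurrent connection pool, a client that consumes its response far too slowly, and a watchdog that frees the slot once a connection's delivery rate falls below a floor after a grace period. The pool size, rate floor, grace period and the three sample connections are all constructed values; the mitigation idea matches what request/response timeout modules in real servers do, but the class and method names here are assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass
class Connection:
    """One active client connection: tracks how much of the response the
    client has consumed.  The 'delivered' counter advances only when the
    client reads, so a slow reader leaves it nearly flat."""
    conn_id: str
    opened_at: float        # seconds on a monotonic clock
    response_bytes: int     # size of the response the server must send
    delivered: int = 0      # bytes consumed by the client so far

    def rate(self, now: float) -> float:
        """Average delivery rate in bytes/second since the connection opened."""
        elapsed = now - self.opened_at
        return self.delivered / elapsed if elapsed > 0 else float("inf")

    def complete(self) -> bool:
        return self.delivered >= self.response_bytes


class ConnectionPool:
    """Bounded pool (the 'relatively small concurrent connection pool' from the
    post) with a watchdog that frees slots held by slow readers.
    Hypothetical class; parameters are constructed for the demo."""

    def __init__(self, capacity: int, min_rate: float, grace: float):
        self.capacity = capacity      # concurrent connection slots
        self.min_rate = min_rate      # bytes/s a client must sustain
        self.grace = grace            # seconds before the rate check applies
        self.active: dict[str, Connection] = {}

    def accept(self, conn: Connection) -> bool:
        """Admit a connection if a slot is free; otherwise reject it, which is
        exactly the denial of service the attack aims to cause."""
        if len(self.active) >= self.capacity:
            return False
        self.active[conn.conn_id] = conn
        return True

    def deliver(self, conn_id: str, nbytes: int) -> None:
        """Record that the client consumed nbytes of its response."""
        self.active[conn_id].delivered += nbytes

    def evict_slow_readers(self, now: float) -> list[str]:
        """Close connections that, after the grace period, are consuming the
        response below min_rate.  Completed responses are never evicted.
        Returns the ids of the connections that were closed."""
        evicted = []
        for cid, conn in list(self.active.items()):
            if conn.complete():
                continue
            if now - conn.opened_at < self.grace:
                continue        # too early to judge a freshly opened connection
            if conn.rate(now) < self.min_rate:
                evicted.append(cid)
                del self.active[cid]
        return evicted

    def free_slots(self) -> int:
        return self.capacity - len(self.active)


def demo() -> dict:
    """Constructed scenario: three slots, one normal client and two readers
    that consume almost nothing.  Returns the watchdog's effect at t=10 s."""
    pool = ConnectionPool(capacity=3, min_rate=500.0, grace=5.0)
    pool.accept(Connection("legit", opened_at=0.0, response_bytes=50_000))
    pool.accept(Connection("slow-a", opened_at=0.0, response_bytes=50_000))
    pool.accept(Connection("slow-b", opened_at=8.0, response_bytes=50_000))
    pool.deliver("legit", 20_000)    # ~2000 B/s over 10 s: healthy client
    pool.deliver("slow-a", 100)      # 10 B/s: a slow reader holding a slot
    # With every slot occupied, a legitimate new request is turned away.
    rejected_before = not pool.accept(Connection("new", 10.0, 1_000))
    evicted = pool.evict_slow_readers(now=10.0)
    free_after_eviction = pool.free_slots()
    accepted_after = pool.accept(Connection("new", 10.0, 1_000))
    return {
        "rejected_before": rejected_before,
        "evicted": evicted,
        "free_after_eviction": free_after_eviction,
        "accepted_after": accepted_after,
    }


if __name__ == "__main__":
    print(demo())
```

The grace period matters: "slow-b" opened two seconds before the check and has delivered nothing, but it is not evicted yet, because judging a brand-new connection on its average rate would also cut off clients on slow or lossy links. Tuning the floor and the grace period against real traffic is the practical work of deploying this kind of mitigation.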