Slow HTTP attacks are denial-of-service (DoS) attacks in which the attacker sends HTTP requests in pieces slowly, one at a time to a Web server. If an HTTP request is not complete, or if the transfer rate is very low, the server keeps its resources busy waiting for the rest of the data. When the server’s concurrent connection pool reaches its maximum, this creates a DoS. Slow HTTP attacks are easy to execute because they require only minimal resources from the attacker.
Attack exploits the fact that most of modern web servers are not limiting the connection duration if there is a data flow going on, and with possiblity to prolong TCP connection virtually forever with zero or minimal data flow by manipulating TCP receive window size value, it is possible to acquire concurent connections pool of the application. Possibility to prolong TCP connection is described in several vulnerability reports: MS09-048, CVE-2008-4609, CVE-2009-1925, CVE-2009-1926 .
Prerequisites for the successful attack are: - victim server should accept connections with advertised window smaller than server socket send buffer, the smaller the better – attacker needs to request a resource that doesn't fit into server's socket send buffer, which is usually between 64K and 128K. To fill up server socket's send buffer for sure, consider using HTTP pipelining (-k argument of slowhttptest)
slowhttptest controls the incoming data rate by manipulating receive buffer size through SO_RCVBUF socket option and by varying reading rate from it by application. Note, that different operating systems might have different behavior. For example, OSX uses the value we set SO_RCVBUF to in initial SYN packet, while Linux systems double this value (to allow space for bookkeeping overhead) when it is set using setsockopt. Minimum doubled value for Linux systems is 256 or the first value of /proc/sys/net/ipv4/tcp_rmem, whichever is larger. Also, changing receive buffer size on OSX doesn't work if connecting to localhost.
For SSL connections, slow reading from receive buffer engages after SSL handshake is finished. However, as initial window size is smaller than usual, handshake might require more TCP packets and last longer than usual.
- https://community.qualys.com/blogs/securitylabs/2011/11/02/how-to-protect-against-slow-http-attacks
- http://ha.ckers.org/slowloris/
- ModReqtimeout (Recommended) : Source 1, Source 2 , sourcecode
- ModQoS (most effective after testing): Source 1
- ModSecurity : Source 1 , Source 2 , sourcecode
LoadModule reqtimeout_module /usr/lib64/httpd/modules/mod_reqtimeout.so
# Wait max 10 seconds for the first byte of the request line+headers
# From then, require a minimum data rate of 500 bytes/s, but don't
# wait longer than 20 seconds in total.
RequestReadTimeout header=10-20,minrate=500
# Wait max 10 seconds for the first byte of the request body (if any)
# From then, require a minimum data rate of 500 byte/s.
RequestReadTimeout body=10,minrate=500
Result : stopped the attac after 10 seconds , but allowed to atackker te retry after x time
LoadModule qos_module /usr/lib64/httpd/modules/mod_qos.so
<IfModule mod_qos.c>
# handles connections from up to 100000 different IPs
QS_ClientEntries 100000
# will allow only 50 connections per IP
QS_SrvMaxConnPerIP 50
# maximum number of active TCP connections is limited to 256
MaxClients 256
# disables keep-alive when 70% of the TCP connections are occupied:
QS_SrvMaxConnClose 180
# minimum request/response speed (deny slow clients blocking the server, ie. slowloris keeping connections open without requesting anything):
QS_SrvMinDataRate 150 1200
# and limit request header and body (careful, that limits uploads and post requests too):
# LimitRequestFields 30
# QS_LimitRequestBody 102400
</IfModule>
Result : most effective, stopped the atack after 1 second and stopt the attacker from using the same ip again
exampel log files afther attack :
[Fri Feb 14 13:37:06 2014] [error] mod_qos(031): access denied, QS_SrvMaxConnPerIP rule: max=50, concurrent connections=51, c=2a02:1800:1e1:6001::701:a1
[Fri Feb 14 13:37:06 2014] [error] mod_qos(031): access denied, QS_SrvMaxConnPerIP rule: max=50, concurrent connections=51, c=2a02:1800:1e1:6001::701:a1
[Fri Feb 14 13:37:06 2014] [error] mod_qos(031): access denied, QS_SrvMaxConnPerIP rule: max=50, concurrent connections=51, c=2a02:1800:1e1:6001::701:a1
[Fri Feb 14 13:37:06 2014] [error] mod_qos(031): access denied, QS_SrvMaxConnPerIP rule: max=50, concurrent connections=51, message repeated 20 times, c=2a02:1800:1e1:6001::701:a1
[Fri Feb 14 13:37:07 2014] [error] mod_qos(031): access denied, QS_SrvMaxConnPerIP rule: max=50, concurrent connections=51, message repeated 20 times, c=2a02:1800:1e1:6001::701:a1
[Fri Feb 14 13:37:07 2014] [error] mod_qos(031): access denied, QS_SrvMaxConnPerIP rule: max=50, concurrent connections=51, message repeated 20 times, c=2a02:1800:1e1:6001::701:a1
[Fri Feb 14 13:37:07 2014] [error] mod_qos(031): access denied, QS_SrvMaxConnPerIP rule: max=50, concurrent connections=51, message repeated 20 times, c=2a02:1800:1e1:6001::701:a1
[Fri Feb 14 13:37:07 2014] [error] mod_qos(031): access denied, QS_SrvMaxConnPerIP rule: max=50, concurrent connections=51, message repeated 20 times, c=2a02:1800:1e1:6001::701:a1
[Fri Feb 14 13:37:07 2014] [error] mod_qos(031): access denied, QS_SrvMaxConnPerIP rule: max=50, concurrent connections=51, message repeated 20 times, c=2a02:1800:1e1:6001::701:a1
[Fri Feb 14 13:37:07 2014] [error] mod_qos(031): access denied, QS_SrvMaxConnPerIP rule: max=50, concurrent connections=51, message repeated 20 times, c=2a02:1800:1e1:6001::701:a1
[Fri Feb 14 13:37:07 2014] [error] mod_qos(031): access denied, QS_SrvMaxConnPerIP rule: max=50, concurrent connections=51, message repeated 20 times, c=2a02:1800:1e1:6001::701:a1
[Fri Feb 14 13:37:07 2014] [error] mod_qos(034): access denied, QS_SrvMinDataRate rule (in): min=350, this connection=51, c=2a02:1800:1e1:6001::701:a1
[Fri Feb 14 13:37:07 2014] [error] mod_qos(034): access denied, QS_SrvMinDataRate rule (in): min=350, this connection=51, c=2a02:1800:1e1:6001::701:a1
[Fri Feb 14 13:37:07 2014] [error] [client 2a02:1800:1e1:6001::701:a1] request failed: error reading the headers
[Fri Feb 14 13:37:07 2014] [error] [client 2a02:1800:1e1:6001::701:a1] request failed: error reading the headers
[Fri Feb 14 13:37:07 2014] [error] mod_qos(031): access denied (previously), QS_SrvMaxConnPerIP rule: max=50, concurrent connections=49, message repeated 0 times, c=2a02:1800:1e1:6001::701:a1
[Fri Feb 14 13:37:07 2014] [error] mod_qos(031): access denied, QS_SrvMaxConnPerIP rule: max=50, concurrent connections=51, c=2a02:1800:1e1:6001::701:a1
[Fri Feb 14 13:37:07 2014] [error] mod_qos(031): access denied, QS_SrvMaxConnPerIP rule: max=50, concurrent connections=51, c=2a02:1800:1e1:6001::701:a1
[Fri Feb 14 13:37:07 2014] [error] mod_qos(031): access denied, QS_SrvMaxConnPerIP rule: max=50, concurrent connections=51, c=2a02:1800:1e1:6001::701:a1
[Fri Feb 14 13:37:07 2014] [error] mod_qos(031): access denied, QS_SrvMaxConnPerIP rule: max=50, concurrent connections=51, c=2a02:1800:1e1:6001::701:a1
[Fri Feb 14 13:37:07 2014] [error] mod_qos(031): access denied, QS_SrvMaxConnPerIP rule: max=50, concurrent connections=51, c=2a02:1800:1e1:6001::701:a1
[Fri Feb 14 13:37:07 2014] [error] mod_qos(031): access denied, QS_SrvMaxConnPerIP rule: max=50, concurrent connections=51, c=2a02:1800:1e1:6001::701:a1
[Fri Feb 14 13:37:07 2014] [error] mod_qos(031): access denied, QS_SrvMaxConnPerIP rule: max=50, concurrent connections=51, c=2a02:1800:1e1:6001::701:a1
[Fri Feb 14 13:37:07 2014] [error] mod_qos(031): access denied, QS_SrvMaxConnPerIP rule: max=50, concurrent connections=51, c=2a02:1800:1e1:6001::701:a1
[Fri Feb 14 13:37:07 2014] [error] mod_qos(031): access denied, QS_SrvMaxConnPerIP rule: max=50, concurrent connections=51, c=2a02:1800:1e1:6001::701:a1
[Fri Feb 14 13:37:07 2014] [error] mod_qos(031): access denied, QS_SrvMaxConnPerIP rule: max=50, concurrent connections=51, c=2a02:1800:1e1:6001::701:a1
[Fri Feb 14 13:37:07 2014] [error] mod_qos(031): access denied, QS_SrvMaxConnPerIP rule: max=50, concurrent connections=51, c=2a02:1800:1e1:6001::701:a1
[Fri Feb 14 13:37:07 2014] [error] mod_qos(031): access denied, QS_SrvMaxConnPerIP rule: max=50, concurrent connections=51, c=2a02:1800:1e1:6001::701:a1
[Fri Feb 14 13:37:07 2014] [error] mod_qos(031): access denied, QS_SrvMaxConnPerIP rule: max=50, concurrent connections=51, c=2a02:1800:1e1:6001::701:a1
[Fri Feb 14 13:37:07 2014] [error] mod_qos(031): access denied, QS_SrvMaxConnPerIP rule: max=50, concurrent connections=51, c=2a02:1800:1e1:6001::701:a1
[Fri Feb 14 13:37:07 2014] [error] mod_qos(031): access denied, QS_SrvMaxConnPerIP rule: max=50, concurrent connections=51, c=2a02:1800:1e1:6001::701:a1
[Fri Feb 14 13:37:07 2014] [error] mod_qos(031): access denied, QS_SrvMaxConnPerIP rule: max=50, concurrent connections=51, c=2a02:1800:1e1:6001::701:a1
[Fri Feb 14 13:37:07 2014] [error] mod_qos(031): access denied, QS_SrvMaxConnPerIP rule: max=50, concurrent connections=51, c=2a02:1800:1e1:6001::701:a1
[Fri Feb 14 13:37:07 2014] [error] mod_qos(031): access denied, QS_SrvMaxConnPerIP rule: max=50, concurrent connections=51, c=2a02:1800:1e1:6001::701:a1
[Fri Feb 14 13:37:07 2014] [error] mod_qos(031): access denied, QS_SrvMaxConnPerIP rule: max=50, concurrent connections=51, c=2a02:1800:1e1:6001::701:a1
[Fri Feb 14 13:37:07 2014] [error] mod_qos(031): access denied, QS_SrvMaxConnPerIP rule: max=50, concurrent connections=51, c=2a02:1800:1e1:6001::701:a1
[Fri Feb 14 13:37:07 2014] [error] mod_qos(031): access denied, QS_SrvMaxConnPerIP rule: max=50, concurrent connections=51, message repeated 20 times, c=2a02:1800:1e1:6001::701:a1
[Fri Feb 14 13:37:08 2014] [error] mod_qos(031): access denied, QS_SrvMaxConnPerIP rule: max=50, concurrent connections=51, message repeated 20 times, c=2a02:1800:1e1:6001::701:a1
[Fri Feb 14 13:37:08 2014] [error] mod_qos(031): access denied, QS_SrvMaxConnPerIP rule: max=50, concurrent connections=51, message repeated 20 times, c=2a02:1800:1e1:6001::701:a1
[Fri Feb 14 13:37:08 2014] [error] mod_qos(031): access denied, QS_SrvMaxConnPerIP rule: max=50, concurrent connections=51, message repeated 20 times, c=2a02:1800:1e1:6001::701:a1
[Fri Feb 14 13:37:08 2014] [error] mod_qos(031): access denied, QS_SrvMaxConnPerIP rule: max=50, concurrent connections=51, message repeated 20 times, c=2a02:1800:1e1:6001::701:a1
[Fri Feb 14 13:37:08 2014] [error] mod_qos(031): access denied, QS_SrvMaxConnPerIP rule: max=50, concurrent connections=51, message repeated 20 times, c=2a02:1800:1e1:6001::701:a1
[Fri Feb 14 13:37:08 2014] [error] mod_qos(031): access denied, QS_SrvMaxConnPerIP rule: max=50, concurrent connections=51, message repeated 20 times, c=2a02:1800:1e1:6001::701:a1
[Fri Feb 14 13:37:08 2014] [error] mod_qos(034): access denied, QS_SrvMinDataRate rule (in): min=342, this connection=51, c=2a02:1800:1e1:6001::701:a1
[Fri Feb 14 13:37:08 2014] [error] [client 2a02:1800:1e1:6001::701:a1] request failed: error reading the headers
[Fri Feb 14 13:37:08 2014] [error] mod_qos(034): access denied, QS_SrvMinDataRate rule (in): min=342, this connection=51, c=2a02:1800:1e1:6001::701:a1
[Fri Feb 14 13:37:08 2014] [error] [client 2a02:1800:1e1:6001::701:a1] request failed: error reading the headers
[Fri Feb 14 13:37:08 2014] [error] mod_qos(034): access denied, QS_SrvMinDataRate rule (in): min=342, this connection=51, c=2a02:1800:1e1:6001::701:a1
[Fri Feb 14 13:37:08 2014] [error] mod_qos(034): access denied, QS_SrvMinDataRate rule (in): min=342, this connection=51, c=2a02:1800:1e1:6001::701:a1
[Fri Feb 14 13:37:08 2014] [error] [client 2a02:1800:1e1:6001::701:a1] request failed: error reading the headers
[Fri Feb 14 13:37:08 2014] [error] [client 2a02:1800:1e1:6001::701:a1] request failed: error reading the headers
[Fri Feb 14 13:37:08 2014] [error] mod_qos(031): access denied (previously), QS_SrvMaxConnPerIP rule: max=50, concurrent connections=47, message repeated 16 times, c=2a02:1800:1e1:6001::701:a1
[Fri Feb 14 13:37:09 2014] [error] mod_qos(034): access denied, QS_SrvMinDataRate rule (in): min=334, this connection=57, c=2a02:1800:1e1:6001::701:a1
[Fri Feb 14 13:37:09 2014] [error] mod_qos(034): access denied, QS_SrvMinDataRate rule (in): min=334, this connection=60, c=2a02:1800:1e1:6001::701:a1
[Fri Feb 14 13:37:09 2014] [error] [client 2a02:1800:1e1:6001::701:a1] request failed: error reading the headers, referer: http://code.google.com/p/slowhttptest/
[Fri Feb 14 13:37:09 2014] [error] [client 2a02:1800:1e1:6001::701:a1] request failed: error reading the headers, referer: http://code.google.com/p/slowhttptest/
[Fri Feb 14 13:37:09 2014] [error] mod_qos(034): access denied, QS_SrvMinDataRate rule (in): min=334, this connection=58, c=2a02:1800:1e1:6001::701:a1
I am keep getting error
Invalid command 'QS_SrvMinDataRate'. What am I missed?