Slowloris
Slowloris is a software that allows a single computer can cripple a web server with minimal use of network resources. Slowloris worm specifically to the Web server, it is not effective against other services. Author of the software is Robert " RSnake " Hansen.
Slowloris tries to make as many connections to the target server, and to keep them open as long as possible. This effect is achieved by parallel opening connections and sending partial queries. From time to time, the sub-requests be supplemented by other HTTP header, the requests are never fully completed. This reduces the number of open connections increases rapidly. Since the number of open connections that can keep a web server at the same time is limited, legitimate requests from Web browsers will be rejected - the server is paralyzed.
Affected Web server
Many Web servers are vulnerable to this type of attack, including Apache 1.x, Apache 2.x, and the GoAhead WebServer dhttpd.
Countermeasures
There is currently no effective means against a Slowloris attack, but there are ways to reduce its impact. These include:
- Increase the maximum number of simultaneous connections the Web server
- Limit the maximum number of connections from a single IP address
- The amount of time that must remain connected a client reduce
Especially for the Apache Web server, there are a number of modules that can reduce the damage by Slowloris, such as mod_limitpconn, mod_qos, mod_evasive, mod_security, mod_noloris, and mod_antiloris. Since version 2.2.15 Apache contains the module mod_reqtimeout, which is proposed by the developers as the official solution.
Other countermeasures are reverse proxies, firewalls, load balancers, Layer 3 switches, and the use of a web server, which is immune to this type of attack.
Use
During the 2009 presidential elections in Iran Slowloris was used against the web server of the Iranian government.
Slowloris was over a traditional denial-of -service attack is preferred because a traditional attack consumes a lot of network resources and thus the protest movement would have hurt.
Of the attacks were gerdab.ir, leader.ir and president.ir affected.
Similar programs
Since the release of Slowloris some other programs have appeared that mimic the function of Slowloris and offer more features or run in other environments: