Remote handbrake for web servers
Security specialist Robert "RSnake" Hansen has released a tool that can disable even large web servers from a single standard internet-connected PC. "Slowloris" does not, however, exploit a security vulnerability; instead it makes use of a feature of the HTTP protocol known as partial HTTP requests. Clients do not have to send all the data of a GET or POST request to a server in one go; it can instead be spread across several transmissions over time.
Depending on server configuration, the first partial request causes the server to reserve substantial resources for the response while it waits for the remainder of the request. The web servers vulnerable to this remote handbrake are precisely those that try to avoid overload by, for example, allowing only a limited number of parallel HTTP requests. According to Hansen, these include Apache HTTP Server, DHTTPD, GoAhead WebServer and Squid, but not Microsoft's IIS or lighttpd.
The idea behind the new denial of service (DoS) concept is derived from earlier DoS attacks using half-open TCP connections, except that in this case other services on the server are broadly unaffected while the HTTP service becomes unavailable. Web servers can be protected by using load balancers such as Perlbal, or web application firewalls, that only forward complete HTTP requests to the server. So the new attack is unlikely to cause website administrators too many sleepless nights. In the event of an attack, the problem can be defused by simply reducing the time-out parameter for HTTP requests.
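The two mitigations the article names, forwarding only complete requests and enforcing a short header time-out, can be shown in a small front-end read loop. This is an added example written for this page, not code from the article or from RSnake's tool; the deadline values and the sample requests are constructed, and the dripping sender only exists to exercise the time-out path.

```python
import socket
import threading
import time

def read_complete_headers(conn, header_deadline=2.0, max_header_bytes=8192):
    """Return the full header block (through the blank line) as bytes, or
    None if the peer stalls, exceeds the deadline, or oversizes the headers.
    A partial request never reaches the back end: the slot is freed instead."""
    deadline = time.monotonic() + header_deadline
    buf = b""
    while b"\r\n\r\n" not in buf:
        remaining = deadline - time.monotonic()
        if remaining <= 0 or len(buf) > max_header_bytes:
            conn.close()          # stalled or oversized partial request
            return None
        conn.settimeout(remaining)  # never wait past the overall deadline
        try:
            chunk = conn.recv(4096)
        except socket.timeout:
            conn.close()
            return None
        if not chunk:             # peer closed before finishing the headers
            conn.close()
            return None
        buf += chunk
    return buf.split(b"\r\n\r\n", 1)[0] + b"\r\n\r\n"

def _dripping_sender(sock, pieces, gap):
    """Constructed test peer: sends header fragments with a pause between
    them and stops without ever sending the terminating blank line."""
    for piece in pieces:
        try:
            sock.sendall(piece)
        except OSError:           # front-end already closed the connection
            return
        time.sleep(gap)

def simulate(pieces, gap, header_deadline):
    """Run one constructed client against the front-end over a socketpair;
    return the accepted header block, or None if the connection was dropped."""
    server_side, client_side = socket.socketpair()
    t = threading.Thread(target=_dripping_sender,
                         args=(client_side, pieces, gap), daemon=True)
    t.start()
    result = read_complete_headers(server_side, header_deadline)
    client_side.close()
    return result

if __name__ == "__main__":
    complete = [b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"]
    print("complete request ->", simulate(complete, 0.0, 1.0))
    stalled = [b"GET / HTTP/1.1\r\n", b"Host: example.test\r\n"]
    print("stalled request  ->", simulate(stalled, 0.3, 0.5))
```

A real deployment would put the same deadline and minimum-rate logic in the proxy or load balancer in front of the server, so that the back end only ever sees requests whose headers have already arrived in full.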
- Slowloris HTTP DoS, an explanation of the Slowloris concept from RSnake.