Slowloris is a type of denial of service attack invented by Robert “RSnake” Hansen which allows a single machine to take down another machine’s web server with minimal bandwidth and side effects on unrelated services and ports.
Slowloris tries to keep many connections to the target web server open and hold them open as long as possible. It accomplishes this by opening connections to the target web server and sending a partial request. Periodically, it will send subsequent HTTP headers, adding to—but never completing—the request. Affected servers will keep these connections open, filling their maximum concurrent connection pool, eventually denying additional connection attempts from clients.
Slowloris is basically an HTTP Denial of Service attack that affects threaded servers. It works like this:
- We start making lots of HTTP requests.
- We send headers periodically (every ~15 seconds) to keep the connections open.
- We never close the connection unless the server does so. If the server closes a connection, we create a new one and keep doing the same thing.
This exhausts the server's thread pool, and the server can't reply to other people.
How to install and run?
You can clone the git repo or install using pip. Here’s how you run it.
sudo pip3 install slowloris
That’s all it takes to install and run slowloris.py.
If you want to clone using git instead of pip, here’s how you do it.
git clone https://github.com/gkbrk/slowloris.git
python3 slowloris.py example.com
While there are no reliable configurations of the affected web servers that will prevent the Slowloris attack, there are ways to mitigate or reduce the impact of such an attack. In general these involve increasing the maximum number of clients the web server will allow, limiting the number of connections a single IP address is allowed to make, imposing restrictions on the minimum transfer speed a connection is allowed to have, and restricting the length of time a client is allowed to stay connected.
Other mitigating techniques involve setting up reverse proxies, firewalls, load balancers or content switches. Administrators could also change the affected web server to software that is unaffected by this form of attack.
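The per-IP connection limit, minimum transfer speed and connection-time restrictions described above can be combined into one decision a proxy or server makes for each open connection. The following is an added example, not code from slowloris.py or from any web server; the thresholds, the `Conn` record and the sample connections are assumptions constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass

# Assumed policy values for illustration; tune them to real traffic.
MAX_CONNS_PER_IP = 20     # concurrent connections allowed per source address
HEADER_DEADLINE_S = 10.0  # total time allowed to finish the request headers
MIN_RATE_BPS = 50.0       # minimum average inbound bytes per second
RATE_GRACE_S = 5.0        # do not judge the rate of very young connections

@dataclass
class Conn:
    conn_id: int
    src_ip: str
    opened_at: float      # seconds on a monotonic clock
    bytes_in: int         # request bytes received so far
    headers_done: bool    # True once the blank line ending the headers arrived

def connections_to_drop(conns, now):
    """Return {conn_id: reason} for connections that violate the policy."""
    drop, kept_per_ip = {}, Counter()
    for c in sorted(conns, key=lambda c: c.opened_at):  # oldest first
        age = now - c.opened_at
        if not c.headers_done and age > HEADER_DEADLINE_S:
            # Absolute deadline: trickled headers reset an idle timer, not this.
            drop[c.conn_id] = "header-deadline"
        elif (not c.headers_done and age > RATE_GRACE_S
              and c.bytes_in / age < MIN_RATE_BPS):
            drop[c.conn_id] = "min-rate"
        else:
            kept_per_ip[c.src_ip] += 1
            if kept_per_ip[c.src_ip] > MAX_CONNS_PER_IP:
                drop[c.conn_id] = "per-ip-limit"
    return drop

def sample_connections():
    """Constructed sample (documentation-range IPs), observed at now=100.0."""
    conns = [Conn(1, "198.51.100.7", 99.5, 420, True),   # normal browser request
             Conn(2, "198.51.100.9", 10.0, 500, True)]   # long-lived, headers complete
    slow = "203.0.113.5"  # one source holding many unfinished requests
    conns += [Conn(100 + i, slow, 40.0, 80, False) for i in range(10)]  # 60 s old
    conns += [Conn(200, slow, 93.0, 60, False)]                         # 7 s, ~9 B/s
    conns += [Conn(300 + i, slow, 98.0 + i * 0.01, 40, False) for i in range(25)]
    return conns

if __name__ == "__main__":
    result = connections_to_drop(sample_connections(), now=100.0)
    print(Counter(result.values()))
```

The header deadline is measured from when the connection opened, so a client that sends one more header every ~15 seconds cannot extend it the way it extends a per-read idle timeout.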