Freely subscribe to our NEWSLETTER

Attack description

Slowloris is a perl script which can be run on any *nix platform.

The attack consists in initiating HTTP requests without closing them. The connection is then left opened thanks to recurring transmission of HTTP headers. The figure below shows the trace of the request and clearly identifies the “X-a: b” header used by the tool.

The Apache Web server sends requests to processing modules only once they are completed. As a consequence it is vulnerable to the attack as it doesn’t free active connections established by the attack tool. Apache security modules cannot be applied for the same reasons.

Once the attack is launched the target server holds open connections in state ESTABLISHED.

After a short amount of time the server becomes unreachable. This status lasts for the duration of the attack.

Mitigation

On Saturday, June 20th, the DARC provided Deny All customers with a workaround. This workaround, based on packet filtering and connection limit mechanisms, made it possible to prevent web sites from being impacted by this attack.

On June 26th, a patch was made available for all Deny All products. This patch has been publicly released today after one week of testing.

Therefore all Deny All customers can now be protected from this attack and any variant based on the same technique.

This is the first release of a patch for an Apache-based products against this attack.

As of today no official Apache native solution is available, as it requires heavy internal changes.

Thanks to the analysis performed by its research center, Deny All is the only editor which has released such solution for all its production platforms.