Main » 2011 » Март » 16 » Slow lori attack on a web server apache
13:05
Slow lori attack on a web server apache
Slow Lori - an animal that lives in Southeast Asia and known for its slow and measured movements. According to it, has been named the new DoS and DDoS attacks on web server Apache.



The attack was launched a security specialist RSnake 17 June and described in detail on page http://ha.ckers.org/blog/20090617/slowloris-http-dos

The attack is very slow sending all and more new HTTP headers in a single HTTP request will never complete.

Since Apache allocates resources for the request very early, at one such request to spend "full" number of resources. Is the same as for a request.

As we know, Apache uses to handle requests or processes, or a mixture of processes with threads. Using the threads will postpone death, but somehow Apache rested in the limit on memory or restriction specified by the administrator.

What is the most unpleasant, Slowlori attack leaves no trace, except for a huge number of open-Be compounds with status ESTABLISHED. There will be no records, even in access_log-e.

Initially, the Apache developers are not very responsive to RSnake message to the mailing list by replying to it that this attack has long been known and is a minus not very web ververa, but rather a TCP-stack. However, in future, developers of Apache web server moved and began to actively discuss ways of solving problems.

Web servers based on the state machine is not vulnerable to this attack. Thus, the simplest way to protect yourself from Slowlori attack is to use two-tier architecture, when the first on the road is a web / proxy server based on the state machine, such as nginx.

Other possible solutions include Access HTTP filters in FreeBSD, use cunning to firewall rules, which, at the same time, can cut off the slow and legitimate users.

In addition to actually change the architecture, the developers of Apache accept the need for the introduction of smaller, local timeouts. At this point in Apache 2.2 implements a timeout obshy that affects virtually all IO actions.

For more information, contact the mailing list httpd-dev and not yet open for public access to this article on LWN.
Views: 558 | Added by: w1zard | Rating: 0.0/0
Total comments: 0
Имя *:
Email *:
Код *: