New Denial-Of-Service Attack Cripples Web Servers By Reading Slowly

  /     /     /  
Publicated : 22/11/2024   Category : security


New Denial-Of-Service Attack Cripples Web Servers By Reading Slowly


Slow Read proof-of-concept and tool released Thursday



A researcher today published proof-of-concept code that takes a different spin on the slow HTTP denial-of-service (DoS) attack simply by dragging out the process of reading the servers response -- and ultimately overwhelming it.
Sergey Shekyan, senior software engineer with Qualys, also has added this new so-called Slow Read attack to his open-source slowhttptest tool.
Slow Read basically sends a legitimate HTTP request and then very slowly reads the response, thus keeping as many open connections as possible and eventually causing a DoS.
Shekyans Slowhttptest attack tool initially was inspired by related open-source tools Slowloris and OWASPs Slow HTTP Post. Slowloris keeps connections open by sending partial HTTP requests and sends headers at regular intervals to prevent the sockets from closing, while the Slow HTTP POST distributed DoS (DDoS) tool simulates an attack using POST headers with a legitimate content-length field that lets the Web server know how much data is arriving. Once the headers are sent, the POST message body is transmitted slowly, thus gridlocking the connection and server resources.
[Slow HTTP attacks can be a lethal form of denial-of-service to Web servers. See
Researcher To Release Free Slow HTTP Attack Tool
.]
Slow HTTP attacks are gaining in popularity among the bad guys as a way to quietly wage a DoS attack because these exploits are relatively easy to perform, require minimal computing resources, and often are tough to detect until its too late.
There are three or four ways to easily DoS an Apache server now [with the addition of Slow Read], says an industry source who requested anonymity. We see it fairly frequently ... It happens to the majority of our customers at least once every few months, if not more often.
Those organizations that deploy inline load balancers or rate-limiting traffic parameters are typically fairly protected from a full-blown DoS, but not all organizations have such resources to help mitigate a DoS or DDoS.
Qualys Shekyan says attackers today are combining old-school, lower-layer SYN Flood DDoS attack methods with the application-layer ones that exploit HTTP traffic. And the more techniques you combine in an attack, the more effective it is, he says.
He says his Slow Read attack slows down the HTTP response reading phase by exploiting the design of TCP, which keeps the connection open even if theres little or no data flowing there. And this attack is harder to detect than the Slow HTTP attack. Its very hard to catch these attacks. If youre not monitoring your network layer, those requests look the same as your requests from legitimate clients, he says.
To successfully pull off a Slow Read DoS, the attacker must know the servers send buffer size and craft a smaller receive buffer. TCPs default server buffer size ranges from 65 KB to 129 KB, Shekyan noted. We need to make the server generate a response that is larger than the send buffer. With reports indicating the Average Web Page Approaches 1MB, that should be fairly easy. Load the main page of the victim’s Web site in your favorite WebKit-based browser like Chrome or Safari and pick the largest resource in Web Inspector, he wrote in his proof-of-concept post.
Meanwhile, some fixes are available to various Web server DoS attacks. But they can often be a major pain to implement. Sometimes its changing the Web server, sometimes its using an inline proxy, and sometimes its just a matter of the HTTP spec being too lax, the industry source says.
Have a comment on this story? Please click Add Your Comment below. If youd like to contact
Dark Readings
editors directly,
send us a message
.

Last News

▸ DHS-funded SWAMP scans code for bugs. ◂
Discovered: 23/12/2024
Category: security

▸ Debunking Machine Learning in Security. ◂
Discovered: 23/12/2024
Category: security

▸ Researchers create BlackForest to gather, link threat data. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
New Denial-Of-Service Attack Cripples Web Servers By Reading Slowly