Edit filter log

'{{Short description|Software for executing a denial-of-service attack}} {{Use dmy dates|date=August 2021}} {{Infobox software | name = Slowloris | logo = Slowloris DDOS.png | logo caption = Slowloris running on [[cmd.exe|Command Prompt]] | screenshot = | caption = | collapsible = | developer = | released = 17 June 2009 | latest release version = 0.7 | latest release date = | latest preview version = | latest preview date = | programming language = [[Perl]] | operating system = | platform = [[Cross-platform]] | size = 36 kb | status = | genre = [[Hacking tool]] | license = | website = [https://web.archive.org/web/20090822001255/http://ha.ckers.org/slowloris/ ha.ckers.org/slowloris/] }} '''Slowloris''' is a type of [[denial of service]] attack tool which allows a single machine to take down another machine's web server with minimal bandwidth and side effects on unrelated services and ports. Slowloris tries to keep many connections to the target web server open and hold them open as long as possible. It accomplishes this by opening connections to the target web server and sending a partial request. Periodically, it will send subsequent [[HTTP]] headers, adding to, but never completing, the request. Affected servers will keep these connections open, filling their maximum concurrent connection pool, eventually denying additional connection attempts from clients.<ref name="ha.ckers.org">{{cite web |url=http://ha.ckers.org/slowloris |title=Slowloris HTTP DoS |accessdate=2009-06-26 |url-status=bot: unknown |archiveurl=https://web.archive.org/web/20150426090206/http://ha.ckers.org/slowloris |archivedate=26 April 2015 }}</ref> The program was named after [[slow loris]]es, a group of primates which are known for their slow movement. ==Affected web servers== This includes but is not necessarily limited to the following, per the attack's author:<ref name="ha.ckers.org"/> * [[Apache HTTP Server|Apache]] 1.x and 2.x * dhttpd * [[Websense Enterprises|Websense]] "block pages" (unconfirmed) * Trapeze Wireless Web Portal (unconfirmed) * [[Verizon Communications|Verizon's]] MI424-WR FIOS Cable modem (unconfirmed) * Verizon's [[Motorola]] Set-top box (port 8082 and requires auth - unconfirmed) * BeeWare WAF (unconfirmed) * Deny All WAF (patched)<ref>{{cite web |url=http://www.denyall.com/files/090703-Flash-Presse-contre-Slowloris.pdf |title=Archived copy |accessdate=2013-05-15 |url-status=dead |archiveurl=https://web.archive.org/web/20140201201359/http://www.denyall.com/files/090703-Flash-Presse-contre-Slowloris.pdf |archivedate=1 February 2014 }}</ref> * [[Flask (web framework)|Flask]] (development server) Because Slowloris exploits [[C10k problem|problems handling thousands of connections]], the attack has less of an effect on servers that handle large numbers of connections well. Proxying servers and caching accelerators such as [[Varnish (software)|Varnish]], [[nginx]], and [[Squid (software)|Squid]] have been recommended<ref>{{cite web|url=http://serverfault.com/a/32472/129773|title=How to best defend against a "slowloris" DOS attack against an Apache web server?|website=serverfault.com|access-date=2016-12-28}}</ref> to mitigate this particular kind of attack. In addition, certain servers are more resilient to the attack by way of their design, including Hiawatha,<ref>{{cite web|url=https://www.hiawatha-webserver.org/weblog/64|title=Performance testing while under attack|publisher=hiawatha-webserver.org|date=28 February 2014}}</ref> [[Internet Information Services|IIS]], [[lighttpd]], [[Cherokee (web server)|Cherokee]], and [[Cisco Systems|Cisco CSS]]. <!--Every bit of this is supported by the ha.ckers.org reference - there's no need to inline the same citation over and over --> ==Mitigating the Slowloris attack== While there are no reliable configurations of the affected web servers that will prevent the Slowloris attack, there are ways to mitigate or reduce the impact of such an attack. In general, these involve increasing the maximum number of clients the server will allow, limiting the number of connections a single [[IP address]] is allowed to make, imposing restrictions on the minimum transfer speed a connection is allowed to have, and restricting the length of time a client is allowed to stay connected. In the Apache web server, a number of modules can be used to limit the damage caused by the Slowloris attack; the Apache modules mod_limitipconn, [[mod_qos]], mod_evasive, [[mod security]], mod_noloris, and mod_antiloris have all been suggested as means of reducing the likelihood of a successful Slowloris attack.<ref name="ha.ckers.org"/><ref>{{cite web|url=http://bahumbug.wordpress.com/2009/07/01/mod_noloris-defending-against-dos/ |title=mod_noloris: defending against DoS |publisher=niq's soapbox |accessdate=7 January 2012}}</ref> Since Apache 2.2.15, Apache ships the module mod_reqtimeout as the official solution supported by the developers.<ref>{{cite web|url=https://httpd.apache.org/docs/2.4/mod/mod_reqtimeout.html |title=mod_reqtimeout - Apache HTTP Server |publisher=Httpd.apache.org |accessdate=2013-07-03}}</ref> Other mitigating techniques involve setting up [[Reverse proxy|reverse proxies]], [[Firewall (computing)|firewalls]], [[Load balancing (computing)|load balancers]] or [[content switch]]es.<ref>{{cite web|last=Breedijk |first=Frank |url=https://web.archive.org/web/20120215200011/http://www.cupfighter.net/index.php/2009/06/slowloris-css/ |title=Slowloris and Nkiller2 vs. the Cisco CSS load balancer |publisher=Cupfighter.net |date=22 June 2009 |accessdate=7 January 2012}}</ref> Administrators could also change the affected web server to software that is unaffected by this form of attack. For example, [[lighttpd]] and [[nginx]] do not succumb to this specific attack.<ref name="ha.ckers.org"/> ==Notable usage== {{Expand section|date=December 2009}} During the protests that erupted in the wake of the [[2009 Iranian presidential election]], Slowloris arose as a prominent tool used to leverage [[DoS]] attacks against sites run by the Iranian government.<ref>{{cite web|last=Zdrnja |first=Bojan |url=https://isc.sans.edu/forums/diary/Slowloris+and+Iranian+DDoS+attacks/6622 |title=ISC Diary &#124; Slowloris and Iranian DDoS attacks |publisher=Isc.sans.org |date=23 June 2009 |accessdate=7 January 2012}}</ref> The belief was that flooding [[DDoS]] attacks would affect internet access for the government and protesters equally, due to the significant [[Bandwidth (computing)|bandwidth]] they can consume. The Slowloris attack was chosen instead, because of its high impact and relatively low bandwidth.<ref>[http://iran.whyweprotest.net/general-discussion/2156-list-anti-protester-sites-2.html] {{webarchive |url=https://web.archive.org/web/20090629152805/http://iran.whyweprotest.net/general-discussion/2156-list-anti-protester-sites-2.html |date=29 June 2009 }}</ref> A number of government-run sites were targeted during these attacks, including gerdab.ir, leader.ir, and president.ir .<ref>[http://iran.whyweprotest.net/help-iran-online/6194-condensed-list-sites-w-pictures-part-1-a.html] {{webarchive |url=https://web.archive.org/web/20090811013813/http://iran.whyweprotest.net/help-iran-online/6194-condensed-list-sites-w-pictures-part-1-a.html |date=11 August 2009 }}</ref> A variant of this attack was used by [[Email spam|spam]] network [[River City Media]] to force [[Gmail]] servers to send thousands of messages in bulk, by opening thousands of connections to the Gmail [[API]] with message sending requests, then completing them all at once.<ref>{{Cite web| last = Vickery| first = Chris| title = Spammergate: The Fall of an Empire| work = MacKeeper Security Watch| date = 2017-03-06| url = https://mackeeper.com/blog/post/339-spammergate-the-fall-of-an-empire| archive-url = https://web.archive.org/web/20170306152831/https://mackeeper.com/blog/post/339-spammergate-the-fall-of-an-empire| url-status = dead| archive-date = 2017-03-06}}</ref> ==Similar software== Since its release, a number of programs have appeared that mimic the function of Slowloris while providing additional functionality, or running in different environments:<ref>{{cite web|title=Slowloris|url=http://samsclass.info/seminars/slowloris.pdf|publisher=SecTheory|accessdate=7 January 2012|author=Robert "RSnake" Hansen}}</ref> * PyLoris – A protocol-agnostic Python implementation supporting [[Tor (anonymity network)|Tor]] and SOCKS proxies.<ref>{{cite web |url=http://motomastyle.com/pyloris/ |archive-url=https://web.archive.org/web/20090715100428/http://motomastyle.com/pyloris/ |url-status=dead |archive-date=15 July 2009 |title=PyLoris |publisher=MotomaSTYLE |date=19 June 2009 |accessdate=7 January 2012 }}</ref> * Slowloris – A Python 3 implementation of Slowloris with SOCKS proxy support.<ref>{{cite web|url=https://github.com/gkbrk/slowloris|title=Slowloris rewrite in Python|accessdate=10 May 2017}}</ref> * Goloris – Slowloris for nginx, written in Go.<ref>{{cite web|url=https://github.com/valyala/goloris|title=Slowloris for nginx DoS|author=valyala|accessdate=4 February 2014}}</ref> * QSlowloris – An executable form of Slowloris designed to run on Windows, featuring a [[Qt (toolkit)|Qt]] [[front end processor (program)|front end]].<ref>{{cite web|title=How to help take down gerdab.ir in 5 easy steps|url=http://cyberwar4iran.blogspot.com/|publisher=cyberwar4iran|accessdate=7 January 2012|date=28 June 2009}}</ref> * An unnamed PHP version which can be run from a HTTP server.<ref>{{cite web|url=http://seclists.org/fulldisclosure/2009/Jun/0207.html |title=Full Disclosure: apache and squid dos |publisher=Seclists.org |date=19 June 2009 |accessdate=7 January 2012}}</ref> * SlowHTTPTest – A highly configurable slow attacks simulator, written in C++.<ref>{{cite web|url=https://community.qualys.com/blogs/securitylabs/2011/09/19/testing-web-servers-for-slow-http-attacks |title=Testing Web Servers for Slow HTTP Attacks |publisher=qualys.com |date=19 September 2011 |accessdate=13 January 2012}}</ref><ref>{{cite web|url=https://github.com/shekyan/slowhttptest/ |title=shekyan/slowhttptest: Application Layer DoS attack simulator |publisher=GitHub |accessdate=2017-04-19}}</ref> * SlowlorisChecker – A Slowloris and Slow POST POC (Proof of concept). Written in Ruby.<ref>{{cite web|url=https://github.com/felmoltor/SlowlorisChecker |title=Simple script to check if some server could be affected by Slowloris attack |publisher=github.com/felmoltor |date=31 December 2012 |accessdate=31 December 2012}}</ref> * Cyphon - Slowloris for Mac OS X, written in Objective-C.<ref>{{cite web|url=https://github.com/abila5h/Cyphon-DoS|title=Slowloris for OSX|author=abilash|accessdate=8 April 2017}}</ref> * sloww - Slowloris implementation written in Node.js.<ref>{{Citation|last=Davis|first=Ethan|title=sloww: Lightweight Slowloris attack CLI in Node|date=2018-02-17|url=https://github.com/ethanent/sloww|accessdate=2018-02-18}}</ref> * dotloris - Slowloris written in .NET Core<ref>{{cite web|url=https://github.com/bass3l/dotloris|title=Slowloris written in .Net core|author=Bassel Shmali}}</ref> ==See also== * [[Slowdroid|SlowDroid]] * [[Trinoo]] * [[Stacheldraht]] * [[Denial of service]] * [[LAND]] * [[Low Orbit Ion Cannon]] * [[High Orbit Ion Cannon]] * [[ReDoS]] * [[R-U-Dead-Yet]] ==References== {{Reflist}} ==External links== * [https://web.archive.org/web/20090822001255/http://ha.ckers.org/slowloris/ Slowloris HTTP DoS] * [http://hackaday.com/2009/06/17/slowloris-http-denial-of-service/ hackaday on Slowloris] * [https://lwn.net/Articles/338407/ Apache attacked by a "slow loris"] article on [[LWN.net]] * [http://www.radware.com//Multimedia/Security_Zone/slowloris.html?WT.ad=SlowlorisCaseStudy Slowloris – a short video (including a demo)] * [https://github.com/shekyan/slowHttpTest Home page of SlowHTTPTest] * [https://sourceforge.net/projects/loicslow/ An Attempt at Simulating SlowLoris on LOIC] * [https://www.gkbrk.com/2016/09/about-slowloris/ Blog post explaining the inner workings of Slowloris] [[Category:Denial-of-service attacks]]'