Slowloris is DDoS attack software that makes it possible for a single computer to take down an entire web server by consuming all its resources. It operates at Layer 7 (the application layer). The attack requires minimal bandwidth to launch and affects only the target's web server, with virtually no side effects on other services and ports. Slowloris has been seen to be highly effective against various types of web server software, including Apache 1.x and 2.x. The attack is named after a vulnerable or endangered Asian primate that moves slowly and deliberately, makes very little noise, and, when threatened, becomes motionless.
Slowloris is not afraid to change its tactics to avoid discovery. For instance, it can be altered to send different Host headers when a virtual host is targeted, and logs are stored separately for each virtual host. Furthermore, during an attack, Slowloris can be set to conceal log file creation, allowing it to catch unmonitored servers unawares, without red flags showing up in log file entries.
Slowloris also distinguishes itself from other types of DDoS by using legitimate HTTP traffic. The software works by opening multiple TCP connections to the targeted web server and keeping them open for as long as possible. It repeatedly sends partial HTTP requests, which are never completed. The targeted servers open increasing numbers of connections and sit waiting for each request to be completed.
Just before timeout, the tool sends further incomplete HTTP requests to the server, continuing to hold it open and resetting the timeout clock. Ultimately, all the connections on the targeted server are used up, and any further legitimate connection attempts are denied until at least some of the held connections are released. This enables hackers with limited traffic resources to successfully perpetrate a DDoS attack.
Slowloris can easily slip past defenses because it sends partial, as opposed to malformed, packets.
Slowloris has been involved in various high-profile server takedowns. Most notably, Iranian ‘hacktivists’ used it extensively after the 2009 Iranian presidential election to take down websites hosted by the Iranian government and protest the results. The hacktivists also invited people to join their cause on Twitter – posting instructions on how to launch Slowloris DDoS attacks as Twitter updates. The attacks had a high impact with a relatively low bandwidth rate.
Mitigation methods include increasing the web server’s capacity by allowing a higher maximum number of clients; limiting the number of connections a single IP address may hold; imposing a minimum transfer speed on each connection; and allowing a client to stay connected only for a limited period of time.
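As an added illustration (not code from the original article or from any server project), the following Python model applies the four mitigations listed above to a constructed connection table of the kind the attack mechanism described earlier would produce: many never-completed, slowly trickling requests from one address alongside ordinary clients. The thresholds, the RFC 5737 addresses and the `Conn`/`Policy` structures are assumptions chosen for the illustration; the functions decide which connections a policy would close at one instant and whether a new client would then find a free slot.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass
class Conn:
    client_ip: str
    opened_at: float        # seconds on a monotonic clock
    bytes_received: int     # request bytes read so far on this connection
    headers_complete: bool  # has the blank line ending the headers arrived?

@dataclass
class Policy:               # illustrative thresholds, not any server's defaults
    max_clients: int = 24            # capacity: worker/connection slots
    per_ip_limit: int = 20           # connections allowed from one address
    min_bytes_per_sec: float = 20.0  # minimum request transfer rate
    max_lifetime: float = 30.0       # seconds an incomplete request may linger
    grace: float = 5.0               # very new connections are not rate-judged

def connections_to_close(conns, policy, now):
    """Map index -> reason for every connection the policy would drop.
    `conns` is in accept order, so the per-IP quota closes the newest ones."""
    closures, per_ip = {}, Counter()
    for i, c in enumerate(conns):
        age = now - c.opened_at
        per_ip[c.client_ip] += 1
        if per_ip[c.client_ip] > policy.per_ip_limit:
            closures[i] = "per-ip limit"
        elif c.headers_complete:
            continue                   # a real request is in progress; keep it
        elif age > policy.max_lifetime:
            closures[i] = "request lifetime"
        elif age > policy.grace and c.bytes_received / age < policy.min_bytes_per_sec:
            closures[i] = "transfer rate"
    return closures

def has_free_slot(conns, policy, now):
    """Would a new legitimate client be accepted once the policy has run?"""
    return len(conns) - len(connections_to_close(conns, policy, now)) < policy.max_clients

# Constructed table: one address holding 25 partial requests (a few header bytes
# each, never finished) opened every two seconds, plus two ordinary clients.
TABLE = [Conn("203.0.113.7", 2.0 * i, 60, False) for i in range(25)]
TABLE += [Conn("198.51.100.4", 55.0, 400, True),   # headers done, being served
          Conn("198.51.100.9", 58.0, 0, False)]    # just connected, in grace

if __name__ == "__main__":
    for i, why in connections_to_close(TABLE, Policy(), 60.0).items():
        print(f"close #{i} from {TABLE[i].client_ip}: {why}")
    print("room for a new client:", has_free_slot(TABLE, Policy(), 60.0))
```

Without the policy the 27 open connections already exceed the 24 slots, so a new client would be refused; after it runs, all 25 slow connections are closed and the two genuine clients remain.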