DoS using a single client

Jacob Allred

Have you ever heard of Slowloris? It has been around for a little over a year, but fortunately I have never had the “pleasure” of dealing with it.

This short Perl script (less than 350 lines of actual code) is capable of turning your lowly desktop computer into a server killing monster. Traditional denial of service attacks use several clients (hundreds, sometimes thousands) to overwhelm the target server. The clients make as many requests as they can from the target server, causing it to use all its resources responding to the requests. Slowloris has a different approach.

Instead of using hundreds of clients, a Slowloris attack can often be successful run from a single client. And instead of overloading the server and utilizing a pile of bandwidth, Slowloris leaves the load on the target server at near zero and uses almost no bandwidth. It still makes a pile of requests, but it makes … them … nice … and … slow. Most web servers are only capable of handling a certain number of requests at a time (say, 150) so if you start 150 requests to the target server and leave those requests open for 10, 20, or even 30 minutes, you’ve effectively made it impossible for anyone else to get a valid request through to the web server. The target server isn’t actually doing any work, so the load doesn’t go up. What makes it even more annoying is the requests don’t show up in the log until they fail, if they ever do, which makes it more difficult to figure out what the heck is going on.

There are ways to mitigate the effectiveness of this type of attack, the most common being the use of a proxy to sit between the client and the web server (like haproxy or CloudFlare) and/or installing a bunch of Apache modules. Fortunately I’m doing both so hopefully I’ll be fine if someone decides they don’t like me much and wants to take down my server.

As a final note, I wholeheartedly discourage you from trying out the software unless you only do it on your local network. Attacking someone’s server is probably illegal and is likely to get your internet service shutoff. In other words, don’t be stupid.