Home Page | Skip to Navigation | Skip to Content | Skip to Search | Skip to Footer

Slowloris DoS Attack

(SBP-2009-09)

A new Denial of Service tool has been released that attacks Web servers. A successful attack can exhaust a server’s ability to serve connections.

Slowloris is a HTTP Denial of Service tool written in PERL. The tool performs a Denial of Service attack on Apache 1.x and 2.x servers (as well as other web servers) by exhausting available connections. The tool holds the connection open by sending valid, incomplete HTTP requests to the server. Since any web server has a finite ability to serve connections, after some time all the connections will be used up and no other server will be able to connect.

Note that this tool is not a TCP DoS. It makes a full TCP connection and, unlike other DoS tools that require tens of thousands requests on an ongoing basis, this tool requires only a few hundred requests at long term and regular intervals. Given this, the potential impact of this tool could be quite high since it doesn't need to send a lot of traffic to exhaust available connections on a server. This makes it possible for hackers with limited traffic resources to successfully mount an attack.

Check Point protects against this attack through its IPS offerings: IPS Software Blade, SmartDefense, and IPS-1. This protection will block HTTP connections attempting to carry out this attack. See SBP-2009-09.