The Slowloris attack is a type of application-layer DDoS attack that targets a web server by opening multiple connections and sending HTTP requests very slowly, keeping these connections alive for as long as possible. This exhausts the server’s connection pool and prevents it from handling legitimate traffic.
Here’s what Slowloris might look like in web logs:
Example Log Entries Indicating a Slowloris Attack
- Partial HTTP Requests
Slowloris sends incomplete HTTP headers to keep connections open without completing the request.
Log Example (Apache or NGINX Logs):
[Nov 21 15:20:45] 192.168.1.101 - - [21/Nov/2024:15:20:45 +0000] "GET / HTTP/1.1" 408 - "-" "-"
[Nov 21 15:20:50] 192.168.1.102 - - [21/Nov/2024:15:20:50 +0000] "POST /login HTTP/1.1" 408 - "-" "-"
[Nov 21 15:20:55] 192.168.1.103 - - [21/Nov/2024:15:20:55 +0000] "-" 408 - "-" "-"
Signs:
- Status code
408(Request Timeout) appears repeatedly for multiple IPs. - Headers or body of the HTTP requests are missing or incomplete.
- Unusually Long Connection Durations
Slowloris keeps connections open by sending small chunks of data periodically, keeping the connection alive without completing the request.
Log Example (Web Server Logs):
[Nov 21 15:21:05] 192.168.1.104 - - [21/Nov/2024:15:21:05 +0000] "GET / HTTP/1.1" 200 0 "-" "-"
[Nov 21 15:21:45] Connection duration: 40 seconds
[Nov 21 15:22:05] 192.168.1.105 - - [21/Nov/2024:15:22:05 +0000] "GET /contact HTTP/1.1" 200 0 "-" "-"
[Nov 21 15:22:50] Connection duration: 45 seconds
Signs:
- Connection times are abnormally long, often lasting up to or beyond timeout thresholds.
- Minimal or no data is sent with the requests.
- Spike in Open Connections
Slowloris consumes server resources by opening as many simultaneous connections as possible.
Log Example (Server or Firewall Logs):
[Nov 21 15:23:00] Active connections: 500
[Nov 21 15:23:10] Active connections: 800
[Nov 21 15:23:20] Active connections: 1000
Signs:
- A sudden, significant increase in the number of active connections.
- Connections remain open for long durations without significant data transfer.
- Same IP Sending Many Requests Slowly
Attackers often use a single IP address or a small group of IPs, making multiple slow requests to keep the server engaged.
Log Example (Access Logs):
[Nov 21 15:24:00] 192.168.1.110 - - [21/Nov/2024:15:24:00 +0000] "GET / HTTP/1.1" - - "-" "-"
[Nov 21 15:24:30] 192.168.1.110 - - [21/Nov/2024:15:24:30 +0000] "GET /index.html HTTP/1.1" - - "-" "-"
[Nov 21 15:25:00] 192.168.1.110 - - [21/Nov/2024:15:25:00 +0000] "GET /about HTTP/1.1" - - "-" "-"
Signs:
- Repeated requests from the same IP address with long intervals between them.
- Missing or incomplete response status codes.
Enhancing Mitigation with WAF and CDN Technologies
Web Application Firewalls (WAFs) and Content Delivery Networks (CDNs) help mitigate Slowloris attacks by filtering malicious traffic and preserving server resources. WAFs analyze incoming traffic to detect patterns associated with Slowloris attacks, such as incomplete HTTP headers, unusually long connection durations, and repeated requests from the same source. They enforce rate-limiting rules to restrict slow connections from monopolizing resources. Modern WAFs use machine learning to detect anomalies and block malicious behavior, ensuring that legitimate traffic is prioritized.
WAF technologies offer:
- Traffic Filtering: Blocks incomplete HTTP requests and identifies abnormal connection behaviors to prevent attack traffic from consuming server resources.
- Rate Limiting: Caps the number of allowed requests or connections per IP to reduce the impact of slow, persistent attacks.
- Anomaly Detection: Uses behavioral analysis and machine learning to recognize unusual traffic patterns and adapt to new Slowloris attack methods.
- Connection Timeout Enforcement: Identifies and terminates connections that remain idle or incomplete beyond a set time frame, freeing server resources.
CDNs complement WAFs by distributing incoming traffic across their global network, ensuring that no single server is overwhelmed. CDNs absorb the impact of slow connections by handling requests at the edge of the network, reducing the burden on the origin server. They also cache static content, minimizing the server’s workload and ensuring responsiveness during an attack. Together, WAFs and CDNs provide a layered defense that mitigates the effects of Slowloris attacks and maintains service availability.
CDN technologies offer:
Dynamic Caching: Serves static content from edge locations to minimize the load on backend servers, ensuring availability during an attack.
Traffic Distribution: Spreads incoming traffic across multiple edge servers to balance the load and prevent overloads.
Edge Filtering: Blocks incomplete or suspicious HTTP requests at the network edge, preventing them from reaching the origin server.
Connection Handling: Manages slow, persistent connections at the edge, reducing strain on the origin server.