DoS, or Denial of Service attacks, are nothing new. The main idea behind a DoS attack is to exhaust a devices resources (be it HTTP, some database backend, or any other form of ‘service’) until it can’t respond to legitimate requests anymore. The most popular form of DoS (i.e. the ones you read about in the paper) is link saturation. The plan is to send a massive amount of requests to a server, much more than it normally receives, in order to saturate either the server or its link.
Recently, a new method of DoS-ing Apache HTTP servers has emerged. Recently a tool (Slowloris) has been developed by RSnake with help from John Kinsella to launch the attack. The tool works by exhausting Apache processes. Apache comes configured to only allow a certain number of processes (default install is 256) and not answer any more requests when that limit is hit. This tool sends the first part of a HTTP request header. While Apache waits for the rest of the header, one of those 256 processes it taken up. By default, Apache will wait up to 5 minutes for those connections to complete. Once the tool has taken up all the available connections the Apache server will not serve any new requests.
$ perl slowloris.pl -dns
Welcome to Slowloris – the low bandwidth, yet greedy and poisonous HTTP client
Defaulting to port 80.
Defaulting to a 5 second tcp connection timeout.
Defaulting to a 100 second re-try timeout.
Defaulting to 1000 connections.
This would help you to test whether your server is actually vulnerable to this kind of DoS attacks.
Countering
If you have a good baseline on your web servers and know the limits of expected traffic – there is a quick and dirty fix for this. This fix assumes that the attack comes from the same source-ip. The following iptables rule limits the amount of connections from the same source to 20 connections.
iptables -A INPUT -p tcp –dport 80 -m connlimit –connlimit-above 20 -j REJECT –reject-with tcp-reset
With this in place, Slowloris can only take up 20 connections per source ip, leaving the other connections open for legitimate users.
Reference
[1] Above content is mainly based on the article: http://www.redspin.com/blog/2009/06/21/dos-ing-over-dial-up/
[2] The tool is available at http://ha.ckers.org/slowloris/
0 comments:
Post a Comment