27 Jul 2009

Protecting against the Slowloris HTTP DoS

As I bet you already know, Slowloris is an HTTP client that can easily bring the most widespread web servers to their knees, including:

  • Apache 1.x
  • Apache 2.x
  • IBM HTTP Server
  • Zeus Web Server
  • Squid caching proxy server
  • lighttpd 1.4
  • A few Verizon products, etc.

There's something especially relevant about this DoS attack: it requires very little bandwidth to bring down a production web server, which makes it particularly dangerous.

Do not panic, though. There is a really easy solution to the problem. As Daniel Robbins (Founder of Gentoo Linux and Funtoo) explained in his Slowloris DOS Mitigation Guide: Cherokee is the way to go.

First of all, the Cherokee web server is not vulnerable to the attack, so if your organization can switch to a newer web server, the problem is solved.

If you can't migrate, there is another option. Since Cherokee ships a reverse HTTP proxy with several load-balancing mechanisms, it can be deployed in front of your current web servers. Cherokee would then act as a kind of Layer-7 filter, protecting them from collapsing under attack.
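As an added illustration (not code from this post or from Cherokee), here is the kind of check a Slowloris-resistant server or Layer-7 proxy applies: a fixed deadline for receiving the complete request head, so a client that trickles one header line at a time is dropped while a normal client is served. The simulate() driver and the two sample clients are constructed for the demo.

```python
import socket
import threading
import time

HEADER_DEADLINE = 1.0   # seconds allowed for the *whole* request head
MAX_HEAD_BYTES = 8192   # refuse request heads larger than this

def read_request_head(conn, deadline=HEADER_DEADLINE, max_bytes=MAX_HEAD_BYTES):
    """Return the request head (bytes before the blank line), or None if no
    complete head arrived within `deadline` seconds. The deadline covers the
    whole head, not each read, so trickling one line at a time does not help."""
    buf = b""
    end = time.monotonic() + deadline
    while b"\r\n\r\n" not in buf:
        remaining = end - time.monotonic()
        if remaining <= 0 or len(buf) > max_bytes:
            return None
        conn.settimeout(remaining)
        try:
            chunk = conn.recv(4096)
        except socket.timeout:
            return None
        if not chunk:  # peer closed before finishing the head
            return None
        buf += chunk
    return buf.split(b"\r\n\r\n", 1)[0]

def simulate(lines, interval, deadline=0.5):
    """Hypothetical demo helper: a constructed client sends `lines` one by one,
    sleeping `interval` seconds between them, over a local socketpair."""
    server_side, client_side = socket.socketpair()
    def client():
        try:
            for line in lines:
                client_side.sendall(line)
                time.sleep(interval)
        except OSError:  # server already closed us: expected for the slow client
            pass
        client_side.close()
    t = threading.Thread(target=client, daemon=True)
    t.start()
    head = read_request_head(server_side, deadline=deadline)
    server_side.close()
    t.join(timeout=5)
    return head

# Constructed samples: a normal request, and a Slowloris-style one that
# never sends the terminating blank line.
NORMAL = [b"GET / HTTP/1.1\r\n", b"Host: example.test\r\n", b"\r\n"]
SLOW = [b"GET / HTTP/1.1\r\n", b"Host: example.test\r\n", b"X-a: 1\r\n", b"X-b: 2\r\n"]
```

With a 0.5 s head deadline, simulate(NORMAL, 0.01) returns the parsed head, while simulate(SLOW, 0.3) returns None because the connection is dropped before the attacker can keep it busy.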

Personally, there's something I really enjoyed about all of this: when Slowloris was released and we tested it against Cherokee, we didn't have to change a single line of code to fix the server... Cherokee was already safe. :-)

Comments

MD on Mon Jul 27 12:34:15 2009
Why do you list lighttpd, while the official site does not?

Alvaro Lopez Ortega on Mon Jul 27 12:40:27 2009
@MD: According to 'adrianilarionciobanu' (on June 21st, 2009 at 1:06 pm), it's vulnerable: http://ha.ckers.org/blog/20090617/slowloris-http-dos/

James on Mon Jul 27 15:20:42 2009
Another option is Perlbal, which was specifically written to deal with modem users, who are basically what Slowloris emulates.

Alvaro Lopez Ortega on Mon Jul 27 15:27:04 2009
@James: We've helped a couple of organizations (a big company and a university) to replace Perlbal with Cherokee. They had scalability issues and Cherokee solved them. (However, I must say that Perlbal's performance is above average - thinking of Squid, lighttpd, etc.)

Meh on Mon Jul 27 15:53:27 2009
"if your organization can switch..." You got SPNEGO supported yet?

Alvaro Lopez Ortega on Mon Jul 27 16:06:42 2009
@Meh: I'm afraid it's still an RFE... http://bugs.cherokee-project.com/94

Mike on Mon Jul 27 18:26:24 2009
My testing shows the current released version of lighttpd to be resilient in the face of Slowloris.

Garrett D'Amore on Mon Jul 27 19:38:42 2009
Very cool article... I'll have to give Cherokee a shot the next time I get around to building a web server. Btw, is Cherokee integrated into OpenSolaris SFW yet? :-)

Glynn on Mon Jul 27 23:29:06 2009
Of course a combination of Cherokee and something like Solaris Zones with resource management (incl. Crossbow for network virtualization and bandwidth caps) would be an excellent combination :)))

meh on Wed Jul 29 16:43:37 2009
Whoa, you ARE working on SPNEGO! That's a genuine delight to hear! Heavy-duty SSO is a must for any corporate environment :) Whee.

pag on Thu Aug 27 01:20:49 2009
Is Microsoft's IIS used less than every server you list there? ^_^
