What is a Slow Loris Attack?
In nature, the slow loris is a slow but venomous primate native to Southeast Asia. In computing, a slow loris attack is an attack on a website or server, first introduced in 2009.
A slow loris attack is a type of denial of service attack. As such, its goal is to make a website or server unable to serve its content online; in other words, it takes a site down. Most denial of service attacks use a large collection of computers, or ‘bots’, that all try to connect to the same server at the same time. This overwhelms the server so that no one else can access the website.
A slow loris attack is different, because it doesn’t take nearly as many computers to be successful. Instead of sending lots and lots of requests to a server as fast as possible, it sends fewer but slower requests. These slow requests “tie up” the server’s connections. This makes an attack much easier and cheaper for the attacker. In fact, I’ve run a few of these attacks myself from my desktop, no botnet needed. In this article, I will tell you how they worked.
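To make the server-side picture concrete, here is an added toy model (not code from this article or from any of the hosts tested) of a web server with a fixed number of connection slots, where connections that never finish sending their request headers hold a slot until the server's header-read timeout reaps them. The slot count, timeout and arrival rates are constructed assumptions; the timeout plays the role of a server setting such as Apache's mod_reqtimeout.

```python
"""Why a header-read timeout decides whether slow, incomplete requests can
exhaust a server's connection slots. Added educational model; all numbers
are constructed assumptions, not measurements from the article."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Conn:
    src_ip: str        # constructed documentation-range address
    opened_at: int     # tick at which the socket was accepted
    header_complete: bool = False  # slow connections never reach True


def simulate(max_slots: int, header_timeout: Optional[int],
             slow_conns_per_tick: int, ticks: int) -> Dict[str, int]:
    """Run a discrete-time model and report served vs refused legitimate requests.

    Each tick: `slow_conns_per_tick` new connections arrive that send only a
    partial header and then stay silent, occupying a slot as long as the server
    lets them; then one legitimate client arrives, which needs a free slot only
    momentarily (it completes its request and releases the slot at once).
    With header_timeout=None the server waits forever for the rest of the
    headers, so held slots are never freed and normal clients are refused.
    """
    held: List[Conn] = []
    served = refused = 0
    for t in range(ticks):
        # Mitigation: drop any connection whose headers are still incomplete
        # after header_timeout ticks, freeing its slot.
        if header_timeout is not None:
            held = [c for c in held if c.header_complete
                    or t - c.opened_at < header_timeout]
        # Slow connections take every slot they can get.
        for i in range(slow_conns_per_tick):
            if len(held) < max_slots:
                held.append(Conn(f"198.51.100.{i}", t))
        # Legitimate client: served if a slot is free, refused otherwise.
        if len(held) < max_slots:
            served += 1
        else:
            refused += 1
    return {"served": served, "refused": refused, "held_at_end": len(held)}


if __name__ == "__main__":
    print("no header timeout:", simulate(50, None, 5, 40))
    print("5-tick header timeout:", simulate(50, 5, 5, 40))
```

With no timeout the 50 slots fill after nine ticks and every later legitimate request is refused; with a 5-tick timeout the slow connections never hold more than 25 slots at once, so all 40 legitimate requests are served.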
Am I at Risk?
No one wants to pay for a website that their customers cannot access, especially if your website drives business, such as an eCommerce store. Unfortunately, the defenses against a slow loris attack have nothing to do with your website and everything to do with the web server and its configuration. If you operate on a shared server (as the vast majority of small business websites do), then you have absolutely no control over the settings of the server. This is one reason why we recommend that all of our clients host their websites on our servers. Learn more about our web services here. With our servers, you have the peace of mind that comes with hiring a security firm to handle your data, rather than a generic IT professional or, even scarier, a graphic designer.
So what if you do just want to buy a hosting package and trust that whoever set it up is protecting you from downtime? Who you choose as a host is of the utmost importance. Here at Sierra Secure, we took an afternoon to test a number of popular hosts against a slow loris attack (with permission, of course). Here are our results:
Wheaton is a small hosting service based in Illinois. They specialize in a service called ZenCart, which is an older eCommerce platform. It is hard to use and quickly losing support for many of its plugins and extra services, including security services. For these reasons, we recommend that our clients move away from ZenCart. Still, we need to give credit where credit is due. When we attempted a slow loris attack on one of their hosted websites (again, with permission), I was most impressed with their response. Not only was the attack ineffective, but they were the only host in our test that took the extra step of blocking the attacking IP address.
Webs is a web service that offers very basic services designed for those who wish to create their own website without any special skills. They are easy to use for the most basic of basic websites, but offer no advanced or even intermediate services. Still, to their credit, they were not vulnerable to the slow loris attack. They did not, however, block the IP address the attack came from. This is a step that we recommend: an IP address that has attempted one attack is likely to attempt a second. It is pretty easy for an attacker to get hold of other IP addresses, so it’s hardly a foolproof defense, but it will slow the attacks down slightly.
BlueHost is your typical generic shared hosting service. Because it is a shared server, you have no control over the settings of the server, so let’s see how they do. In our first test, the website we attacked immediately went down. They did not even block the IP address for future attacks; we could still access the website after we stopped the attack. However, when we attempted the same attack a second time, we were unable to make the site go down. It is unclear whether our IP address was simply still allowed to access the website under normal circumstances but subject to a timeout policy, or whether the server was just having a “bad day” when we first attacked it.
InMotion is another typical website hosting service, comparable to BlueHost. They have the same restriction on changing settings as any shared server. When we attempted the slow loris, they were completely unaffected. The IP address of the attack was not blocked, and, as we said before, it should be. Still, we can recommend InMotion, as it is full featured and did not seem vulnerable to this type of attack.