Deny All releases a patch against Slowloris, an attack against Web servers
July 2009, by Deny All
The DARC (Deny All Research Center), the division of Deny All that focuses on threat analysis and mitigation, performed a technical analysis of the tool and of the concept behind the attack. After 10 years of activity, the research performed by this department has led to the design of state-of-the-art Web application security engines.
Slowloris is a Perl script which can be run on any *nix platform.
The attack consists of initiating HTTP requests and never completing them. Each connection is kept open by the periodic transmission of additional HTTP headers. The figure below shows the trace of such a request and clearly identifies the “X-a: b” header used by the tool.
The Apache Web server passes a request to its processing modules only once that request is complete. As a consequence, it is vulnerable to the attack: it does not free the connections held open by the attack tool. Apache security modules cannot help for the same reason, since they never see the incomplete requests.
Once the attack is launched, the target server holds the attacker's connections open in the ESTABLISHED state.
After a short time the server becomes unreachable, and it remains so for the duration of the attack.
On Saturday, June 20th, the DARC provided Deny All customers with a workaround. This workaround, based on packet filtering and connection limit mechanisms, made it possible to prevent web sites from being impacted by this attack.
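To make the mechanism above concrete, here is an added Python model (not Deny All's code and not the Slowloris script) of why a worker that only enforces an idle timeout between received fragments never frees the connection while padding headers keep arriving, whereas a budget on the whole header block does free it; it also applies a per-source connection limit, the kind of mechanism the workaround relies on, to a constructed snapshot of ESTABLISHED connections. The traces, addresses, the 300 s idle timeout and the header-block deadline are all assumptions for illustration.

```python
from collections import Counter

# Constructed trace of one client connection: (seconds since accept, bytes).
# The request line and Host header arrive, then a padding header every few
# seconds; the blank line that would end the header block never arrives.
SLOW_CONNECTION = [
    (0.0, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"),
    (9.0, b"X-a: b\r\n"),
    (18.0, b"X-a: b\r\n"),
    (27.0, b"X-a: b\r\n"),
]
NORMAL_CONNECTION = [(0.0, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n")]

# Constructed snapshot of ESTABLISHED connections: (client address, server port).
ESTABLISHED = ([("192.0.2.10", 80)] * 150 + [("198.51.100.7", 80)] * 3
               + [("192.0.2.10", 443)] * 2)


def read_request_headers(trace, idle_timeout=300.0, header_deadline=None):
    """Simulate one worker reading a request's header block.

    idle_timeout: seconds allowed between two fragments (the only limit the
    classic Apache 'Timeout' directive enforces; 300 s assumed here).
    header_deadline: optional budget for the whole header block (an assumed
    mitigation used for contrast, not something the page describes).
    Returns ('complete' | 'closed' | 'held', seconds): 'held' means the trace
    ended with the worker still waiting, so the slot stays occupied.
    """
    def cutoff(last_seen):
        limit = last_seen + idle_timeout
        return limit if header_deadline is None else min(limit, header_deadline)

    buf, last_seen = b"", 0.0
    for now, data in trace:
        if now > cutoff(last_seen):          # nothing arrived in time: give up
            return ("closed", cutoff(last_seen))
        last_seen = now
        buf += data
        if b"\r\n\r\n" in buf:               # terminating blank line received
            return ("complete", now)
    return ("held", cutoff(last_seen))       # still waiting when trace ends


def sources_over_limit(established, max_per_source, port=80):
    """Client addresses holding more than max_per_source connections to port."""
    counts = Counter(ip for ip, p in established if p == port)
    return sorted(ip for ip, n in counts.items() if n > max_per_source)
```

With the idle timeout alone, each padding header resets the clock and the slot is never released; with a 20 s header-block budget the same trace is cut off at 20 s.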
On June 26th, a patch was made available for all Deny All products. This patch has been publicly released today after one week of testing.
Therefore, all Deny All customers can now be protected from this attack and from any variant based on the same technique.
This is the first patch released for Apache-based products against this attack.
As of today no official Apache native solution is available, as it requires heavy internal changes.
Thanks to the analysis performed by its research center, Deny All is the only vendor that has released such a solution for all its production platforms.