Slow DOS Attack: Why It Is Dangerous and How to Detect Using a SIEM

Sujay Mendon
By Sujay Mendon

January 19, 2016

slow dos image

The incidence of Slow HTTP Denial of Service Attacks, otherwise known simply as Slow DOS attacks, is on the rise. Attackers using this method use HTTP GET requests to encroach the HTTP connections allowed on a server, preventing other users from accessing and given the attackers an opportunity to open up multiple connections on the same server. Slow DOS attacks are trickier to deal with as they don’t require many resources or planning. The attacker can launch the attack using just one system and sending 4 to 5 HTTP requests, unlike DOS or Distributed DOS attacks.

Without a doubt, a slow DOS attack is a potential threat for your server and one that you have to keep an eye out for. The first step is to understand how this type of attack works and the effects it can have on your server.

Also, check out how a Managed Detection and Response (MDR) service uses Artificial Intelligence (AI) techniques and machine learning to provide high speed cyber defense

How Slow DOS Attacks Work

When planning to launch an attack, the attackers look for potential gaps in the security protocol through which it can access the service. When it comes to thread-based web servers, there is an inherent fault, i.e. a connection is only released once it receives entire HTTP headers. This creates a vulnerability which attackers have been exploiting through slow DOS attacks. Apache servers have a timeout in place but even that is reset once additional data is sent over the network. This invalidates the purpose of the timeout, which is to allow time for the HTTP headers to be completed.

In this scenario, an attacker can penetrate the system by launching an HTTP request. However, the request will not be closed. This gives the attacker the chance to create multiple connections on the same server, as the server continues receiving bogus data from the attacker during the timeout period. Also, the HTTP connection stays open, allowing the attacker to occupy each and every connection available on that particular web server. This means that if any genuine user wants to access the server, they won’t be able to.

This is why this type is called a ‘Denial of Service’ attack, as the service is denied to real users. The attacker can work this attack using a low bandwidth, but still be able to limit access to the server for anyone else. This method of denying access is what sets Slow DOS attacks from other types of DOS attacks, such as SYN flood, where the TCP synchronization segment is tampered with while a three-way TCP handshake is being made.

The Effects

As mentioned, genuine users of a web server are denied service once an attack has been launched and all the HTTP connections occupied. But this is just one of the ways Slow DOS attacks impact web servers. The more significant aspect of this is the loss of revenue and negative impact on the bottom-line. Clients are unlikely to trust you if they are unable to access the server and retrieve the data they need. This means the profitability of your business will take a turn for the worse.

Not to mention, these types of attacks are typically hard to detect, particularly over DDoS and DoS. It is quite possible that the attack is discovered some time after the damage is done. Thwarting the attack and reclaiming your connections will mean significant downtime for your website, which results in further loss of revenue, and again, the client experience will be affected. This means loss of business and loss of customers in the future. So, as you can see, it is important for you to keep an eye out for slow DOS attacks.

Types of Slow DOS Attacks

Via Slow HTTP Headers

In this type of attack, the attacker reduces the pace at which the partial HTTP headers are sent. The pace is generally slower than the idle timeout value for that particular server. The HTTP request is not completed, and the headers are sent at intervals short enough to prevent the sockets from closing down. This means that the resources of the server remain occupied and once the timeout period is completed, all the available connections are occupied by the attacker.

Via Slow HTTP Post

In this type of attack, the attacker uses HTTP posts. The posts are made into the Form fields, where the attacker inputs data to initiate a request. In the request, the attacker mentions the amount of data the server can expect from the attacker. The attacker then proceeds to enter the data into the Form fields, but at a slow pace, in order to keep the resources on the server occupied. The server expects more data to be entered, which keeps it busy. There comes a point at which the server no longer has available resources as all existing resources have been taken over by the attacker.

The Potential Concerns

There are some potential concerns you should be familiar with regarding slow DOS attacks, including:

  • It is difficult to distinguish the bogus connections from the genuine connections you get from valid users
  • The conventional rate detection techniques aren’t capable enough to detect these attacks and thwart them before all the connections are occupied
  • Regardless of how strong and solid your web server is, a slow DOS attack can bring it down completely
  • A single system is enough for launching a coordinated slow DOS attack
  • The attacker doesn’t need a high bandwidth connection and the resources required for executing the attack are limited as well.

These are some of the potential concerns you should be aware of when it comes to slow DOS attacks. You need to find a way to nip these attacks in the bud, which we have figured out.

Detecting Slow DoS Attack via Slow HTTP Headers

Log Sources – Web Server – Apache (1.x & 2.x), dhttpd, Goahead and other Web Servers

Event Condition

Get the web server timeout – 300 seconds is default for Apache

If single [CRLF] tags are sent in headers and the time gap between two requests is less than 300 seconds, raise an alert

Note: Change the timeout as per the web server configuration. This may differ from application to application.

Description -

Normal Get Header

Normal Get Header

Normal Get Header containing CRLF tag but not Slow Dos Attack

Normal Get Header containing CRLF tag but not Slow Dos Attack

Here, this will not result in Slow Dos because 2 CRLF at the end denote the header part is complete and server need not wait anymore

Slow Dos Header

Slow Dos Header

Here, this will result in Slow Dos because of the presence of single CRLF tag at the end denoting the header is incomplete and server needs to wait for the complete header.

Tags: blog, How to protect from DOS attack, SIEM DOS attack, Dos attack, DOS attack Detection, DOS protection, slow Dos attack


Sujay Mendon

Sujay Mendon leads a team of cyber security researchers in Paladion's SOC services that actively hunt for vulnerabilities and threats in the global threat landscape. His team often lurks in the dark allies of the virtual world to discover the latest malware, malicious software, hacking methodologies, and ways to detect these attacks before the damage is done. Analysts receive the latest threat intelligence derived from this research, which helps them better respond to security events and alerts. When Sujay is not busy helping his team navigate the hot beds of cybercrime, he is seen imparting his knowledge to security geeks in various security forums and communities.