Slowloris is a tool that enables a single machine to execute a denial-of-service (DoS) attack against web servers. Slowloris generates partial HTTP requests (sometimes adding new dummy headers to avoid inactivity timeouts) to occupy all of a web server's connection slots. This prevents legitimate requests from being processed. Another variant of the attack instead initializes TLS connections very slowly in order to accomplish the same goal.

Slowloris uses minimal network bandwidth to efficiently carry out attacks, letting attackers orchestrate them much more easily and cheaply than other types of DoS and distributed denial-of-service (DDoS) attacks. A slowloris attack is fairly simple to perform and thus doesn’t require much coding skill or resources on the attacking computer to carry out.

Slowloris takes advantage of a longstanding vulnerability within the HTTP protocol. It became a well-known topic in cybersecurity throughout the 2009 Iranian presidential election, during which state actors were repeatedly targeted by slowloris attacks. 

Historically, slowloris has proven highly effective against Apache server architectures. An estimated 28.4% of active websites (per W3Techs) run on Apache, highlighting just how vulnerable a significant portion of web applications are. However, other types of servers—and especially those running older software versions—are potentially impacted (notably IIS 6).

How does a slowloris attack work?

Slowloris' odd-sounding name actually comes from mother nature. Like the notoriously sluggish slow loris primate native to southeast Asia, the program opens many connections at once and sends partial HTTP request headers over each of them at a snail's pace. These requests are never fully completed and can't be processed on the backend, but they do consume web server resources.

This process requires the attacker's machine to open a high volume of persistent connections with the web server. HTTP request headers are sent periodically to keep those connections alive, and since an HTTP request can carry an almost unlimited number of headers (depending on whether the web server limits them), a single connection can remain open for as long as the attacker desires. The attack fails only if the gaps between header fragments are large enough for the server's inactivity timeout to fire, which frees the worker thread and closes the troublesome connection.

A slowloris attack will exhaust a server's connection pool over time. While the attacker's machine can maintain an indefinite conversation with the web server, the server doesn't have the same capability. With no capacity remaining to serve legitimate requests, the server will reject incoming requests from other clients or crash outright.

Slowloris attacks are highly effective and highly difficult to spot due to their small footprint. And because each request is structured properly despite not being completed, many security measures won't flag these traffic profiles as suspicious. The client or network simply appears to be slow as opposed to malicious.

Does HAProxy help mitigate slowloris attacks?

Yes! HAProxy has a timeout http-request setting which can limit how long a client can take to complete a full request, on top of rate limiting rules to prevent the attacker from making more. Since HAProxy only sends a request to the backend once it's received in its entirety, backends behind HAProxy won’t receive this attack traffic. 

Rate limiting and reverse proxying are the primary countermeasures available against slowloris attacks. HAProxy is also designed to use as little CPU and memory as possible per ongoing connection, so holding many slow connections open costs it far less than it costs the backend, and its rate limiting prevents individual clients from opening too many connections or sending too many requests too frequently.
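The following configuration is an added example, not taken from the HAProxy documentation or from this page, showing the two controls described above side by side: a defaults section that first relies only on timeout client (the weak setting, which lets a slow client hold a connection for the full client timeout) and then adds timeout http-request, plus a frontend that uses a stick table to bound per-source concurrent connections, connection rate and request rate. The frontend and backend names (fe_web, be_app), the backend address 127.0.0.1:8080 and all threshold values are assumptions chosen for illustration and should be tuned to real traffic.

```haproxy
global
    log stdout format raw local0
    maxconn 20000

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout server 30s
    # Weak setting on its own: with only "timeout client", a client that
    # trickles one header every few seconds resets the inactivity timer
    # each time and can hold this connection slot for as long as it likes.
    timeout client 30s
    # Mitigation: the complete request headers must arrive within 5s of the
    # connection (or of the previous request on a keep-alive connection).
    # A client that is still trickling headers after that gets a 408 and
    # the connection is closed, so the slot cannot be held indefinitely.
    timeout http-request 5s
    timeout http-keep-alive 2s

frontend fe_web
    bind :80
    # Per-source-IP counters: current connections, new connections per 10s
    # window and completed HTTP requests per 10s window (values assumed).
    stick-table type ip size 100k expire 30s store conn_cur,conn_rate(10s),http_req_rate(10s)
    # Start tracking the source address as soon as the TCP connection is accepted,
    # before any request bytes are needed, so slow clients are counted too.
    tcp-request connection track-sc0 src
    # A single machine holding many concurrent connections is the slowloris
    # signature; refuse new connections from a source above the limit.
    tcp-request connection reject if { sc_conn_cur(0) gt 50 }
    # Refuse sources that open connections faster than the assumed limit.
    tcp-request connection reject if { sc_conn_rate(0) gt 100 }
    # Once a request is complete, rate-limit it at the HTTP layer with a 429.
    http-request deny deny_status 429 if { sc_http_req_rate(0) gt 200 }
    default_backend be_app

backend be_app
    # Only requests that HAProxy has received in full are forwarded here,
    # so the application server never sees partial slowloris requests.
    server app1 127.0.0.1:8080 check
```

When timeout http-request fires, HAProxy logs the connection with HTTP status 408 and the termination state "cR" (client-side timeout while waiting for a complete request); counting 408/cR log lines per source address is a simple way to confirm that slow-request traffic is being cut off rather than reaching the backend.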

As the world's fastest application delivery and security platform, HAProxy One bolsters rate limiting with stick table functionality and other multi-layered security features that can detect anomalous behavior to prevent suspicious traffic from reaching your servers. HAProxy Fusion's Native Statistics and new Access Logs dashboards let you view and act on IP activity data to stop slowloris in its tracks. 

To learn more about HAProxy and slowloris, check out our Application-Layer DDoS Attack Protection With HAProxy blog post or our Global Profiling Engine documentation.