Network Defenders Must Be Prepared to Deal with Low and Slow Attacks, Especially as Attackers Develop More Sophisticated Attack Tools
The first thing that comes to mind when hearing about another crippling denial-of-service attack is the volume of traffic the attackers sent to take down the service or to flood the victim's network. Recent attack trends, however, reveal an emerging threat: DoS attacks carried out with low and slow attack tools.
Low Bandwidth, Slow Attack
Low and slow attacks (sometimes called "low and silent") are designed to exhaust the resources of the victim until its services become unavailable and effectively halt. Unlike other denial-of-service attacks, low and slow techniques require very few resources from the attacker; they slowly occupy more and more resources on the victim machine until those resources are fully exhausted. For comparison, to perform a network-flood DoS attack on an online business an attacker needs to recruit several hundred bot machines that simultaneously send a large volume of traffic to overload the victim's network resources. Low and slow attacks, by contrast, can be launched from a single attacking computer, without additional bots and with a limited amount of traffic that looks legitimate in terms of both protocol rules and rates, and they exhaust the victim's resources without affecting neighboring services.
A popular low and slow attack tool is Slowloris, which holds HTTP connections open by sending partial HTTP requests. It sends an incomplete request and then continues to send additional header lines at regular intervals, never sending the blank line that ends the header block, so the server does not close the connection and its application stack (typically one worker thread or process per connection) is quickly tied up holding many requests in a state it was not designed to keep open in large numbers. In this way a web server can quickly reach its maximum connection capacity and become unavailable to new connections from legitimate users. Slowloris is most effective against servers that dedicate a thread or process to each connection; event-driven servers that keep an idle connection cheap are far less affected. To halt an online service with Slowloris, the attacker needs only one computer and a small amount of traffic.
Another popular low and slow attack tool is R.U.D.Y. (R U Dead Yet?), which exhausts a web server with long form-field submissions (a slow POST attack). It sends a complete set of headers that declares a very large Content-Length and then delivers the body one byte at a time, sleeping between bytes. The effect is very similar to Slowloris: the application threads remain occupied, waiting for these one-byte POST fragments, and the request never completes.
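To make the mechanics concrete, here is an added simulation (not code from the original article, nor from Slowloris or R.U.D.Y. themselves) of a thread-per-connection web server with a fixed worker pool. Slowloris-style connections send a partial request and then one bogus header per interval; RUDY-style connections send complete headers with a large Content-Length and then one body byte per interval; five legitimate clients queue behind them. The host name, the pool size, the 10-second send interval and the idle-timeout values are all assumptions chosen for the demonstration.

```python
"""Constructed simulation: why partial requests tie up a thread-per-connection
web server, and what a per-request read timeout does about it."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

Chunk = Tuple[int, bytes]   # (seconds after the previous chunk, data sent)


def slowloris_stream(n_headers: int, interval: int) -> List[Chunk]:
    """Partial request, then one bogus header per interval; the blank line
    that would end the header block is never sent."""
    chunks = [(0, b"GET / HTTP/1.1\r\nHost: victim.example\r\nUser-Agent: Mozilla/5.0\r\n")]
    chunks += [(interval, f"X-a: {i}\r\n".encode()) for i in range(n_headers)]
    return chunks


def rudy_stream(content_length: int, interval: int, n_chunks: int) -> List[Chunk]:
    """Complete headers announcing a large body, then one byte per interval."""
    head = (b"POST /login HTTP/1.1\r\nHost: victim.example\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            + f"Content-Length: {content_length}\r\n\r\n".encode())
    return [(0, head)] + [(interval, b"A")] * n_chunks


def legit_stream() -> List[Chunk]:
    """An ordinary client sends its whole request at once."""
    return [(0, b"GET / HTTP/1.1\r\nHost: victim.example\r\n\r\n")]


@dataclass
class RequestParser:
    """Minimal HTTP/1.1 request reader; feed() returns 'headers', 'body' or 'complete'."""
    buf: bytes = b""
    content_length: Optional[int] = None   # None until the header block has ended
    body: bytes = b""

    def feed(self, data: bytes) -> str:
        if self.content_length is None:
            self.buf += data
            end = self.buf.find(b"\r\n\r\n")
            if end < 0:
                return "headers"            # still waiting for the end of the headers
            head, data = self.buf[:end], self.buf[end + 4:]
            self.content_length = 0
            for line in head.split(b"\r\n")[1:]:
                name, _, value = line.partition(b":")
                if name.strip().lower() == b"content-length":
                    self.content_length = int(value.strip())
        self.body += data
        return "complete" if len(self.body) >= self.content_length else "body"


@dataclass
class Conn:
    chunks: List[Chunk]                       # relative schedule, set by the client
    parser: RequestParser = field(default_factory=RequestParser)
    state: str = "headers"
    last_rx: int = 0
    next_chunk: int = 0
    due: List[Tuple[int, bytes]] = field(default_factory=list)   # absolute times, set on accept


def simulate(streams: List[List[Chunk]], max_workers: int,
             idle_timeout: Optional[int], horizon: int) -> dict:
    """One-second ticks. A connection holds a worker from accept until its request is
    complete or it has sent nothing for idle_timeout seconds (None = never drop)."""
    backlog = [Conn(s) for s in streams]
    active: List[Conn] = []
    completed = dropped = 0
    for t in range(horizon + 1):
        while backlog and len(active) < max_workers:     # free workers accept from the backlog
            c = backlog.pop(0)
            at = t
            for delay, data in c.chunks:
                at += delay
                c.due.append((at, data))
            c.last_rx = t
            active.append(c)
        keep = []
        for c in active:                                 # deliver whatever arrived this second
            while c.next_chunk < len(c.due) and c.due[c.next_chunk][0] <= t:
                c.state = c.parser.feed(c.due[c.next_chunk][1])
                c.last_rx = t
                c.next_chunk += 1
            if c.state == "complete":
                completed += 1
            elif idle_timeout is not None and t - c.last_rx >= idle_timeout:
                dropped += 1                             # the read timeout frees the worker
            else:
                keep.append(c)
        active = keep
    return {"busy": len(active), "queued": len(backlog),
            "completed": completed, "dropped": dropped}


def scenario(idle_timeout: Optional[int], max_workers: int = 10, horizon: int = 60) -> dict:
    """One attacker fills the pool (half Slowloris, half RUDY, 10 s between sends);
    five legitimate clients arrive behind it."""
    attack = ([slowloris_stream(30, 10) for _ in range(max_workers // 2)]
              + [rudy_stream(1_000_000, 10, 30) for _ in range(max_workers - max_workers // 2)])
    return simulate(attack + [legit_stream() for _ in range(5)], max_workers, idle_timeout, horizon)


if __name__ == "__main__":
    print("no read timeout :", scenario(None))   # legitimate clients never get a worker
    print("5 s idle timeout:", scenario(5))      # slow connections dropped, pool recovers
    print("15 s idle timeout:", scenario(15))    # timeout longer than the send interval: no help
```

With no read timeout all ten workers stay busy for the whole run and the legitimate requests never leave the backlog; with a 5-second idle timeout every attack connection is dropped and the pool recovers. The third run is the caveat a practitioner should keep in mind: a timeout longer than the attacker's send interval (here 15 s against sends every 10 s) changes nothing, and a real attacker tunes the interval to sit just inside whatever timeout the server advertises by its behaviour. The `idle_timeout` models per-request header and body read timeouts of the kind web servers expose (for example Apache's mod_reqtimeout `RequestReadTimeout` directive), which is the first-line hardening against both tools.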
Low and Slow Go Under the Radar
Low and slow attack tools go under the radar of existing security solutions because every individual packet sent by tools such as Slowloris and RUDY is legitimate and violates no network standard or security policy. It is the stream of those packets over time, and the way it misuses server resources, that turns them into an attack, and that behaviour is very hard to detect with solutions that inspect packets or rates in isolation.
Resource Aware Detection
Security solutions that aim to provide a sustainable, long-term answer to low and slow attack techniques must become aware of the resource consumption of the servers they protect. Server resources that low and slow attacks can exhaust include CPU, memory, connection tables, application state (virtual or real), application threads and more. A resource-aware detector continuously monitors the allocation status and trends of those resources on the servers and identifies their misuse. For example, long-lived and relatively idle open network connections may indicate a connection-table misuse attack, and an application that waits unusually long for a request to complete (i.e., is stuck in a step that should have finished quickly) may be under a RUDY attack.
Current security solutions are challenged by low and slow attacks because they do not look into the server's resources and are therefore unaware of their misuse. One technique to overcome this is tighter integration between the protected server and the attack detector, with resource-utilization information shared directly from the servers. An alternative is to let the detector analyze the behaviour of the connections opened to the server and model the state of the application stack's resources itself, without a direct connection to the servers. With proper behaviour analysis, misuse of network and application resources can be identified with high accuracy. Once the activity is detected, it can be traced back to its origin and mitigated accordingly.
Whatever the resolution, it is clear that security solutions must develop new techniques to deal with low and slow attacks, because the ease of launching these attacks and their effectiveness encourage attackers to develop more sophisticated low and slow tools and to use them more widely.
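The two detection rules above (long-lived connections still waiting for their headers; request bodies arriving far too slowly for the size announced) and the trace-back to a source can be written down directly. The following is an added example, not the article's own code or any product's detection engine. It runs over a constructed snapshot of a web server's connection table, of the kind a server-status export or socket accounting could provide; the snapshot contents, the field names and the thresholds are all assumptions for the demonstration.

```python
"""Resource-aware detection over a constructed connection-table snapshot."""
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Thresholds (assumptions; tune them to the protected application):
HEADER_MAX_AGE = 30          # s: a real client finishes its headers well within this
BODY_MIN_AGE = 30            # s: do not judge a body transfer younger than this
BODY_MIN_RATE = 64.0         # bytes/s: below this a large POST body is not a real upload
MIN_FLAGGED_PER_SOURCE = 3   # flagged connections before a source is treated as an attacker

# Constructed snapshot (not real data): one open connection per line, taken at SNAPSHOT_NOW.
# accepted/last_rx are epoch seconds; state is the server-side request parser state;
# body_rx is the number of body bytes received so far, body_len the declared Content-Length.
SNAPSHOT_NOW = 1_700_000_300
SNAPSHOT = """\
# src          accepted            last_rx             state        body_rx       body_len
203.0.113.7    accepted=1700000010 last_rx=1700000290  state=headers body_rx=0       body_len=0
203.0.113.7    accepted=1700000012 last_rx=1700000292  state=headers body_rx=0       body_len=0
203.0.113.7    accepted=1700000014 last_rx=1700000294  state=headers body_rx=0       body_len=0
198.51.100.4   accepted=1700000020 last_rx=1700000298  state=body    body_rx=28      body_len=1000000
198.51.100.4   accepted=1700000022 last_rx=1700000299  state=body    body_rx=28      body_len=1000000
198.51.100.4   accepted=1700000024 last_rx=1700000300  state=body    body_rx=28      body_len=1000000
192.0.2.55     accepted=1700000299 last_rx=1700000299  state=body    body_rx=5120    body_len=2000000
192.0.2.80     accepted=1700000240 last_rx=1700000300  state=body    body_rx=3000000 body_len=5000000
192.0.2.81     accepted=1700000299 last_rx=1700000299  state=headers body_rx=0       body_len=0
"""


def parse_snapshot(text: str) -> List[dict]:
    """Parse 'src key=value ...' lines; numeric values become ints."""
    conns = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        src, *kv = line.split()
        rec: dict = {"src": src}
        for item in kv:
            key, _, value = item.partition("=")
            rec[key] = int(value) if value.isdigit() else value
        conns.append(rec)
    return conns


def flag_connection(c: dict, now: int) -> Optional[str]:
    """Return a reason if the connection misuses server resources, else None."""
    age = now - c["accepted"]
    idle = now - c["last_rx"]
    # Slowloris pattern: the request header block has not ended after a long time.
    if c["state"] == "headers" and age >= HEADER_MAX_AGE:
        return f"incomplete headers after {age}s (idle {idle}s)"
    # RUDY pattern: a large body is being delivered far too slowly to be an upload.
    if c["state"] == "body" and age >= BODY_MIN_AGE:
        rate = c["body_rx"] / age
        outstanding = c["body_len"] - c["body_rx"]
        if rate < BODY_MIN_RATE and outstanding > 0:
            return f"body at {rate:.2f} B/s with {outstanding} bytes outstanding"
    return None   # young connections and healthy transfers are left alone


def analyze(text: str, now: int) -> Tuple[List[Tuple[str, int, str]], Dict[str, int], List[str]]:
    """Flag misused connections, count them per source, and list sources to mitigate."""
    flags = []
    for c in parse_snapshot(text):
        reason = flag_connection(c, now)
        if reason:
            flags.append((c["src"], c["accepted"], reason))
    per_source = Counter(src for src, _, _ in flags)
    mitigate = sorted(ip for ip, n in per_source.items() if n >= MIN_FLAGGED_PER_SOURCE)
    return flags, dict(per_source), mitigate


if __name__ == "__main__":
    flags, per_source, mitigate = analyze(SNAPSHOT, SNAPSHOT_NOW)
    for src, accepted, reason in flags:
        print(f"{src:14} accepted={accepted} {reason}")
    print("flagged connections per source:", per_source)
    print("sources to mitigate:", mitigate)
```

The age and idle checks are deliberately separate: Slowloris keeps `last_rx` fresh by sending a header every few seconds, so an idle-time rule alone would miss it, while the age of a connection that has still not delivered a complete header block is hard for the attacker to hide. The minimum-age guard on the body rule is the caveat that keeps a legitimate upload that is one second old (192.0.2.55 above) from being flagged on its first sample. Per-source counting is what turns individual flags into something mitigable; a threshold of one would penalize a single slow mobile client.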
Related Reading: Hash Table Vulnerability Enables Wide-Scale DDoS Attacks