Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?


Network Security

The Need for Resource-Aware Mitigation Technology

Network Defenders Must Be Prepared to Deal with Low and Slow Attacks, Especially As Attackers Develop More Sophisticated Attack Tools…

Network Defenders Must Be Prepared to Deal with Low and Slow Attacks, Especially As Attackers Develop More Sophisticated Attack Tools…

The first thing that comes in mind when hearing about another lethal denial-of-service attack is the volume of traffic that the attackers sent in order to take down the service, or to flood the network of the victim. However, recent attack trends reveal an emerging threat of DoS attacks by low and slow attack tools.

Low Bandwidth, Slow Attack

DDoS AttacksLow and slow attacks (sometime defined as “Low and silent”) are designed to exhaust the resources of the victim until its services are become unavailable and the service effectively halts. Unlike other denial of service attacks, low and slow techniques require very little resources from the attackers and it slowly occupies more and more resources on the victim machine until full exhaustion of the victim’s resources. For comparison, in order to perform a network flood DoS attack on online business an attacker needs to recruit several hundreds bot machines that simultaneously send a significant amount of traffic to overload the network resources of the victim. On the contrary, low and slow attacks can be activated from a single attacking computer, without additional bots and with limited amount of traffic, which looks legitimate in both terms of the protocol rules and rates, to exhaust the resources of the victim without effecting neighboring services.

A popular low and slow attack tool is the Slowloris, which holds HTTP connections open by sending partial HTTP requests. Slowloris continues to send subsequent headers at regular intervals to keep the connections from closing and to occupy the application stack (many threads) quickly in a state that wasn’t designed with enough memory. In this way, a web server can quickly reach to its maximum application stack capacity and it becomes unavailable for new connections by legitimate users. To effectively halt online service with Slowloris, the attacker is required to use only one computer with small amount of traffic.

Another popular low and slow attack tool is the R.U.D.Y (R U Dead Yet?) that exhausts web server’s by creating a long form field submissions (a POST attack). This is done by iteratively injects one custom byte into a web application post field and then a sleep period. The result in a very similar to the Slowloris effect as the application threads are stuck, occupied, with these one byte POST fragments.

Low and Slow Go Under the Radar

Low and slow attack tools manage to go under the radar of existing security solutions. The reason for that is that every packet of attack tools such as Slowloris and RUDY is legitimate and does not violate any network standard or security policy; however, the stream of those packets and their misuse behavior turns them into an attack that is very hard to detect using existing security solutions.

Advertisement. Scroll to continue reading.

Resource Aware Detection

Security solutions that aspire to provide a sustainable, long term solution for low and slow attack techniques are required to become aware of the resources consumption of the servers they protect. An example of server resources that might be exploited by low and slow attacks are CPU, memory, connection tables, application states (virtual or real ones), application threads and more. Resource aware detection solutions must monitor all the time the resources allocation status and trends at the servers and to identify misuse of those resources. For example, long and relativity “idle” open network connections might imply that the server is under a connection table misuse attack. Also, an application that waits considerably long for the request to be completed (i.e., stuck in a process that was supposed to be completed quickly) might be under RUDY attack.

Current security solutions are challenged by low and slow attacks because they do not look into the server’s resources and they are not aware of the misuse of resources. One possible technique to overcome this challenge is to create a tighter integration between the protected server and the attack’s detector and to share resources utilization information directly from the servers. An alternative approach is to allow the attack’s detector to analyze the behavior of connections that are opened at the server and to “smartly” simulate the application stack resources without direct connection to the server themselves. With the proper behavior analysis technologies the misuse of the network and application resources can be identified with a very high accuracy. Once the activity is detected, it can be traced back to its origin and mitigated accordingly.

Whatever the resolution might be, it is clear that security solutions must develop new techniques to deal with low and slow attacks, because the ease of launching these attacks and their lethalness encourage hackers to develop more sophisticated low and slow attack tools and to encourage the use of these tools in attacks.

Related Reading: Hash Table Vulnerability Enables Wide-Scale DDoS Attacks

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Network Security

Our networks have become atomized which, for starters, means they’re highly dispersed. Not just in terms of the infrastructure – legacy, on-premises, hybrid, multi-cloud,...