A slow loris is a rather cute but slow-moving animal from Asia – and this mammal has a venomous bite. It has lent its name to a particularly toxic form of cyberattack: the slowloris DDoS attack.
DDoS stands for “Distributed Denial of Service”, and “ordinary” DDoS attacks, while extremely disruptive, are comparatively easy to spot. That’s because they rely on a veritable flood of traffic that ultimately shuts out legitimate traffic.
A slowloris DDoS attack, on the other hand, is slow, steady, and stealthy. It’s achieved by opening many connections to a server, sending only partial HTTP requests on each of them, and keeping those connections open for as long as possible. Over time, these held-open connections exhaust the server’s capacity and legitimate users are no longer able to make use of the service.
This subtle approach means that you won’t notice a bombardment of traffic as you would in a regular DDoS attack. True to its name, a slowloris attack moves slowly, draining the server’s capacity until it is no longer able to function and denial of service (DoS) occurs.
What is the Purpose of DDoS Attacks?
You may, quite rightly, be wondering how denial of service can benefit an attacker. The most obvious reason is to hold the victim to ransom. In other words, demanding money to end the attack. However, there are other reasons why you might experience such an attack.
On occasion, rivals or competitors may try to shut your servers down so that they can take advantage of the downtime. More often, however, a DDoS attack acts as a distraction to hide other malicious activities like reconnaissance, data theft, or other forms of network infiltration while attention is focused elsewhere.
Who is Susceptible to a Slowloris Attack?
Like other forms of cyberattack, slowloris attacks exploit a weakness. In this instance, attackers exploit servers that are set to keep connections open while waiting for complete information.
Apache HTTP servers are particularly vulnerable because, in its common process- and thread-based modes, Apache dedicates a worker to each connection, so a few hundred connections held open by an attacker can fill the worker pool; it can, however, be configured to resist this type of attack. Nginx presents a more difficult target because its event-driven design handles idle connections cheaply, but it will be susceptible if it is configured to allow persistent connections. Indeed, any HTTP server that’s configured to allow persistent connections is at risk.
How to Detect a Slowloris Attack
Because slowloris attacks don’t come with an abnormally high amount of traffic, they can be hard to spot. Typically, you will notice:
- Slowed performance. Pages load slowly or the server starts taking longer to respond.
- An increase in 500 Internal Server Error or 503 Service Unavailable responses, showing that the server can no longer keep up with requests.
- Blocked or dropped connections. That is, connection requests result in a timeout or are refused.
- High server resource consumption without a significant increase in traffic.
- Many open, incomplete connections – the mechanism attackers use to cause denial of service.
- Web server logs that show many requests from a single IP address that are sent slowly or many sluggish requests from a small set of IP addresses.
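As an added example (not code from the original post), here is a small Python detector for the last signal in the list: it scans constructed Apache access-log lines for the pattern in which a handful of clients produce many 408 Request Timeout responses or very long-running requests while overall request volume stays low. The log format, thresholds and sample addresses are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (not from any real server). The assumed
# format is Apache's LogFormat "%h %t \"%r\" %>s %D": client IP, timestamp,
# request line, status code, and time taken to serve the request in microseconds.
# Apache logs a 408 with an empty or partial request line when a client sends
# its headers too slowly, which is exactly what a slowloris client does.
SAMPLE_LOG = """\
203.0.113.7 [10/Mar/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 1834
198.51.100.9 [10/Mar/2024:10:00:03 +0000] "GET / HTTP/1.1" 408 30001452
198.51.100.9 [10/Mar/2024:10:00:04 +0000] "-" 408 30000877
198.51.100.9 [10/Mar/2024:10:00:05 +0000] "GET / HTTP/1.1" 408 30002110
198.51.100.9 [10/Mar/2024:10:00:06 +0000] "-" 408 29999913
203.0.113.7 [10/Mar/2024:10:00:07 +0000] "GET /about HTTP/1.1" 200 2210
198.51.100.9 [10/Mar/2024:10:00:08 +0000] "GET / HTTP/1.1" 408 30001002
192.0.2.55 [10/Mar/2024:10:00:09 +0000] "POST /login HTTP/1.1" 200 950
"""

LINE_RE = re.compile(r'^(\S+) \[[^\]]+\] "([^"]*)" (\d{3}) (\d+)$')


def find_slow_clients(log_text, slow_us=10_000_000, min_hits=3):
    """Return {ip: {"total", "timeouts", "slow"}} for clients that match the
    slowloris pattern: at least min_hits requests that ended in 408 Request
    Timeout, or at least min_hits requests that took longer than slow_us."""
    stats = defaultdict(lambda: {"total": 0, "timeouts": 0, "slow": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate lines in another format instead of crashing
        ip, _request, status, duration_us = m.groups()
        s = stats[ip]
        s["total"] += 1
        if status == "408":
            s["timeouts"] += 1
        if int(duration_us) >= slow_us:
            s["slow"] += 1
    return {ip: dict(s) for ip, s in stats.items()
            if s["timeouts"] >= min_hits or s["slow"] >= min_hits}


if __name__ == "__main__":
    # Note the headline symptom: only 8 requests in total, yet one client
    # accounts for every timeout. Volume alone would not reveal this.
    for ip, s in find_slow_clients(SAMPLE_LOG).items():
        print(f"{ip}: {s['timeouts']} timeouts, {s['slow']} slow of {s['total']}")
```

Tune `slow_us` to a little above your server's normal worst-case service time, and feed the function a rolling window of recent log lines rather than the whole file so the flagged set reflects current activity.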
How Common are Slowloris Attacks?
When servers are configured in such a way that they’re vulnerable, they’re easily targeted in slowloris attacks. And, in theory, just about anyone can launch a DDoS attack – no special skills are required.
That’s because, just as you buy legitimate software as a service, there are dark web marketplaces where it’s possible to buy DDoS as a service.
While slowloris DDoS attacks may sound less frightening than a brute-force bombardment of traffic, the ultimate result is the same. Servers are no longer able to function properly. And, since they are stealthier, slowloris attacks can be harder to spot and mitigate. This, and the fact that they can be launched with minimal resources, makes them relatively common.
What to Do if You Suspect a Slowloris Attack
If you suspect a slowloris attack, look for confirmation first. Check CPU usage and look for many open, incomplete connections; on Apache, the mod_status page shows this as workers stuck in the “reading request” state. Identify the IP addresses holding those connections and block them.
Next, address the weaknesses that allowed the attack to succeed in the first place. Configure the server to close connections quickly when a request arrives too slowly or never completes (Apache’s mod_reqtimeout RequestReadTimeout directive and Nginx’s client_header_timeout and client_body_timeout are the relevant settings). Also cap the number of simultaneous connections a single IP address may hold: a slowloris client sends very few requests but keeps many connections open, so a per-IP connection limit is more effective than a request-rate limit on its own.
Additional steps may include load balancing, placing a reverse proxy in front of the server (a proxy that reads the complete request before forwarding it shields the backend from half-open requests), and deploying a web application firewall. Set up an automated monitoring tool that will alert you if suspicious activity begins again.
Because slowloris attacks are often used to mask other malicious activities that would otherwise be noticed, you aren’t entirely out of the woods after stopping the attack. Look for unusual outgoing traffic that might show that data has been compromised, check for suspicious login attempts, and search for malicious scripts.
Since slowloris denial of service attacks are so often used as a delaying tactic during much more extensive cyberattacks, getting a crack cybersecurity team to help you combat the threat is advised.
Prevention is Better Than Cure
Being proactive about cybersecurity is the most effective way to combat the growing range of cyber threats. Malicious actors are always looking for vulnerabilities to exploit, making it essential to take pre-emptive action. A comprehensive security audit is an excellent starting point. It helps identify weaknesses and lays the foundation for a robust cybersecurity strategy, reducing your risk of becoming an easy target.
However, as organisations ranging from government institutions to large tech enterprises have learned, even the most prepared can face attacks. This is why continuous monitoring is critical. Early detection of a cyberattack allows for rapid responses, minimising potential damage. With cybercrime being a 24/7 threat, round-the-clock monitoring is the best solution to ensure your systems remain secure.
At Advantex, we adopt a holistic approach to cybersecurity. This includes identifying and addressing vulnerabilities, training your staff to prioritise security, and monitoring your systems through our state-of-the-art Security Operations Centre (SOC). No organisation is too large or too small to be at risk, which is why we are committed to keeping you protected.
To further fortify your defences, we recommend Cisco Firepower Threat Defense (FTD) as a key line of defence. With advanced Intrusion Prevention System (IPS) capabilities, Cisco FTD is designed to detect and mitigate threats like slowloris attacks before they escalate. When combined with the proactive monitoring and expert analysis provided by Advantex’s 24/7 SOC, you gain a powerful shield against even the most sophisticated cyber threats.
Contact us today to learn more about how we can help secure your organisation and combat cybercrime together.