Slowloris

[RSnake] has developed a denial of service technique that can take down servers more effectively. Traditionally, performing a denial of service attack entailed sending thousands of requests to a server, these requests needlessly tie up resources until the server fails. This repetitive attack requires the requests to happen in quick succession, and is usually a distributed effort. However, [RSnake]’s new technique has a client open several HTTP sessions and keeps them open for as long as possible. Most servers are configured to handle only a set number of connections; the infinite sessions prevent legitimate requests from being handled, shutting down the site. This vulnerability is present on webservers that use threading, such as Apache.

A positive side effect of the hack is that the server does not crash, only the HTTP server is affected. His example perl implementation, slowloris, is able to take down an average website using only one computer. Once the attack stops, the website will come back online immediately.

Update: Reader [Motoma] sent in a python implementation of slowloris called pyloris

[photo: cutebreak]

Hackaday

1 Articles

Slowloris HTTP Denial Of Service

Search

Never miss a hack

If you missed it

Mining And Refining: Uranium And Plutonium

Programming Ada: First Steps On The Desktop

The Hunt For MH370 Goes On With Barnacles As A Lead

MXM: Powerful, Misused, Hackable

VCF East 2024 Was Bigger And Better Than Ever

Our Columns

Supercon 2023: Alex Lynd Explores MCUs In Infosec

FLOSS Weekly Episode 780: Zoneminder — Better Call Randal

Slicing And Dicing The Bits: CPU Design The Old Fashioned Way

Hackaday Links: April 21, 2024

The Long And The Short Of It

Search

Never miss a hack

Subscribe

If you missed it

Our Columns