Web - Resource Exhaustion Attacks
Download as PPTX, PDF0 likes216 views
Web servers and applications are vulnerable to slow denial of service (DoS) attacks that exhaust resources by opening many partial connections. These include slow header attacks that slowly send HTTP headers, slow POST attacks that slowly send HTTP post bodies, and slow read attacks that slowly read large responses. Tools used for these attacks include Slowloris, R-U-Dead-Yet (RUDY), and Slowhttptest. Web servers and web application firewalls can mitigate slow DoS attacks by setting limits on connections, bandwidth, request body sizes, and timeout thresholds.
Web - Resource Exhaustion Attacks
- 1. Web Resource Exhaustion Slow DoS Attacks
- 2. Resource Exhaustion – Slow DOS Attacks Goal of Attacker: • Exhaust pool of available TCP connections on server so that no new legitimate connections can be established Types of Attacks: • Slow Header Attacks • Slow POST Attacks • Slow Read Attacks
- 3. Slow Header Attacks Sends HTTP headers very slowly and never completes the header send process.
- 4. Slow Header Attacks Tools • Slowloris (Pyloris, QSlowloris) • OWASP HTTP Post Tool • Slowhttptest Who is Affected? • Any server that does not have HTTP header timeouts (notably Apache 1.x/2.x) How to Mitigate • Web server settings (max conns, conns/IP, min bps/conn, max total transfer time) • Switch to non-affected web server (ex: IIS) • Reverse proxy / SLB device • CDNs – CDN edge nodes usually do not take action until all headers are read
- 5. Slow POST Attacks Sends HTTP POST body very slowly and never completes the POST body process.
- 6. Slow POST Attacks Tools • R-U-Dead-Yet (RUDY) • OWASP HTTP Post Tool • Slowhttptest Who is Affected? • Any site that has forms (login, comments, feedback, etc.) and accepts HTTP POSTs How to Mitigate • Set max POST body size of each form • Web server settings (max conns, conns/IP, min bps/conn, max total transfer time) • WAF
- 7. WAF – Slow POST Additional Details Inspection Buffer • Usually up to 8KB by default is inspected • If POST is larger than configured buffer, overrun content is uninspected and unmeasured Best Practices • Increase buffer size if larger than 8KB POSTs are expected • Set max POST body size so that larger POSTs will be denied Note: If max body size < buffer size then all content will be inspected
- 8. Slow Read Attacks Keeps server sockets busy by throttling down the receipt of large HTTP responses.
- 9. Slow Read Attacks Tools • Slowhttptest • Nkiller2 • Sockstress Who is Affected? • Any TCP-based application How to Mitigate • Web server settings (max conns, conns/IP, min bps/conn, max total transfer time) • WAF
- 10. Resources • https://www.owasp.org/images/a/a6/Owasp_KS_slowDoS.pdf • http://media.blackhat.com/bh-dc- 11/Brennan/BlackHat_DC_2011_Brennan_Denial_Service- Slides.pdf • http://vimeo.com/7618090 (Defcon Slowloris video) • http://blog.spiderlabs.com/2011/07/advanced-topic-of-the- week-mitigating-slow-http-dos-attacks.html • https://en.wikipedia.org/wiki/Slowloris • https://community.qualys.com/blogs/securitylabs/2012/01/05/ slow-read