 Case Study of Slowloris Ddos attack

 What is a Slowloris DDoS attack?

Slowloris is a denial-of-service attack program which allows an attacker to
overwhelm a targeted server by opening and maintaining many simultaneous
HTTP connections between the attacker and the target.

 How does a Slowloris attack work?

Slowloris is an application layer attack that exploits partial HTTP requests to
overload a targeted web server. Unlike bandwidth-heavy DDoS attacks, Slowloris
consumes minimal bandwidth while exhausting server resources by keeping
connections open for as long as possible. It's a "low and slow" attack, aiming to
overwhelm server threads with seemingly normal but deliberately delayed requests.
Once the server's capacity is exceeded, it stops responding to additional
connections, resulting in a denial-of-service situation.
The Slowloris attack overwhelms a web server by exploiting its handling of HTTP
connections. Here's a condensed explanation:
1. **Connection Initiation**: The attacker opens multiple connections to the server.
2. **Partial Requests**: Instead of complete HTTP requests, the attacker sends slow
and partial requests.
3. **Keep-Alive Header Usage**: Slowloris abuses the Keep-Alive header to keep
connections open without completing requests.
4. **Persistent Connections**: The attacker sends periodic headers to maintain
connections, tying up server resources.
5. **Resource Depletion**: With many open connections, the server exhausts
resources like threads, leading to unresponsiveness.
6. **Denial of Service**: Eventually, the server can't accept more connections,
denying service to legitimate users.
Slowloris is effective due to its low resource usage on the attacker's side and its
ability to evade detection, posing a significant threat to web servers.
  A Slowloris attack occurs in 4 steps:

1. The attacker first opens multiple connections to the targeted server by

sending multiple partial HTTP request headers.

2. The target opens a thread for each incoming request, with the intent of
closing the thread once the connection is completed. In order to be
efficient, if a connection takes too long, the server will timeout the
exceedingly long connection, freeing the thread up for the next request.

3. To prevent the target from timing out the connections, the attacker
periodically sends partial request headers to the target in order to keep
the request alive. In essence saying, “I’m still here! I’m just slow, please
wait for me.”

4. The targeted server is never able to release any of the open partial
connections while waiting for the termination of the request. Once all
available threads are in use, the server will be unable to respond to
additional requests made from regular traffic, resulting in denial-of-
service.

The key behind a Slowloris is its ability to cause a lot of trouble with very little
bandwidth consumption.

What is a Slowloris DDoS attack designed to

accomplish?
This type of DDoS attack is a simple but elegant method that allows an attacker to
take down a web server with very low complexity. Being able to identify them and
control the quality of mitigation is what makes this denial-of-service attack complex. A
Slowloris attack can be implemented with minimal bandwidth, is usually written in
Python, and has proven to be extremely effective against many types of web server
software, especially Apache 1.x and 2.x. These types of attacks were designed to look
like legitimate requests and bypass mitigation filters. Unlike bandwidth-consuming,
reflection-
Slowloris
Slowloris is a type of denial of service attack tool which allows a single machine to
take down another machine's web server with minimal bandwidth and side effects on
unrelated services and ports.
Slowloris tries to keep many connections to the target web server open and hold
them open as long as possible. It accomplishes this by opening connections to the
target web server and sending a partial request. Periodically, it will send
subsequent HTTP headers, adding to, but never completing, the request. Affected
servers will keep these connections open, filling their maximum concurrent
connection pool, eventually denying additional connection attempts from clients.[1]
The program was named after slow lorises, a group of primates which are known for
their slow movement.
 Testing Slowloris on a Testing website
To check whether Python is installed on your system or not, you can use the
command prompt or terminal:

1. Open Command Prompt on Windows or Terminal on macOS/Linux.

2. Type the following command and press Enter:

python --version

python3 –version

3. Install slowloris in your device using this command in your terminal:

4.Check if slowloris in installed in device

5. Now download and install the XAMPP Control Panel server

Using this link : https://www.apachefriends.org/download.html

6. Now turn on Apache server using XAMPP:

7. Now perform Slowloris attack using a command in terminal

slowloris -s 1000 -p 8081 127.0.0.1

s = sockets , p = ports

8. Now the website is under Slowloris Ddos Attack

Refresh the page to see results: