HTTP Denial-of-Service
About Hybrid
Creating web-business-logic security
Doing cool stuff in AI research
Optimizing acceptance rate for Web-bound transactions
Minimizing false rejects typical to signature-based solutions
SlowLoris
According to HTTP RFC 2616:
Request = Request-Line
          *(( general-header
           | request-header
           | entity-header ) CRLF)
          CRLF
          [ message-body ]
SlowLoris
A SlowLoris request looks well-formed, but the header section is never completed: the terminating CRLF required by the grammar above is withheld and filler headers keep trickling in, so the server holds the connection open in its read state:
GET http://www.google.com/ HTTP/1.1
Host: www.google.com
Connection: keep-alive
User-Agent: Mozilla/5.0
X-a: b
X-a: b
X-a: b
X-a: b
X-a: b
SlowLoris
DEMO
SlowLoris Mitigation
Patching Apache: use the Apache patch to moderate average timeout thresholds (link at end of presentation)
According to SpiderLabs (ModSecurity >= 2.5.13):
Add directive: SecReadStateLimit 5
Then ModSecurity alerts like this:
[Mon Nov 22 17:44:46 2010] [warn] ModSecurity: Access denied with code 400. Too many connections [6] of 5 allowed in READ state from 211.144.112.20 Possible DoS Consumption Attack [Rejected]
R-U-D-Y
Vulnerability discovered by Tom Brennan and Wong Onn Chee:
http://www.owasp.org/images/4/43/Layer_7_DDOS.pdf
The declared Content-Length is far larger than the form body that actually follows, which is delivered a few bytes at a time, so the server stays in its body-read state waiting for the rest:
POST http://victim.com/
Host: victim.com
Connection: keep-alive
Content-Length: 1000000
User-Agent: Mozilla/5.0
Cookie: __utmz=181569312.1294666144.1.1

username=AAAAAAAAAAAAAAAAAAAAAAAAA
R-U-D-Y
DEMO
R-U-D-Y Mitigation
Add directive: RequestReadTimeout body=30
Add the following rules (the first line initialises the per-client ip collection that setvar writes to; without it the counter has nowhere to live):
SecAction "phase:1,t:none,nolog,pass,initcol:ip=%{REMOTE_ADDR}"
SecRule RESPONSE_STATUS "@streq 408" \
    "phase:5,t:none,nolog,pass, \
    setvar:ip.slow_dos_counter=+1,expirevar:ip.slow_dos_counter=60"
SecRule IP:SLOW_DOS_COUNTER "@gt 5" \
    "phase:1,t:none,log,drop, \
    msg:'Client Connection Dropped due to high # of slow DoS alerts'"
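As an added illustration, not from the slides, the two rules above can be simulated in Python: a per-IP counter bumped on every 408 response, expiring 60 seconds after the most recent one, with the connection dropped once it exceeds 5. The client addresses and timings are constructed.

```python
from dataclasses import dataclass, field

THRESHOLD = 5        # SecRule IP:SLOW_DOS_COUNTER "@gt 5"
EXPIRE_SECONDS = 60  # expirevar:ip.slow_dos_counter=60


@dataclass
class SlowDosTracker:
    """Per-client-IP model of the ip.slow_dos_counter collection variable.
    expirevar re-arms the TTL each time the variable is set, so the window
    slides from the most recent 408, not from the first one."""
    counters: dict = field(default_factory=dict)  # ip -> (count, expires_at)

    def _live_count(self, ip, now):
        count, expires_at = self.counters.get(ip, (0, 0.0))
        return count if now < expires_at else 0  # expired -> treated as absent

    def on_response(self, ip, status, now):
        # Phase 5 rule: each 408 (RequestReadTimeout body=30 fired) bumps the counter.
        if status == 408:
            self.counters[ip] = (self._live_count(ip, now) + 1, now + EXPIRE_SECONDS)

    def should_drop(self, ip, now):
        # Phase 1 rule: drop the new connection once the counter exceeds THRESHOLD.
        return self._live_count(ip, now) > THRESHOLD


def replay(events):
    """Feed (time, ip, status) request records through both rules; return the
    (time, ip) pairs whose connection the phase 1 rule would drop."""
    tracker = SlowDosTracker()
    dropped = []
    for t, ip, status in events:
        if tracker.should_drop(ip, t):
            dropped.append((t, ip))
            continue  # dropped in phase 1: no response, so nothing reaches phase 5
        tracker.on_response(ip, status, t)
    return dropped


# Constructed sample: 10.0.0.5 lets six POST bodies time out within 50 s;
# 10.0.0.9 is merely flaky, with its 408s more than 60 s apart.
SAMPLE_EVENTS = [(10 * i, "10.0.0.5", 408) for i in range(6)] + [
    (55, "10.0.0.5", 200),
    (70, "10.0.0.9", 408),
    (140, "10.0.0.9", 408),
    (210, "10.0.0.9", 200),
]

if __name__ == "__main__":
    print(replay(SAMPLE_EVENTS))  # [(55, '10.0.0.5')]
```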
Future Research
Use a protocol fuzzer such as PEACH or SPIKE to explore the entropy of HTTP RFC-compliant input
Use nested and/or broken data structures to detect server-side zombie behavior
"If we knew what it was we were doing, it would not be called research, would it?" (Albert Einstein)
References
SlowLoris: http://ha.ckers.org/slowloris/
Anti-SlowLoris Patch: http://synflood.at/tmp/anti-slowloris.diff
Mitigation with ModSecurity: http://blog.spiderlabs.com/2010/11/advancedtopic-of-the-week-mitigating-slow-http-dosattacks.html
R.U.D.Y: http://hybridsec.com/tools/rudy/
Chapters In Web Security: http://chaptersinwebsecurity.blogspot.com
Thank You
raviv@hybridsec.com