A slow HTTP DoS attack takes advantage of this by never sending a finishing blank line to complete the HTTP header.
The HTTP protocol defines a blank line as the completion of a header. Similar to text editors, an HTTP request uses a at the end of a line to start a fresh line and two sequences to denote a blank line. The CRLF ( Carriage Return + Line Feed) is a sequence of non-printable characters that is used to denote the end of a line. User-Agent: Mozilla/5.0 (Windows NT 6.1 WOW64) AppleWebKit/537.36 (KHTML, like Gecko) A complete HTTP GET request resembles the following: GET /index.php HTTP/1.1 How it worksĪn analysis of an HTTP GET request helps further explain how and why a slow HTTP DoS attack is possible.
This breed of DoS attack is different from other DoS/DDoS attacks such as SYN flood attacks, which misuse the TCP SYN (synchronization) segment during a TCP three-way handshake. This technique lets an attacker consume server resources and restrict access using very little bandwidth. Naturally, if an attacker occupies all available HTTP connections for a web server and keeps them busy waiting, legitimate connections cannot be processed by the server and this causes a denial of service. If the attacker keeps every HTTP request open and feeds the server bogus data before the timeout is reached, the HTTP connection will remain open until the attacker closes it. In a slow HTTP POST attack, the attacker declares a large amount of data to be sent in an HTTP POST request and then sends it very slowly.Ī malicious user can open many connections to the server by initiating HTTP requests but not closing them.
A variation of this vulnerability is the slow HTTP POST vulnerability. It takes advantage of a vulnerability in thread-based web servers, which wait for entire HTTP headers to be received before releasing the open connection. A slow HTTP Denial of Service attack (DoS), otherwise referred to as the Slowloris HTTP attack, makes use of HTTP GET requests to occupy all available HTTP connections permitted by a web server.