Usually when you think about Denial of Service attacks nowadays, most people think up images of the Anonymous kids running their copy of LOIC in a hivemind or Russian Gangsters building a botnet to run an online protection racket. Now there is a new-ish type of attack technique floating around which I believe will become more important over the next year or two: the slow http attacks.
How Slow DOS Works
Webservers run an interesting version of process management. When you start an Apache server, it starts a master process that spawns a number of listener processes (or threads) as defined by StartServers (5-10 is a good starting number). Each listener serves a number of requests, defined by MaxRequestsPerChild (1000 is a good number here), and then dies to be replaced by another process/thread by the master server. This is done so that if there are any applications that leak memory, they won’t hang. As more requests are received, more processes/threads are spawned up to the MaxClients setting. MaxClients is designed to throttle the number of processes so that Apache doesn’t forkbomb and the OS become unmanageable because it’s thrashing to swap. There are also some rules for weaning off idle processes but those are immaterial to what we’re trying to do today.
What happens in a slow DOS is that the attack tools sends an HTTP request that never finishes. As a result, each listener process never finishes its quota of MaxRequestsPerChild so that it can die. By sending a small amount of never-complete requests, Apache gladly spawns new processes/threads up to MaxClients at which point it fails to answer requests and the site is DOS’ed. The higher the rate of listener process turnover, the faster the server stops answering requests. For a poorly tuned webserver configuration with MaxClients set too high, the server starts thrashing to swap before it hits MaxClients and to top it off, the server is unresponsive even to ssh connections and needs a hard boot.
The beauty of this is that the theoretical minimum number of requests to make a server hang for a well-tuned Apache is equal to MaxClients. This attack can also take out web boundary devices: reverse proxies, Web Application Firewalls, Load Balancers, Content Switches, and anything else that receives HTTP(S).
Post photo by Salim Virji.
Advantages to Slow DOS Attacks
There are a couple of reasons why slow DOS tools are getting research and development this year and I see them growing in popularity.
- Speed and Simplicity: Slow DOS attacks are quick to take down a server. One attacker can take down a website without trying to build a botnet or cooordinate attack times and targets with 3000 college students and young professionals.
- TOR: With volume-based attacks like the Low Orbit Ion Cannon, it doesn’t make sense to route attack traffic through TOR. TOR adds latency, throttles the amount of requests that the attacker can send, and might eventually fail before the target’s network does. Using TOR keeps the defender from tracking you back to your real location.
- Server Logging: Because the request is never completed, most servers don’t make a log. This makes it very hard to detect or troubleshoot which means it takes longer to mitigate. I’m interested in exceptions if you know specifics on which webserver/tool combinations make webtraffic logs.
- IDS Evasion: Most DOS tools are volume-based attack. There are IDS rules to detect these: usually by counting the number of TCP SYN traffic coming from each IP address in a particular span of time and flagging the traffic when a threshold is exceeded. By using a slow DOS tool that sends requests via SSL, IDS has no idea that you’re sending it slow DOS traffic.
- Stay out of the “Crowbar Hotel”: Use the Ion Cannon, make logs on the target system, go to jail. Use slow DOS with TOR and SSL, leave less traces, avoid having friends that will trade you for a pack of cigarettes.
This part is fun, and by that I mean “it sucks”. There are some things that help, but there isn’t a single solution that makes the problem go away.
- Know how to detect it. This is the hard one. What you’re looking for is Apache spawned out to MaxClients but not logging a comparative volume of traffic. IE, the servers are hung up waiting for that one last request to finish and shucking all other requests.
- “ps aux | grep apache2 | grep start | wc -l” is equal to MaxClients +2.
- Your webserver isn’t logging the normal amount of requests. Use some grep-foo and “wc -l” to compare traffic from: a month ago, a day ago, an hour ago, and the last 5 minutes.
- Disable POST as a method if you don’t need it. Some of the more advanced techniques rely on the fact that POST can contain more headers and more body data.
- Use an astronomically high number of servers. If your server processes can timeout and respawn faster than the slow DOS can hang them, you win. If you had maybe 3000 servers, you wouldn’t have to worry about this. Don’t have 3000 servers, I might have some you could use.
- Set a lower connection timeout. Something like 15-30 seconds will keep Apache humming along.
- Limit the request size. 1500 bytes is pretty small, 3K is a pretty good value to set. Note that this needs testing, it will break some things.
- Block TOR exit nodes before the traffic reaches your webservers (IE, at layer 3/4). TOR has a list of these.