Security specialist Robert Hansen (aka RSnake) has released a tool that can disable even large web servers using a standard PC. The tool, called "Slowloris", does not exploit security vulnerabilities but instead relies on a feature of the HTTP protocol known as partial HTTP requests.
The HTTP protocol allows a client to deliver the data of a GET or POST request piecemeal, spread over a number of transmissions; depending on the server configuration, the first fragment can cause the server to reserve a large amount of resources for the response while it waits for the rest of the request. The web servers that are vulnerable to this type of attack are those that implement strategies to avoid system overloads by, for example, limiting the number of simultaneous HTTP connections. These include Apache HTTP server, DHTTPD, GoAhead Web Server and Squid, but not Microsoft IIS or Light HTTPd. The basic concept behind this new attack is similar to the half-open TCP connection attacks that have been seen in the past, except that this attack generally affects only the HTTP component of the server, while other services are largely unaffected.
There are a number of ways to defend against this attack: web servers can be placed behind load balancers or web application firewalls that forward only complete HTTP requests to the server, or the timeout for incomplete HTTP requests can be reduced.
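As an added example (not part of the article and not RSnake's tool), the following Python model shows how the request-timeout defence mentioned above works on the server side: the bytes a client sends for one request are modelled as (arrival time, data) chunks, and the header-read deadline slides only as fast as the client actually delivers data. `HeaderReadPolicy`, `read_headers`, the sample streams and the policy values (20 s, 40 s, 500 bytes/s) are illustrative assumptions, not settings from any real server.

```python
"""Model of a header-read timeout with a minimum data rate (added example).

A request that trickles in partial headers earns only a few milliseconds of
extra patience per byte, so it is dropped instead of occupying a worker slot
until the terminating blank line arrives (which it never does).
"""
from dataclasses import dataclass


@dataclass
class HeaderReadPolicy:
    initial_timeout: float          # seconds granted before any header bytes arrive
    max_timeout: float              # hard cap on total time spent reading headers
    min_rate: float                 # bytes/second; each byte extends the deadline by 1/min_rate
    max_header_bytes: int = 8192    # reject absurdly long header blocks outright


def read_headers(chunks, policy, start=0.0):
    """Classify one connection's header phase.

    chunks: iterable of (arrival_time_seconds, bytes) in arrival order.
    Returns (verdict, bytes_received) where verdict is "complete" (request line
    and headers ended by a blank line arrived in time), "timeout" (a chunk
    arrived after the sliding deadline), "too_large", or "incomplete" (the
    stream ended without a terminator, i.e. the slot would still be held).
    """
    deadline = start + policy.initial_timeout
    hard_deadline = start + policy.max_timeout
    buf = b""
    for t, data in chunks:
        if t > min(deadline, hard_deadline):
            return "timeout", buf
        buf += data
        if len(buf) > policy.max_header_bytes:
            return "too_large", buf
        # Data received buys proportional extra time, never beyond the hard cap.
        deadline = min(hard_deadline, deadline + len(data) / policy.min_rate)
        if b"\r\n\r\n" in buf:
            return "complete", buf
    return "incomplete", buf


# Illustrative policies (assumed values, not a real server's defaults).
STRICT = HeaderReadPolicy(initial_timeout=20.0, max_timeout=40.0, min_rate=500.0)
LENIENT = HeaderReadPolicy(initial_timeout=300.0, max_timeout=300.0, min_rate=1e9)

# Constructed sample streams, not captured traffic.
FAST_CLIENT = [(0.05, b"GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: x\r\n\r\n")]
SLOW_BUT_LEGIT = [(0.0, b"GET / HTTP/1.1\r\n"), (5.0, b"Host: example.test\r\n"), (10.0, b"\r\n")]
# One header line every 19 s, never a blank line: the partial-request pattern.
TRICKLE = [(0.0, b"GET / HTTP/1.1\r\nHost: example.test\r\n")] + [
    (19.0 * i, b"X-a: b\r\n") for i in range(1, 6)
]
```

Under `STRICT` the trickling stream is cut off at its third chunk (t = 38 s), while a genuinely slow client that finishes its headers within 10 s is still served; under `LENIENT` the same trickle is still "incomplete" after 95 s, which is exactly the slot exhaustion the article describes.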