Security company Qualys is offering a tool admins can use to work out how vulnerable their servers might be to simple but often hard-to-detect a types of DDoS attack that exploit vulnerabilities in the design of HTTP.
The work of engineer Sergey Shekyan, QualysGuard Web Application Scanner (WAS) can be used to detect vulnerability to one of two possible slow HTTP attacks, ‘Slowloris’ and Slow POST detection; the first opens a connection but delays completion and can be exploited using a circulating tool, while the second involves manipulating the content length header.
Both can slow attacked servers down to a crawl or even a stop.
Despite being fairly simple to pull off, these techniques are believed to have been behind some of the attacks carried out in recent times by groups such as LulzSec, notably one on the CIA in June. Earlier in the year, slow HTTP was also used to attack Wikileaks.
An unknown number of servers could be configured in a way that might allow these attacks to succeed but quickly assessing vulnerability can be difficult without causing the server in question some difficulty. WAS allows this to be done without taking the server down.
“These types of attack are easy to execute because a single machine is able to establish thousands of connections to a server and generate thousands of unfinished HTTP requests in a very short period of time using minimal bandwidth,” writes Shekyan.
One thing WAS does not do is to mitigate the attacks which will vary from server platform to platform. On Apache, the first line of defence is to set up IPtables to disallow large numbers of requests from one IP address but this is still only one of a number of possible avenues. Defending against these types of DDoS can still be difficult.