A screenshot of mod_status on Apache under attack taken from Shekyan's blog post
(WEB HOST INDUSTRY REVIEW) — A software engineer has created a new HTTP denial-of-service attack that is harder to detect since it relies on prolonging the time clients need to read web server responses, according to a report by InfoWorld.
Qualys senior software engineer Sergey Shekyan says his method, Slow Read DoS, is based on previous research, but works by slowing down the server’s response. One of the earlier tools his work builds on, Slowloris, instead slows down HTTP requests in order to prevent the server from serving legitimate clients.
“The idea of the attack I implemented is pretty simple: Bypass policies that filter slow-deciding customers, send a legitimate HTTP request and read the response slowly, aiming to keep as many connections as possible active,” Shekyan writes in a blog post on the Qualys website.
The size of the server’s response has to be larger than what its send buffer can hold, according to the report, and the server’s send buffer has to be full for a long period to keep the connections active.
Shekyan implemented his attack in the latest version of slowhttptest, an open source slow DoS test application developed at Qualys, InfoWorld says.
HTTP servers like Apache, nginx, lighttpd and IIS 7.5 are vulnerable to Shekyan’s attack in their default settings, but some have built-in protection that can be turned on.
In a post on Friday, the Trustwave SpiderLabs blog offered a mitigation for Shekyan’s attack called SecWriteStateLimit, which places a limit on the number of concurrent threads in the SERVER_BUSY_WRITE state. If the threshold is met, new threads over the limit are terminated.
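The SpiderLabs mitigation keys on how many Apache workers are stuck writing a response at the same time, which is exactly what mod_status exposes (the screenshot at the top of the article shows that view). The following added example, not code from Shekyan, Qualys or Trustwave, parses the machine-readable form of mod_status (the `server-status?auto` output, whose `Scoreboard:` line marks a worker sending a reply with `W`) and applies the same kind of write-state threshold from the monitoring side, so an operator can watch for the condition SecWriteStateLimit reacts to. The sample status text is constructed for the example.

```python
"""Count Apache workers in the "Sending Reply" (SERVER_BUSY_WRITE) state from
mod_status output and flag when a write-state threshold is exceeded.

Added example; not code from Shekyan, Qualys or Trustwave SpiderLabs. It
assumes the machine-readable form of mod_status (server-status?auto), whose
"Scoreboard:" line uses the letter W for a worker that is sending a reply.
"""
import re
from collections import Counter

# Meaning of each scoreboard character, as documented for mod_status.
SCOREBOARD_LEGEND = {
    "_": "waiting",
    "S": "starting",
    "R": "reading_request",
    "W": "sending_reply",
    "K": "keepalive",
    "D": "dns_lookup",
    "C": "closing",
    "L": "logging",
    "G": "graceful_finish",
    "I": "idle_cleanup",
    ".": "open_slot",
}

# Constructed sample of server-status?auto output during a slow-read condition:
# nearly every busy worker is stuck sending a reply, only one is reading a request.
SAMPLE_STATUS = """\
Total Accesses: 1234
Total kBytes: 5678
BusyWorkers: 14
IdleWorkers: 2
Scoreboard: WWWWWWWWWWWWR_W_....
"""


def parse_scoreboard(status_text):
    """Return a Counter of worker states keyed by the legend names above."""
    match = re.search(r"^Scoreboard:\s*(\S+)", status_text, re.MULTILINE)
    if not match:
        raise ValueError("no Scoreboard line in mod_status output")
    counts = Counter()
    for ch in match.group(1):
        counts[SCOREBOARD_LEGEND.get(ch, "unknown")] += 1
    return counts


def write_state_ratio(status_text):
    """Fraction of occupied (non-open) slots that are in the sending-reply state.

    A slow-read condition pushes this towards 1.0 while request-reading stays low,
    which distinguishes it from an ordinary traffic spike.
    """
    counts = parse_scoreboard(status_text)
    occupied = sum(n for state, n in counts.items() if state != "open_slot")
    if occupied == 0:
        return 0.0
    return counts["sending_reply"] / occupied


def write_limit_exceeded(status_text, limit):
    """Mirror the idea of a write-state limit: True when more than `limit`
    workers are in SERVER_BUSY_WRITE at once."""
    return parse_scoreboard(status_text)["sending_reply"] > limit


if __name__ == "__main__":
    counts = parse_scoreboard(SAMPLE_STATUS)
    print("worker states:", dict(counts))
    print("sending_reply ratio: %.2f" % write_state_ratio(SAMPLE_STATUS))
    print("limit of 10 exceeded:", write_limit_exceeded(SAMPLE_STATUS, 10))
```

In production the status text would be fetched from the server's own status URL on a loopback address and the threshold tuned to the configured worker count; the ratio is worth tracking alongside the raw count because a busy but healthy server also has many workers writing, but it has a matching share reading requests.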
“It is rather serendipitous as I actually had the same attack scenario in mind for some time but never got around to develop working exploit code,” senior security researcher for SpiderLabs Ryan Barnett said in the post. “So a hat tip to Sergey Shekyan as we have seen in the security space that theoretical exploits fall on deaf ears and that you need working proof of concept code to get people to listen.”