How can I detect Slowloris?

Slowloris attacks work by sending request data as slowly as possible. Therefore, if you can measure the bandwidth use per IP address, and it is below some threshold (found by measuring the bandwidth in a known Slowloris attack), then you know you are under attack.

To prevent attacks, I'd suggest switching your webserver software. I use Cherokee, which is resistant in its default configuration. I can't ascertain whether nginx is vulnerable, but lighttpd is. I also can't be sure that using a resistant webserver as a proxy will make any difference.

Here's more information: http://ha.ckers.org/blog/20090617/slowloris-http-dos/


Level 1: simple Slowloris DoS

To find the IP address of the Slowloris attacker, I use the following command line:

netstat -ntu -4 -6 |  awk '/^tcp/{ print $5 }' | sed -r 's/:[0-9]+$//' |  sort | uniq -c | sort -n

This will give you the number of active connections for each connected IP.

If you are under a simple DoS attack (a kiddie with one or a few IPs), the one with 50-100 connections (or more) is most probably a Slowloris attacker you can drop.

This is to detect and drop them (with iptables or your preferred hlfw) in "real time" if you are connected to the server during the attack.

Adding the processing time (%D or %T argument) to your Apache logs can also probably help to detect Slowloris attacks "postmortem" by analysing the logs; if you don't have this info in your logs, you won't be able to find anything interesting. See http://httpd.apache.org/docs/current/mod/mod_log_config.html for the log config.

Level 2: real big Slowloris DDoS

netstat (use watch netstat for refresh) can still help you see that some IPs are just always connected.

To fight Slowloris on Apache, install the reqtimeout module and set it up; example:

http://pastebin.com/3BNNwfyb

After that, every 408 you see in access_log is 99.999% sure a Slowloris attacker IP.

Using the reqtimeout Apache module, you can easily stand up against thousands of IPs and thousands of packets/second on a decent dedicated server.

iptables can also help a little with something like:

iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 100 -j DROP
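The "postmortem" log analysis this answer describes (a %D duration field plus the 408s that mod_reqtimeout produces), as an added example that is not part of the answer above: it scans Apache access-log lines and flags IPs with repeated 408 responses or with requests that took abnormally long to arrive. The log format, the sample lines and the thresholds are constructed for this example; tune the thresholds against a baseline of your own normal traffic.

```python
import re
from collections import Counter

# Assumed LogFormat (combined + %D, request duration in microseconds):
# "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" (?P<usec>\d+)$'
)

# Constructed sample log: 198.51.100.9 keeps being cut off with 408 by mod_reqtimeout,
# 192.0.2.33 trickles a single request in over 15 s, 203.0.113.7 is a normal client.
SAMPLE_LOG = """\
203.0.113.7 - - [17/Jun/2009:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.0" 1200
198.51.100.9 - - [17/Jun/2009:10:00:02 +0000] "GET / HTTP/1.1" 408 0 "-" "-" 20000456
198.51.100.9 - - [17/Jun/2009:10:00:03 +0000] "GET / HTTP/1.1" 408 0 "-" "-" 20000789
198.51.100.9 - - [17/Jun/2009:10:00:04 +0000] "GET / HTTP/1.1" 408 0 "-" "-" 20000120
203.0.113.7 - - [17/Jun/2009:10:00:05 +0000] "GET /a HTTP/1.1" 200 128 "-" "curl/7.0" 900
192.0.2.33 - - [17/Jun/2009:10:00:06 +0000] "GET /b HTTP/1.1" 200 64 "-" "Mozilla" 15000000
"""


def triage(log_text, max_408=3, slow_usec=10_000_000, max_slow=1):
    # Returns {ip: set(reasons)} for IPs whose behaviour looks like Slowloris.
    # Thresholds are placeholders, not values measured on any real server.
    timeouts = Counter()  # 408s per IP (mod_reqtimeout or plain Apache Timeout)
    slow = Counter()      # requests slower than slow_usec per IP
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:         # unparseable line: skip it rather than abort the pass
            continue
        ip = m.group("ip")
        if m.group("status") == "408":
            timeouts[ip] += 1
        if int(m.group("usec")) >= slow_usec:
            slow[ip] += 1
    suspects = {}
    for ip, n in timeouts.items():
        if n >= max_408:
            suspects.setdefault(ip, set()).add("%d x 408" % n)
    for ip, n in slow.items():
        if n >= max_slow:
            suspects.setdefault(ip, set()).add("%d slow request(s)" % n)
    return suspects


if __name__ == "__main__":
    for ip, why in sorted(triage(SAMPLE_LOG).items()):
        print(ip, ", ".join(sorted(why)))
```

Feed it a real log with `triage(open("access_log").read())`; the flagged IPs are candidates to verify against the netstat output above before you block anything, since a legitimately slow client on a bad link can also trip the duration threshold.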