The Slowloris Attack: a bone of contention for enterprises
The proliferation of digital technology and the deployment of online platforms bring businesses not only opportunities but also online crime, fraud, data theft and the like. Cybercriminals increasingly use sophisticated tools and techniques to disrupt, damage and defame operations at will. The recent Slowloris outbreak is a case in point. A highly sophisticated DDoS (Distributed Denial of Service) attack, Slowloris is nearly undetectable with conventional tools and can be carried out from even a single computer. That makes it an easy attack for hackers to mount and a major challenge for enterprise cybersecurity.
How Slowloris works
Slowloris sends partial HTTP requests to a web server but never completes them. As a result, the server's resources are tied up and it has no capacity left to serve legitimate requests. It can slow down a server or a website, and even make it inaccessible. For a business this means an inability to serve customers and lost revenue from the downtime, and an attack of this kind also erodes customers' trust in the business's cybersecurity abilities.
Slowloris attacks are highly successful against servers configured to keep connections open for long durations, because the attacker benefits from the server's resources being consumed over a long period. The result can be a complete server crash, or a forced shutdown to mitigate the attack. Typically, such attacks are part of a wider cyberattack campaign and are aimed at causing additional disruption and delaying the response of cybersecurity teams. With increasing digitization, Slowloris attacks are on the rise too.
Why Slowloris attacks are more dangerous than regular DDoS
Slowloris attacks do not focus on overwhelming servers with high traffic volumes like a typical DDoS attack. This lets them remain undetected, and cybersecurity tools or teams do not immediately notice anything unusual. Traditional DDoS attacks can be detected because they get red-flagged by WAFs or intrusion prevention systems. Slowloris traffic, however, may not appear malicious to these tools, and despite being steadily overloaded with open connections, the server's activity might look normal. Conventional cybersecurity measures therefore prove inadequate against Slowloris DDoS attacks.
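Because the attack carries almost no traffic volume, the useful signal for a defender is the state of the server's connection table rather than the request rate: many old connections from one address that have sent only a few bytes and still have not finished their request headers. The following added example (written for this article, not code from the original or from Indusface) applies that heuristic to a constructed snapshot; the four-column text format, the IP addresses and the thresholds are all assumptions, and a real snapshot would be taken from the server's status page or the OS connection table and mapped into the same fields.

```python
"""Spot Slowloris-style connection patterns in a web server connection snapshot.

Added example, not code from the original article. It assumes a snapshot of
open connections in the constructed text format below (remote IP, seconds since
accept, request bytes received, whether the request headers are complete).
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    remote_ip: str
    age_s: float            # seconds since the TCP connection was accepted
    bytes_in: int           # request bytes received so far
    headers_complete: bool  # the blank line ending the headers has arrived


# Constructed sample: one normal client, one slow-but-legitimate client, and one
# host holding many old connections that never finished sending their headers.
SAMPLE_SNAPSHOT = """\
203.0.113.7     2.1   512  headers-complete
203.0.113.7     0.4   300  headers-complete
192.0.2.5       3.0    40  headers-pending
192.0.2.5       1.2    35  headers-pending
198.51.100.23  61.0    90  headers-pending
198.51.100.23  60.2    88  headers-pending
198.51.100.23  59.8    91  headers-pending
198.51.100.23  58.9    85  headers-pending
198.51.100.23  57.4    93  headers-pending
198.51.100.23  55.0    87  headers-pending
"""


def parse_snapshot(text):
    """Parse the whitespace-separated snapshot format into Conn records."""
    conns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, age, nbytes, state = line.split()
        conns.append(Conn(ip, float(age), int(nbytes), state == "headers-complete"))
    return conns


def suspicious_ips(conns, min_age_s=30.0, max_bytes=1024, min_conns=5):
    """Return {ip: count} for IPs holding at least min_conns connections that are
    old, have sent little data, and still have not completed their headers.

    Slowloris traffic is tiny in volume, so the signal is the state of the
    connection table, not the request rate: many stale, incomplete requests per IP.
    """
    stale = defaultdict(int)
    for c in conns:
        if not c.headers_complete and c.age_s >= min_age_s and c.bytes_in <= max_bytes:
            stale[c.remote_ip] += 1
    return {ip: n for ip, n in stale.items() if n >= min_conns}


def incomplete_ratio(conns):
    """Share of open connections still waiting for request headers; a server-wide
    gauge worth alerting on when it climbs while request throughput stays flat."""
    if not conns:
        return 0.0
    return sum(1 for c in conns if not c.headers_complete) / len(conns)


if __name__ == "__main__":
    snapshot = parse_snapshot(SAMPLE_SNAPSHOT)
    print("incomplete ratio:", round(incomplete_ratio(snapshot), 2))
    print("suspicious IPs:", suspicious_ips(snapshot))
```

The slow client at 192.0.2.5 has two pending requests but they are young, so the age threshold keeps it off the list; the address holding six connections that are a minute old with under a hundred bytes each is the one worth investigating. Tune the thresholds to the server's normal header-read times before alerting on them.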
Recent DDoS attacks
DDoS attacks are one of the biggest forms of cyberattack in India. Organizations as diverse as the CIA, the Government of Iran, Russian banks and GitHub have all been targeted by frequent DDoS attacks. In fact, according to a report by Indusface, on a sample of 1400 websites alone, 5 million DDoS requests were blocked every single day in November/December 2022 [1]. It is estimated that cloud-based digital infrastructure accounts for over 90% of security issues. Considering that an average ransomware attack cost $312,493 in 2021, it is not difficult to see why cybersecurity and adherence to processes demand the utmost attention [2]. What makes this more complicated is that, unlike traditional hacking attempts against application vulnerabilities, executing a DDoS attack does not require any special skill. For a few dollars, attackers can buy an hour of DDoS-as-a-service on the dark web.
Using reverse proxies – A reverse proxy is like a buffer between the server and the clients/users. It can monitor incoming requests and drop connections that resemble Slowloris attack traits.
Restricting number of connections per IP – Since Slowloris attacks are usually mounted through a single computer, they can be prevented by limiting the number of connections per IP. An advanced cloud-based WAF like Indusface AppTrana would enable this.
Reducing the maximum request duration – By not allowing connections to be kept open for a long time, Slowloris attacks can be prevented. Indusface AppTrana, a conventional load balancer or server timeout settings can help here.
Setting rate limits – By limiting the number of connections and requests that can be made to the server, the impact of a Slowloris attack can be mitigated. A firewall, a load balancer or an intrusion prevention system can enforce this.
Regular system and software updates – Nothing invites cyberattacks more than outdated software or hardware. An advanced DAST scanner such as Indusface WAS enables enterprises to detect all open vulnerabilities, categorized by OWASP Top 10 and SANS 25, and manage them.
Using an advanced DDoS mitigation service like Indusface AppTrana
A specialized DDoS mitigation service will be able to offer adequate protection against DDoS attacks including the Slowloris attacks. Such a service offers bundled managed services such as custom rate limiting, traffic filtering, and traffic diversion to protect servers and networks from such attacks. Bundled managed services integrate expertise and experience of certified human security professionals with AI-driven technologies. Thus, they come across as customized, holistic and precise security solutions that act as per the risk profile and needs of a business.
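The three connection-level controls in the list above (a cap on connections per IP, a maximum duration for receiving the request, and a rate limit on new connections) can be expressed as one small policy object and exercised against a constructed stream of connection events. The following is an added example written for this article, not Indusface or AppTrana code; the SlowRequestGuard class, its event methods and the IP addresses in the simulation are all hypothetical.

```python
"""Connection-level policy against slow, never-completing HTTP requests.

Added example, not code from the original article or any product. The guard is
driven by events (connect, bytes received, headers complete, close) so the
policy can be exercised here without a network; a real server would call the
same hooks from its accept and read paths.
"""
import itertools
from collections import defaultdict, deque


class SlowRequestGuard:
    """Hypothetical helper enforcing: a hard deadline for receiving request
    headers, a cap on concurrent connections per IP, and a cap on new
    connections per IP per minute."""

    def __init__(self, header_deadline_s=10.0, max_conns_per_ip=10, max_connects_per_min=60):
        self.header_deadline_s = header_deadline_s
        self.max_conns_per_ip = max_conns_per_ip
        self.max_connects_per_min = max_connects_per_min
        self._ids = itertools.count(1)
        self._conns = {}                   # conn_id -> (ip, header deadline or None)
        self._open = defaultdict(set)      # ip -> open conn ids
        self._recent = defaultdict(deque)  # ip -> accept timestamps in the last 60 s

    def on_connect(self, ip, now):
        """Return a connection id, or None if the connection must be refused."""
        window = self._recent[ip]
        while window and now - window[0] >= 60.0:
            window.popleft()
        if len(self._open[ip]) >= self.max_conns_per_ip:
            return None  # too many concurrent connections from this address
        if len(window) >= self.max_connects_per_min:
            return None  # connecting too often
        cid = next(self._ids)
        # The deadline is measured from accept and is never extended by later
        # bytes: a trickle of one header fragment every few seconds must not
        # keep the slot alive, which is exactly how Slowloris defeats idle timers.
        self._conns[cid] = (ip, now + self.header_deadline_s)
        self._open[ip].add(cid)
        window.append(now)
        return cid

    def on_bytes(self, cid, now):
        """Record activity; deliberately leaves the header deadline unchanged."""
        return cid in self._conns

    def on_headers_complete(self, cid):
        """Headers arrived in time: the request proceeds to normal handling."""
        ip, _ = self._conns[cid]
        self._conns[cid] = (ip, None)

    def close(self, cid):
        ip, _ = self._conns.pop(cid)
        self._open[ip].discard(cid)

    def sweep(self, now):
        """Drop every connection whose header deadline has passed; return their ids."""
        expired = [cid for cid, (_, dl) in self._conns.items() if dl is not None and now >= dl]
        for cid in expired:
            self.close(cid)
        return expired

    def is_open(self, cid):
        return cid in self._conns

    def open_count(self, ip):
        return len(self._open[ip])


def simulate():
    """Constructed scenario: one normal client and one host opening 25 connections
    that only ever trickle bytes without completing their headers."""
    guard = SlowRequestGuard(header_deadline_s=10.0, max_conns_per_ip=10)
    legit = guard.on_connect("203.0.113.7", 0.0)
    guard.on_bytes(legit, 0.1)
    guard.on_headers_complete(legit)

    accepted, rejected = [], 0
    for i in range(25):
        cid = guard.on_connect("198.51.100.23", 0.5 + i * 0.01)
        if cid is None:
            rejected += 1
        else:
            accepted.append(cid)
    for t in (5.0, 10.0):              # a byte every five seconds, headers never finished
        for cid in accepted:
            guard.on_bytes(cid, t)
    dropped = guard.sweep(10.6)
    return {
        "accepted": len(accepted),
        "rejected_at_accept": rejected,
        "dropped_by_deadline": len(dropped),
        "attacker_open_after_sweep": guard.open_count("198.51.100.23"),
        "legit_still_open": guard.is_open(legit),
    }


if __name__ == "__main__":
    print(simulate())
```

In the simulation the per-IP cap refuses 15 of the 25 connections outright, and the sweep closes the remaining 10 once their header budget expires, even though each of them sent data at 5 and 10 seconds; the legitimate request, whose headers completed in under a second, is untouched. The design point worth carrying over to a real deployment is that the limit on request duration has to be a total budget for the headers (as Apache's mod_reqtimeout RequestReadTimeout and nginx's client_header_timeout implement it), not an idle timer that resets whenever a byte arrives.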
Cyberattacks are inevitable and every modern enterprise operating in the digital space has either faced them already or is likely to be targeted. Instead of remaining oblivious to the threat or falsely believing that the business can escape the radar of cybercriminals, the best foot forward is to adopt a holistic DDoS mitigation tool or managed services. This would ensure that the business websites or apps would continue functioning 24×7 even if someone launches a Slowloris DDoS attack!
(The author is Mr. Venkatesh Sundar – Co-founder and CMO, Indusface, and the views expressed in this article are his own)