New Slow Motion DoS Attack with Little Fear of Detection

January 9, 2012, By Sanjeev Ramachandran

Now there is another form of the well-known DoS attack. This one could be used to essentially shut down websites from a single computer with little fear of detection.

It was Qualys Security Labs researcher Sergey Shekyan who brought this to light by creating a proof-of-concept tool. The attack exploits the nature of the Internet’s Transmission Control Protocol (TCP), forcing the target server to keep a network connection open by performing a slow read of the server’s responses.

Slow Read sends a full request to the server, and then holds up the server’s response by reading it very slowly from the buffer. It relies on a known weakness in the TCP protocol: a malicious receiver can cause a sender to consume resources by advertising a zero receive window and acknowledging the sender’s window probes, which prevents the targeted service or system from handling legitimate connections.

The attacker could use TCP’s window size field, which controls the flow of data, to slow the transmission to a crawl. The server will keep polling the connection to see if the attacker is ready for more data, clogging up memory with unsent data.

A number of simultaneous attacks of this nature would leave the server with no resources to connect to legitimate users. The Slow Read attack, which is now part of Shekyan’s open-source slowhttptest tool, is different from the previous slow attacks such as the infamous Slowloris, which clogs up Web servers’ network ports by making partial HTTP requests, continuing to send pieces of a page request at intervals to prevent the connection from being dropped by the Web server.

Shekyan said this type of attack could be prevented by setting up rules in the Web server’s configuration that refuse connections from clients with abnormally small data window settings, and limiting the lifetime of an individual request.
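To make the two mitigations concrete, here is an added example (not code from Shekyan’s slowhttptest tool or from Qualys) that evaluates a snapshot of per-connection state the way a server-side watchdog could: it refuses peers advertising an abnormally small receive window, caps the lifetime of a single response, and flags connections that hold unsent response data while acknowledging it at a crawl. The `Conn` and `Policy` types, the thresholds, and the sample snapshot are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Conn:
    """Per-connection facts a server or reverse proxy can observe (assumed fields)."""
    conn_id: int
    advertised_window: int   # bytes the peer says it can receive (TCP rwnd)
    started_at: float        # seconds: when the server began sending the response
    bytes_pending: int       # response bytes still waiting in the send buffer
    bytes_sent: int          # response bytes the peer has acknowledged so far

@dataclass
class Policy:
    """Constructed thresholds; tune them to real client populations."""
    min_window: int = 1024             # refuse peers advertising a tiny window
    max_response_lifetime: float = 30.0  # seconds one response may take in total
    min_rate: float = 1000.0           # bytes/s below which a transfer is a crawl

def classify(conn: Conn, now: float, policy: Policy) -> str:
    """Return 'ok' or a 'close:<reason>' verdict for one connection."""
    if conn.advertised_window < policy.min_window:
        return "close:small_window"
    age = now - conn.started_at
    if age > policy.max_response_lifetime:
        return "close:lifetime_exceeded"
    # Only judge the rate once the response is at least a second old and the
    # server still has data the peer is not taking (a finished response is fine).
    if age >= 1.0 and conn.bytes_pending > 0 and conn.bytes_sent / age < policy.min_rate:
        return "close:slow_read"
    return "ok"

def evaluate(conns, now: float, policy: Policy) -> dict:
    """Map each connection id to its verdict for a snapshot taken at time `now`."""
    return {c.conn_id: classify(c, now, policy) for c in conns}

# Constructed snapshot of four connections, taken at t = 20 s.
SAMPLE = [
    Conn(1, advertised_window=65535, started_at=18.0, bytes_pending=0, bytes_sent=200_000),
    Conn(2, advertised_window=0, started_at=5.0, bytes_pending=64_000, bytes_sent=400),
    Conn(3, advertised_window=32768, started_at=2.0, bytes_pending=60_000, bytes_sent=2_000),
    Conn(4, advertised_window=65535, started_at=-15.0, bytes_pending=10_000, bytes_sent=90_000),
]

if __name__ == "__main__":
    for cid, verdict in evaluate(SAMPLE, 20.0, Policy()).items():
        print(f"conn {cid}: {verdict}")
```

Connection 1 is healthy, 2 is the zero-window case from the article, 3 is reading at roughly 110 bytes/s with data still queued, and 4 has simply been open too long.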

