Slow connection attack

Attack, the first response is a huge amount of traffic, a huge amount of messages. But there is a kind of attack but the opposite, is known as slow, so that some attack targets were killed did not know how to die, this is a slow connection attack.

Slowhttptest is a slow attack on the server test software, including several attack methods, such as Slowloris, Slowhttp POST, Slow Read attack and so on.

All in all, the tool works by trying to get the server to wait, consuming resources when the server is waiting for the connection to be maintained.

1, the most representative is Rsnake invented the Slowloris, also known as slow headers.

"Principle of attack"

The HTTP protocol specifies that the HTTP request ends with \r\n\r\n (0D0A0D0A) and the client sends the end, and the server begins processing. So, what happens if you never send \r\n\r\n. Slowloris is using this to do DDoS attacks. An attacker setting connection to keep-alive in the HTTP request header requires Web server to keep the TCP connection from disconnecting, and then slowly sends a Key-value formatted data to the server, such as a:b\r\n, every few minutes. Causes the server to assume that the HTTP header is not receiving completion and waits. If an attacker uses multithreading or a puppet machine to do the same thing, the server's Web container is quickly filled with TCP connections and no longer accepting new requests.

"Tools Demo"

Use Wireshark to grab a packet to see the HTTP request header has a random key-value key value pair, as shown in the red circle below, and the HTTP request header end is incomplete, is "0d 0a"

If the HTTP request header is normal and the end is "0d0a 0d 0a", the normal end client request is shown in the following figure

2, Slowloris variant--slow HTTP POST, also known as Slow body.  

"Principle of attack"

In the post submission mode, Content-length is allowed to be declared in the header of HTTP, which is the length of the post content.

After the header is submitted, the body part of the back is stuck, then the server after receiving the post length, will wait for the client to send post content, the attacker remains connected and at the speed of 10s-100s a byte to send, to achieve the effect of consumption of resources, Therefore, the constant increase of such links, will make the resources of the server is consumed, the last possible downtime.

"Tools Demo"

With the Wireshark grab bag you can see that the header end is normal "0d 0a 0d 0a", but the Content-length field is set to a very large value of 8192, Instead of sending complete post data in a package, a random key-value key-value pair is sent at 100 seconds each interval.

3. Slow Read attack

"Principle of attack"

By adjusting the size of the sliding window in the TCP protocol, the server can control the size of a single-send data, so that the server needs to send a response into a number of packets. To make this attack more obvious, ask for as much resources as possible.

"Tools Demo"

With Wireshark, the client windowssize is deliberately set to 1152 bytes when the a.wmv resource is requested (more than 9M in size). After the client buffers are filled with data from the server, a [TCP Zerowindow] Alarm is issued, forcing the service side to wait.

The server can no longer be accessed after the various slow-speed attacks