https://www.owasp.org/images/0/04/Roberto_Suggi_Liverani_OWASPNZDAY2010-Defending_against_application_DoS.pdf
Slowloris
http://www.huffingtonpost.co.uk/-frontier/slow-loris_b_8541930.html
- Consumes all the threads.
- Change HTTP headers to simulate multiple connections/browsers
- Exhaust all threads available
HTTP POST DoS
- No delay in sending HTTP headers (!= Slowloris)
- Content-Length = bytes
- HTTP message body is sent 1 byte seconds till the last byte
- Require a good number of threads per each machine
  - <10k connections to bring down Apache
  - ~60k connections for IIS (if Rapid Fail Protection is on)
HTTP Flooders / DDoS attack
- Most common L7 attack
- Typically launched from botnets
- Black Energy botnet C&C interface: frequencies, thread and command option

Apache
- Key directives: MaxClients, Timeout, KeepAlive and KeepAliveTimeout
- Traffic shaping:
  - mod_throttle - limit the frequency of requests allowed from a single client within a window of time
  - mod_bwshare - bandwidth throttling by HTTP client IP address
  - mod_limitipconn - limit the number of simultaneous downloads permitted from a single IP address
  - mod_dosevasive - detects too many connections and temporarily blocks the offending IP address
  - mod_security - WAF, filtering, monitoring, logging
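
The notes above separate slow headers (Slowloris), a slow request body (HTTP POST DoS) and too many simultaneous connections from one IP. This added example is not from the slides: it tells those three patterns apart in a snapshot of open connections. The record layout, thresholds and sample data are assumptions constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass

# Thresholds are assumptions for illustration, not values from the slides.
HEADER_DEADLINE = 10.0   # seconds a client gets to finish sending headers
MIN_BODY_RATE = 50.0     # bytes/second below which a body counts as slow
MAX_CONN_PER_IP = 20     # simultaneous connections allowed per client IP

@dataclass
class Conn:
    ip: str
    age: float            # seconds since the connection was accepted
    headers_done: bool    # True once the blank line ending the headers arrived
    content_length: int   # declared Content-Length (0 if none)
    body_received: int    # body bytes received so far

def classify(conn):
    """Return 'slow-headers', 'slow-body' or 'ok' for one open connection."""
    if not conn.headers_done:
        # Slowloris pattern: the request headers are never completed.
        return "slow-headers" if conn.age > HEADER_DEADLINE else "ok"
    remaining = conn.content_length - conn.body_received
    # HTTP POST DoS pattern: headers arrived at once, the body trickles in.
    # Connection age approximates body transfer time since headers were fast.
    if remaining > 0 and conn.age > HEADER_DEADLINE:
        if conn.body_received / conn.age < MIN_BODY_RATE:
            return "slow-body"
    return "ok"

def review(conns):
    """Map each client IP to the set of reasons it should be throttled."""
    findings = {}
    for c in conns:
        verdict = classify(c)
        if verdict != "ok":
            findings.setdefault(c.ip, set()).add(verdict)
    # Per-IP connection cap, the kind of limit mod_limitipconn enforces.
    for ip, n in Counter(c.ip for c in conns).items():
        if n > MAX_CONN_PER_IP:
            findings.setdefault(ip, set()).add("too-many-connections")
    return findings

# Constructed snapshot using documentation address ranges, not real traffic.
SAMPLE = (
    [Conn("192.0.2.10", 45.0, False, 0, 0)]            # headers never finished
    + [Conn("198.51.100.7", 120.0, True, 1000, 2)]     # body trickling in
    + [Conn("203.0.113.5", 1.5, True, 0, 0)] * 25      # many parallel connections
    + [Conn("192.0.2.99", 12.0, True, 50000, 48000)]   # ordinary upload
)

if __name__ == "__main__":
    for ip, reasons in sorted(review(SAMPLE).items()):
        print(ip, sorted(reasons))
```
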
Web Server Low Bandwidth DoS attack