Can Your Web Server Be Toppled with a Single Command?

Denial of Service

Another well-known web server attack that this iptables solution unfortunately won't mitigate is the once massively prevalent SlowLoris attack. When this nefarious piece of code first appeared on the Internet, it brought with it a frightening new proposition for systems administrators. In the same vein as our Apache ab attack, the massively destructive tool SlowLoris (which describes itself as "the low bandwidth, yet greedy and poisonous HTTP client") gives the attacker the means to topple a web server from one machine, using only a very small amount of bandwidth. It does this by opening many connections and sending each HTTP request header a fragment at a time, never quite finishing it, so the server keeps every one of those half-finished requests open while it waits for the rest. On a server that dedicates a process or thread to each connection (Apache's prefork MPM, for instance), the pool of workers is soon fully occupied by requests that will never complete, and legitimate visitors are turned away.

This is unusual compared with other DoS attacks, which tend to consume the target machine's bandwidth completely (filling its connection to the Internet with unwanted traffic). Here the pipe stays almost empty; it is the server's connection slots that run out. There is still no single fix for the SlowLoris problem, but I'm sure you'll be glad to know that there are at least some methods you can introduce to mitigate its effects (Apache's own mod_reqtimeout module, shipped since version 2.2.15, exists precisely to enforce the header and body timeouts discussed below).

The first workaround, which won't help against a Distributed DoS attack (because such traffic originates from many IP addresses rather than just one), is to place a limit on the number of connections that a single IP address may hold open at any one time. Apparently (and somewhat counter-intuitively) you can also gain some benefit by insisting that your visitors don't use too little bandwidth per connection: in other words, the server enforces a minimum data rate, and a client that trickles in its request headers more slowly than that rate is cut off. Think along the lines of many thousands of peppered attack packets being sent to your server, each one keeping a connection alive with a few bytes, and you should get the idea. Strangely, low-bandwidth connections from your visitors are not welcome in this scenario (usually bandwidth is one of your most precious and treasured finite resources).

Another way of limiting the effects of such an attack is to lower the amount of time a visitor's IP address can stay connected to the web server without completing its request. Imagine a partial connection replicated thousands (or hundreds of thousands) of times, leaving resources hanging and unavailable on your Apache server. If those connections time out sooner, your resources will clearly be freed sooner too.
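The three mitigations just described (a per-address connection cap, a minimum request rate, and a shorter timeout) as one script, added here as an illustration and not taken from the original article. The iptables connlimit rule caps simultaneous connections from a single address; the Apache directives use mod_reqtimeout to require the client to finish its headers and body at a minimum rate, and lower the idle Timeout (300 seconds by default in Apache 2.2, 60 in 2.4). The port, the cap of 20 connections, the 500 bytes/second rate and the 30 second timeout are assumed values to be tuned for your own traffic, and the script only prints what it would do unless you pass "apply" as root:

```shell
#!/bin/sh
# Added example: SlowLoris mitigation for an Apache host (not from the
# original article). All numeric values are assumptions; tune them.

PORT=80
MAX_CONN_PER_IP=20   # assumption: a normal browser opens far fewer than 20
CONN_MASK=32         # /32 = count connections per single IPv4 address

# Emit the iptables rule that resets new TCP connections to $PORT once a
# single source address already holds more than $MAX_CONN_PER_IP of them.
# This does nothing against a distributed attack spread over many addresses.
connlimit_rule() {
    printf 'iptables -I INPUT -p tcp --syn --dport %s -m connlimit --connlimit-above %s --connlimit-mask %s -j REJECT --reject-with tcp-reset\n' \
        "$PORT" "$MAX_CONN_PER_IP" "$CONN_MASK"
}

# Emit the Apache directives. mod_reqtimeout (a2enmod reqtimeout on Debian
# derivatives) is the module that enforces a minimum request rate:
#   header=20-40,MinRate=500  give the client 20 s to send the headers,
#                             extended up to 40 s as long as it keeps
#                             sending at least 500 bytes/s
#   body=20,MinRate=500       the same rule for the request body
# Timeout is the idle limit on an established connection.
apache_slowloris_conf() {
    cat <<'EOF'
RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
Timeout 30
KeepAliveTimeout 5
EOF
}

case "${1:-show}" in
    apply)
        if [ "$(id -u)" -ne 0 ]; then
            echo "apply requires root" >&2
            exit 1
        fi
        eval "$(connlimit_rule)"
        echo "Add the following to your Apache configuration and reload:"
        apache_slowloris_conf
        ;;
    *)
        # Dry run: show the rule and the config without changing anything.
        connlimit_rule
        apache_slowloris_conf
        ;;
esac
```

Before enabling the connlimit rule, check how many connections a busy legitimate source such as a large office behind a single NAT address typically opens to you (the output of `ss -tn state established '( sport = :80 )'` grouped by peer address is a quick way to see this); a cap that is too low will reject real visitors, which is the very outcome the attacker was after.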

You'll find much more information on SlowLoris at the worryingly entitled website: http://ha.ckers.org/slowloris.

Conclusion

Readers in the know are aware of the vast number and varied types of Denial of Service (DoS) and Distributed DoS attacks in the wild on the Internet. Amongst those attacks are several designed specifically to knock over web servers, so the life-saving solution of a smart iptables configuration is no silver bullet for Apache. However, most would agree that this approach is generic enough to blunt a variety of traffic flooding attacks.

You can, of course, apply these rate-limiting rules to any port number on your server, but proceed with caution and don't lock yourself out of remote access by accident if you decide to experiment with the ruleset (keeping a second SSH session open while you test is cheap insurance).

What I enjoy the most about solutions such as this one is their simplicity and their desirable efficacy. In this case, the ruleset makes for a lighter load on your servers without requiring you to spend a small fortune -- and you'll sleep better at night.
