Apache DoS Tool – First of a New Wave?

If you are familiar with security issues for Internet servers, you know what a Denial of Service (DoS) attack is, and that there is no absolute defense against DoS attacks.  There are plenty of ways to mitigate the risks.  With just a few mitigating tactics, the biggest threat that remains is usually from Distributed Denial of Service (DDoS) attacks, where it is a game of sheer numbers.

Wednesday, a tool was released that changes that for servers running Apache, Squid or any one of several other HTTP servers and proxies.  This tool is able to bring down these servers by forcing them to open a large number of processes and keep the connections open using only a minimal amount of bandwidth.  This means that an attacker with a low-bandwidth connection may be able to bring down a server on a much higher-bandwidth connection.  A distributed attack using this technique could be absolutely devastating, even to larger server farms.

The attack is very simple, much like many other DoS attacks.  Unfortunately, there are very few mitigation techniques known at this time, and like other DoS defenses, many of these techniques require balancing security and accessibility.  Looking at this attack, I can imagine small variations that could potentially affect any HTTP server.  I do not mean to cause alarm, but I strongly suspect we will see many more attacks like this one targeted at the major HTTP servers and able to bring down those servers with far fewer resources than attackers currently need to pull off a successful assault.  Similar attacks may also be possible against other types of servers, such as mail servers or remote administration servers.

If you are interested in testing against your own servers, you can find the tool at:

http://ha.ckers.org/slowloris/

More discussion can be found at the SANS Internet Storm Center:

http://isc.sans.org/diary.html?storyid=6601

http://isc.sans.org/diary.html?storyid=6613