dark mode light mode Search Menu
Search

Slow Loris

Vladimir Buynevich on Flickr

A slow loris is a tiny, fuzzy primate with adorable giant eyes — and venomous saliva! Like its namesake, the Slowloris attack is slow and sneaky, with a nasty bite. It’s one of many kinds of denial-of-service (DoS) attacks.

WHAT’S A DENIAL-OF-SERVICE ATTACK?

A traditional DoS attack shuts down a server by spamming it with so much data that the server crashes, or becomes too overwhelmed to respond to legitimate clients. Picture the server as a fast-food restaurant: people line up, order food, and leave. Some sit down at tables to enjoy their meal while others take it to go. When you visit a website, you’re placing an order. You request data and the server asks you questions in a back and forth conversation until you finish your requests.

Like a restaurant, a server has limited capacity. In this case, the precious resource is bandwidth, the amount of data that can be sent per second. Every internet connection, including your own, comes with its own limited bandwidth, which is why it takes longer to download large videos than small text webpages. Often, you can pay extra money to upgrade your bandwidth, so companies with commercial servers buy enough to deal with a typical amount of website traffic.

Now let’s say you’re a hacker, and one of your rivals owns a burger joint. You want your rival to suffer, so you create a horde of fake clients and send them to the restaurant. Your goons place fake order after fake order — not paying for anything, obviously! — and take up all the space in the restaurant so that real customers can’t get in. The restaurant gets so cluttered and messy that it has to temporarily shut down.

Congrats — you just “DoSed” your rival.

Obviously, it’s easier to overwhelm a small mom & pop shop than a giant chain restaurant. Your capacity to do DoS attack is also limited by your bandwidth, the number of fake clients and requests you can make.

The infamous cousin of the DoS attack is the DDoS attack: distributed denial-of-service. Here, multiple computers spam a server with fake requests and together the devices have a lot more bandwidth and can be a lot more destructive. Hackers can also install malware onto a computer to transform them into “zombies” that can be activated to participate in a DDoS attack against the owner’s will. So make sure you keep your antivirus and your anti-malware programs up to date!

BACK TO THE SLOW LORIS

Unlike a traditional DoS attack, the Slowloris uses finesse over brute force.

Most websites use the TCP protocol. When they take a client’s request, they make a dedicated connection and keep it active until the client confirms that they’re done. It’s sort of like a phone call, where you can only talk to one person at a time. The main alternative to TCP is UDP, which is more like texting: data can arrive from multiple sources at the same time, in small bursts, and it’s easy to start and stop.

To end a TCP connection, the server must receive a particular set of characters, such as two newline characters. Most TCP connections also have a timeout. If they don’t receive any data within a specified time frame — maybe thirty seconds — they close the connection regardless. Since websites must create a new TCP socket for each client, there’s a limited number of connections they can make.

When you’re doing a Slowloris attack, you never send those two newline characters. Instead, you keep the connection alive, and just before it times out, you send a tiny piece of data — maybe a bite or two — to prevent it from closing. It’s the network equivalent of poking someone just before they drift off to sleep. And if you manage to hog all the TCP sockets, then you effectively prevent any legitimate clients from connecting. Best of all, you use barely any of your own bandwidth.

Going back to the restaurant analogy, instead of sending legions of fake clients, the Slowloris only sends a handful. But these clients are slow. They spent minute after minute deliberating their food choices, until all the customers behind them give up and leave.

WHY BOTHER?

During the 2000s, and even today, DoS attacks were used to ransom companies. Hackers threatened to take down websites and prevent people from making money if they refused to pay up.

You definitely shouldn’t be using a DoS attack on anyone, friend or foe. But it’s important to understand how they work, so we can understand how to defend against them. Cybersecurity is all about staying one step ahead of hackers.

Learn More

Slow Loris – Rethinking DoS Attacks

https://medium.com/front-end-weekly/slow-loris-rethinking-dos-attacks-bd1ca5091bfe

Computerphile: Slow Loris Attack

https://www.youtube.com/watch?v=XiFkyR35v2Y

Computerphile: Denial of service attacks

https://www.youtube.com/watch?v=BcDZS7iYNsA

What is a Slowloris attack

https://en.wikipedia.org/wiki/Slowloris_(computer_security)

Internet protocols

https://kids.kiddle.co/Internet_protocol_suite

Denial of Service Attacks

https://www.us-cert.gov/ncas/tips/ST04-015

DoS and DDoS Attacks

https://www.cybrary.it/2018/07/types-of-dos-and-ddos-attacks/