Forum Discussion

TTrautman_94620
Nimbostratus
Jun 19, 2009

Slowloris

Does anyone know how ASM would handle this recently posted Denial of Service attack:

http://ha.ckers.org/slowloris/

The concept is the client hogs sockets by slowly trickling http headers to keep the sockets from closing. Over time, it consumes enough sockets & resources to bring the server down...especially those that have threading.

Just curious how the ASM would react under these circumstances.

17 Replies

  • Thanks for the reply, Aaron.

    Now, I know what we can tell the potential ASM customer. :-)

  • Hi

    We have the same issue with the Slowloris attack and want to resolve it by using an HTTP profile on our LTMs. But what about HTTPS requests? I've heard that we will need to add SSL certificates together with the HTTP profile, otherwise HTTPS requests will be dropped. Is it true?

    And what about ports other than 80 or 443? Are they safe against a DoS attack?

    Thank you for your response

  • Lukas,

    I will answer your last question regarding ports other than 80 or 443. No, they are not safe against DoS; I can run a DoS attack against any port. 80 and 443 are the standard ports for HTTP and HTTPS, but I can run those protocols over any port I want to. I would not get caught up in the port number but rather what is running behind it.

    Mike

  • David_Holmes_9
    Historic F5 Account
    Lukas,

    To defend against Slowloris you only need to have an http profile attached to your virtual. This will cause BIG-IP to hold the connection until the headers are complete before sending on to the servers: since Slowloris never completes the headers, the Slowloris connection will never hit the server.

    We haven't seen any instances of Slowloris over SSL yet. Please let us know if you see that happening. If you do see a Slowloris/SSL attack, the defense is the same -- just make sure that your HTTPS virtual has an http profile (it probably already does).

    David
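David's point above is that the http profile makes the front end hold each connection until the request head is complete, so a connection that never finishes its headers never reaches a pool member. The Python model below is an added illustration of that header-completion gate; it is not F5 code and not part of this thread. The `HeaderGate` class, its `header_timeout` and `max_header_bytes` knobs, and the constructed client traffic in `simulate()` are assumptions made for the example.

```python
"""Model of a front-end header-completion gate (added example, not F5 code).

The gate buffers each client's request head and only marks the connection as
forwardable once the blank line that terminates the headers has arrived.  A
client that drips headers forever is held at the gate, bounded by a deadline and
a size cap, and is dropped without the back-end server ever seeing it.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

HEADER_END = b"\r\n\r\n"


@dataclass
class Conn:
    opened_at: float
    buf: bytearray = field(default_factory=bytearray)
    status: str = "pending"          # pending | forwarded | dropped
    reason: Optional[str] = None


class HeaderGate:
    # header_timeout and max_header_bytes are assumed tuning knobs for this model.
    def __init__(self, header_timeout: float = 10.0, max_header_bytes: int = 8192):
        self.header_timeout = header_timeout
        self.max_header_bytes = max_header_bytes
        self.conns: Dict[str, Conn] = {}

    def open(self, conn_id: str, now: float) -> None:
        self.conns[conn_id] = Conn(opened_at=now)

    def feed(self, conn_id: str, data: bytes, now: float) -> str:
        """Append bytes from the client and return the connection's new status."""
        c = self.conns[conn_id]
        if c.status != "pending":
            return c.status
        if now - c.opened_at > self.header_timeout:
            return self._drop(c, "header-timeout")
        c.buf += data
        if len(c.buf) > self.max_header_bytes:
            return self._drop(c, "header-too-large")
        if HEADER_END in c.buf:
            c.status = "forwarded"   # complete head: safe to hand to the pool
        return c.status

    def sweep(self, now: float) -> List[str]:
        """Reap connections that sat idle past the deadline without finishing headers."""
        dropped = []
        for cid, c in self.conns.items():
            if c.status == "pending" and now - c.opened_at > self.header_timeout:
                self._drop(c, "header-timeout")
                dropped.append(cid)
        return dropped

    def pending_count(self) -> int:
        return sum(1 for c in self.conns.values() if c.status == "pending")

    @staticmethod
    def _drop(c: Conn, reason: str) -> str:
        c.status, c.reason = "dropped", reason
        return c.status


def simulate() -> dict:
    """Constructed scenario: a normal browser request, a client that trickles one
    header line every 5 s and never sends the blank line, and a client that
    connects and sends nothing at all.  Timestamps are simulated seconds."""
    gate = HeaderGate(header_timeout=10.0)
    t = 0.0
    for cid in ("browser", "slow", "idle"):
        gate.open(cid, t)
    browser = gate.feed("browser", b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n", t)
    gate.feed("slow", b"GET / HTTP/1.1\r\nHost: example.test\r\n", t)
    slow_states = []
    for i in range(4):               # at 5, 10, 15 and 20 s: one more header line
        t += 5.0
        slow_states.append(gate.feed("slow", f"X-a: {i}\r\n".encode(), t))
    reaped = gate.sweep(t)
    return {
        "browser": browser,
        "slow_states": slow_states,
        "slow_reason": gate.conns["slow"].reason,
        "reaped_by_sweep": reaped,
        "still_pending": gate.pending_count(),
    }


if __name__ == "__main__":
    print(simulate())
```

The browser's connection is forwarded on its first read; the trickling client stays pending until the deadline passes and is then dropped on its next read, and the silent client is reaped by the periodic sweep. The gate itself still holds per-connection state, so the deadline and the size cap are what bound the cost on the front end; the thread does not name the corresponding BIG-IP settings, so none are claimed here.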
  • Mike, thanks for the advice. We will probably need to add an HTTP profile to all VIPs.

    David

    For now we are not using an HTTP profile, I don't know why. I will add it and test with the server group whether it's working for all services.

    Just one more question about HTTPS traffic. I've heard that the HTTP profile will drop HTTPS traffic without an SSL certificate. Is it true, or can I use the HTTP profile also under HTTPS VIPs without any issues?

  • David_Holmes_9
    Historic F5 Account
    Lukas,

    Are you load-balancing a mix of HTTP and HTTPS traffic through your virtual? Typically one would have HTTP traffic going to one virtual (80 for example) and HTTPS traffic to another (on port 443 for example). Both would still use the http profile. However, if you are indeed handling a mix of traffic through a single virtual then you can still accomplish what you want (slowloris protection) but it will require some iRule action (to turn off the https profile for connections that don't need it).

    Hope this helps.
  • David,

    I am load-balancing a mix of HTTP and HTTPS traffic, but not through one virtual. We are using many virtuals, each load-balancing just one port (e.g. 80, 443, etc.).

    I've been told that I can use the http profile for each HTTP (80) virtual and that HTTPS (443) virtuals should not be running without an SSL certificate. That's why I am asking if it's OK to use it also for HTTPS (443) virtuals as well as for HTTP/HTTPS virtuals running on "uncommon" ports.