Forum Discussion
Slowloris
TTrautman_94620
Nimbostratus
Jun 19, 2009
Does any know how ASM would handle this recently posted Denial of Service attack:
http://ha.ckers.org/slowloris/
The concept is the client hogs sockets by slowly trickling http headers to keep the sockets from closing. Over time, it consumes enough sockets & resources to bring the server down...especially those that have threading.
Just curious how the ASM would react under these circumstances.
17 Replies
- Benjamin_9036
Historic F5 Account
Heya,
I spent some time testing this yesterday, in fact. Since the ASM acts as a full proxy, the connections are never opened to the pool members. Watching Slowloris traffic on the wire showed that it consumed threads by sending a POST with a Content-Length that it never fulfilled. Since ASM doesn't open a connection to the servers until it has received, parsed, and approved the request (based on the security policy), and Slowloris never completes its request, the ASM never opens a connection to the servers. Since the point of Slowloris is not simply to DoS by volume (the default number of sockets is only 500), this should probably not cause any problems.
// Ben
- KAi_3066
Nimbostratus
Today I tested, too - up to 1000 SSL connections to the VS and everything is fine.
Monday I'll try with more than just one client.
Phion Airlock crashed in a couple of Seconds :-/
//KAi
- KAi_3066
Nimbostratus
Tested with 8k Slowloris sessions (8 clients à 1k sessions) - everything fine with BIP 6400.
- James_Yang_9981
Altostratus
Will this fill up ASM's own memory or connection table?
- Benjamin_9036
Historic F5 Account
This shouldn't happen in most circumstances. The principle behind Slowloris is to remain fairly low profile on the wire. It would only take ~600 connections and a very negligible amount of bandwidth to affect one of the threaded web servers that is vulnerable to this, which should be little more than a drop in the proverbial bucket for the ASM devices. Even when the volume is increased, nearing more of a 'DoS-by-volume' than a 'Slowloris' type attack, the network layer on the ASM and LTM uses a handful of methods to control this type of attack (SYN cookies, aggressive connection reaping, et cetera). Though when the volume is increased, this truly becomes a traditional DoS attack, using simple volume in an attempt to overwhelm, rather than the more targeted and light-on-the-wire approach that the 'Slowloris' method uses.
// Ben
- TTrautman_94620
Nimbostratus
Thanks for the testing updates!
- Wong_Onn_Chee_6
Nimbostratus
Can this attack be mitigated by ASM alone without any help from LTM?
When I brought this up to Alfredo today, it was for the purpose of articulating the value of ASM to customers.
Does anyone know whether other WAFs such as Imperva can protect against this?
Thanks.
- hoolio
Cirrostratus
LTM on its own (and ASM standalone) can protect against the slow header attack as a VIP with an HTTP profile buffers the HTTP request headers before opening a new or using an existing serverside TCP connection. ASM provides an even higher level of protection in that it buffers the HTTP headers and payload before sending the request to the servers.
As far as I'm aware, Imperva (at least in a transparent bridge mode), cannot provide full protection against the attack. They do not buffer the request headers, so the best they can do is send a TCP reset to the server if/once they detect the symptoms of an attack (for example, more than X number of headers sent in a request). The TCP connection would already be established to the server though. I don't know whether they can handle it better in reverse proxy mode--though considering they recommend the reverse proxy configuration only in a small percentage of implementations it might be a moot point.
I'm not sure about the other major WAFs on the market. I'd expect most reverse proxy load balancers and reverse proxy WAFs could be configured to protect against this type of attack.
Does anyone else have corrections/additions to this?
Aaron
- Wong_Onn_Chee_6
Nimbostratus
Thanks for the prompt response, Aaron.
One question: without LTM, will ASM be "DoS"ed by this Slowloris attack?
I understand that ASM is shielding the actual web server from these malicious connections, but is the problem now transferred to ASM?
Hope to hear from you soon.
Many thanks.
Onn Chee
- hoolio
Cirrostratus
Hi Onn Chee,
Ben stated above in this thread that he tested Slowloris against a vulnerable web server being protected by ASM and saw no issues with ASM and no connections opened to the web server. You could try it as well to confirm. Again, you should see no problems just by adding an HTTP profile to a VIP, let alone using ASM.
Aaron
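Ben and Aaron describe the same defence in this thread: a full proxy completes the client's request in its own buffer and only then opens (or reuses) a server-side connection, so a trickled header or a POST whose Content-Length is never fulfilled ties up a proxy buffer and a timer rather than a server thread. The Python below is an added illustration of that buffering logic; it is not F5 code and not from anyone in this thread. The 30-second header deadline, the 16 KB header cap, the ClientConn record and the three sample requests are all constructed for the example.

```python
"""Full-proxy request buffering: forward only once the request is complete.

A full proxy completes the client-side request in its own buffer before it
opens any server-side connection. A slow-header client therefore occupies a
proxy buffer and a deadline timer, never a pool member's socket or thread.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

HEADER_END = b"\r\n\r\n"
HEADER_DEADLINE_S = 30.0       # constructed policy value: time allowed to finish a request
MAX_HEADER_BYTES = 16 * 1024   # constructed policy value: cap on unterminated header bytes


@dataclass
class ClientConn:
    """Per-client-connection state held by the proxy (constructed for the example)."""
    conn_id: str
    opened_at: float
    buf: bytearray = field(default_factory=bytearray)
    last_byte_at: float = 0.0
    server_conn_opened: bool = False


def request_complete(buf: bytes) -> bool:
    """True once the headers are terminated and any declared body has fully arrived."""
    end = buf.find(HEADER_END)
    if end < 0:
        return False                      # still waiting for the blank line
    head = buf[:end]
    m = re.search(rb"(?im)^content-length:\s*(\d+)\s*$", head)
    body_len = int(m.group(1)) if m else 0
    received_body = len(buf) - (end + len(HEADER_END))
    return received_body >= body_len      # an unfulfilled Content-Length keeps us buffering


def feed(conn: ClientConn, data: bytes, now: float) -> Optional[str]:
    """Append client bytes; return 'forward', 'reject' or None (still buffering)."""
    conn.buf += data
    conn.last_byte_at = now
    if HEADER_END not in conn.buf and len(conn.buf) > MAX_HEADER_BYTES:
        return "reject"                   # endless-header variant: cap the buffer
    if request_complete(bytes(conn.buf)):
        conn.server_conn_opened = True    # only now would a pool member be contacted
        return "forward"
    return None


def reap_overdue(conns, now: float, deadline: float = HEADER_DEADLINE_S):
    """Ids of connections whose request is still incomplete past the deadline.

    Measured from connection open, not from the last byte: a trickling client
    keeps an idle timer alive but cannot extend an absolute deadline.
    """
    return [c.conn_id for c in conns
            if not c.server_conn_opened and now - c.opened_at > deadline]


def simulate():
    """Constructed traffic: one normal client, one slow-header client, one half-sent POST."""
    normal = ClientConn("normal", opened_at=0.0)
    slow = ClientConn("slow", opened_at=0.0)
    post = ClientConn("post", opened_at=0.0)

    # Normal client: complete request in one segment, forwarded immediately.
    normal_result = feed(normal, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n", 0.1)

    # Slow client: one header line every few seconds, never the blank line.
    slow_chunks = [(b"GET / HTTP/1.1\r\n", 0.2),
                   (b"Host: example.test\r\n", 10.0),
                   (b"X-a: b\r\n", 25.0)]
    slow_results = [feed(slow, data, t) for data, t in slow_chunks]

    # POST with a Content-Length that is never fulfilled (the variant Ben saw on the wire).
    post_result = feed(post, b"POST /login HTTP/1.1\r\nHost: example.test\r\n"
                             b"Content-Length: 100\r\n\r\nuser=", 0.3)

    reaped = reap_overdue([normal, slow, post], now=40.0)
    return {
        "normal": normal_result,
        "slow_results": slow_results,
        "post": post_result,
        "server_conns_opened": [c.conn_id for c in (normal, slow, post) if c.server_conn_opened],
        "reaped": reaped,
    }


if __name__ == "__main__":
    print(simulate())
```

The design point is in `reap_overdue`: Slowloris keeps each connection alive by sending a byte before an idle timer fires, so the proxy measures its deadline from when the connection was opened rather than from the last byte received. Neither the slow client nor the half-sent POST ever causes `server_conn_opened` to become true, which is the "no connections opened to the web server" result Ben reported.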