Slow Read Attack (and Others)

Today (3-30-12) @RukshanR pointed out this tool to me:

slowhttptest - Application Layer DoS attack simulator

I loaded it in a BackTrack 5 VM and attacked a test server.

I found that this tool did not render the server unavailable with the settings in the man page, but it did consume a lot of resources.

The surprise to me was that CloudFlare did not protect me. My overall security level at CloudFlare is "Low", however. Higher settings may provide more protection.

Update April 4, 2012

I demonstrated this attack to a class yesterday, and CloudFlare protected me! I just repeated it and captured this image:

Without CloudFlare, this attack renders my server completely unavailable within ten seconds, but with CloudFlare it only consumes a few connections and stays up.

Fast work by CloudFlare!

Update (March 30, 2012): Testing Other Attacks

I decided to try some other attacks with the same tool. Images are below, but here are my results:

Slow Read Attack

Here was my server-status before the attack:

Here is the status a few seconds into a slow read attack, unprotected by CloudFlare:

After the attack, a lot of processes remain busy for a long time, so I restarted Apache to clear them.

Here is the status a few seconds into the attack, using a URL that is being protected by CloudFlare.

As you can see, CloudFlare did not protect my server from this attack.

Range Header Attack

This attack made the server unavailable, so I cancelled the attack to make the server-status page visible.

Here is the status after a few seconds of Range Header attack, unprotected by CloudFlare. As you can see, there are 149 requests being processed, of a possible 150. This attack is making the server completely unavailable.

I restarted Apache, and ran the same attack directed to a URL protected by CloudFlare.

The server remained available, so I captured this image during the attack. CloudFlare is providing good protection from the attack--only 24 requests are being processed.

Slow Post Attack

This attack made the server unavailable, but when I cancelled and reloaded the page, I was lucky enough to get an open connection so I could see the status during the attack:

As you can see, there are 150 requests being processed, of a possible 150. This attack is making the server completely unavailable.

I stopped the attack, restarted Apache, and ran the same attack directed to a URL protected by CloudFlare.

The server remained available, so I captured this image during the attack. CloudFlare is providing good protection from the attack--only 9 requests are being processed.

Slow Loris Attack

By refreshing the server-status page often, I was able to keep that connection alive during the attack.

After about 20 seconds, the attack consumed all 150 requests:

I stopped the attack, restarted Apache, and ran the same attack directed to a URL protected by CloudFlare.

The server remained available, so I captured this image during the attack. CloudFlare is providing good protection from the attack--only 9 requests are being processed.
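An added example, not from the original post: a monitoring check that parses the machine-readable form of Apache's status page (`/server-status?auto`) and flags the worker saturation described in the sections above. The 150-worker limit comes from the post; the sample status text is constructed, and the function names and the 90% threshold are assumptions.

```python
# Scoreboard characters from Apache mod_status: '.' is an open slot with no
# process and '_' is an idle worker; every other character is a busy worker.
NOT_BUSY = {"_", "."}

def parse_status(text):
    """Parse the 'Key: value' lines of a mod_status ?auto response."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def assess(text, max_workers=150, threshold=0.9):
    """Return (busy, dominant_state, verdict) for one status sample.

    max_workers=150 matches the limit reported in the post; threshold is an
    assumed alerting level, not a value from the post.
    """
    fields = parse_status(text)
    board = fields.get("Scoreboard", "")
    counts = {}
    for state in board:
        if state not in NOT_BUSY:
            counts[state] = counts.get(state, 0) + 1
    # Prefer the server's own counter; fall back to counting the scoreboard.
    busy = int(fields.get("BusyWorkers", sum(counts.values())))
    dominant = max(counts, key=counts.get) if counts else None
    if busy < threshold * max_workers:
        return busy, dominant, "ok"
    # Heuristic: 'R' means the worker is still waiting for the request to
    # arrive (incomplete headers, as Slowloris sends, hold workers here);
    # 'W' means the request was read and a reply is in progress (a client
    # that reads the response slowly holds workers here).
    if dominant == "R":
        return busy, dominant, "saturated: workers stuck reading requests"
    if dominant == "W":
        return busy, dominant, "saturated: workers stuck sending replies"
    return busy, dominant, "saturated"

# Constructed samples, not captured from the author's server.
SAMPLE_IDLE = "BusyWorkers: 1\nIdleWorkers: 9\nScoreboard: W_________" + "." * 140
SAMPLE_SLOWLORIS = "BusyWorkers: 149\nIdleWorkers: 1\nScoreboard: " + "R" * 148 + "W_"
SAMPLE_SLOW_READ = "BusyWorkers: 150\nIdleWorkers: 0\nScoreboard: " + "W" * 145 + "RRRKK"

if __name__ == "__main__":
    for name in ("SAMPLE_IDLE", "SAMPLE_SLOWLORIS", "SAMPLE_SLOW_READ"):
        print(name, assess(globals()[name]))
```

Polling the status page from localhost on a short interval and alerting on a "saturated" verdict gives the same signal the screenshots show, without depending on a free worker to serve a browser request from outside.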


Last modified 9:36 am 4-4-12 by Sam Bowne