Posts Tagged ‘dos’

Defend Against Slowloris with HAProxy

Monday, September 21st, 2009

Slowloris (and any DoS tool with a similar intent) is designed to tie up all the available connections on an Apache server without needing a massive network of hosts to flood the target. The concept is best described by the Slowloris developer –

In considering the ramifications of a slow denial of service attack against particular services, rather than flooding networks, a concept emerged that would allow a single machine to take down another machine’s web server with minimal bandwidth and side effects on unrelated services and ports. The ideal situation for many denial of service attacks is where all other services remain intact but the webserver itself is completely inaccessible. Slowloris was born from this concept, and is therefore relatively very stealthy compared to most flooding tools.

The concept is simple – Slowloris sends partial HTTP requests to Apache and keeps sending headers on those connections so that they are never completed, never closed and never time out. It keeps opening more connections until all of the server’s available sockets are in use, effectively denying service to the host. Because the requests are real HTTP requests and keep receiving data, this is a particularly dangerous attack that can be hard to protect against.

This is where HAProxy really shines. In a post on the HAProxy site they explain how HAProxy deals with such an attack. The first thing to note is that HAProxy only forwards complete HTTP requests – meaning any incomplete request never reaches your server in the first place!

While Apache needs a new thread to process each incoming connection, HAProxy needs only 16-32 kB of memory per connection, so it can scale far beyond what your Apache server (or farm) can most likely achieve. On top of that, you can add a timeout specifically for HTTP requests, allowing HAProxy to kill off any request that never finishes (see “timeout http-request”).
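As an added illustration (not the configuration HAProxy published, which is linked at the end of this post), here is the shape of a frontend that applies the two points above: only complete requests reach Apache, and a header-dribbling client is cut off by `timeout http-request`. The backend addresses, the 10-second value and the per-server limits are assumptions chosen for the example.

```haproxy
# Added example, not HAProxy's own published config. Directive names are
# real HAProxy directives; addresses and values are constructed.
global
    maxconn 20000          # idle sockets are cheap for HAProxy, unlike Apache threads

defaults
    mode http
    option httplog
    timeout connect 5s     # time allowed to open the TCP connection to Apache
    timeout client  30s    # client-side inactivity once a complete request is in flight
    timeout server  30s    # inactivity while waiting for Apache to answer

frontend www
    bind *:80
    # The key setting against Slowloris: a client that has not finished
    # sending its request headers (up to the terminating blank line) within
    # 10 seconds gets a 408 and its socket is closed. Apache never sees it,
    # because HAProxy forwards only complete requests to the backend.
    timeout http-request 10s
    # Ask both sides to close after each response so Apache workers are not
    # held between requests (option httpclose exists in 1.3-era and later).
    option httpclose
    default_backend apache

backend apache
    option forwardfor      # pass the real client IP in X-Forwarded-For
    # Constructed addresses; maxconn caps concurrency per Apache so that a
    # burst of legitimate traffic queues in HAProxy instead of exhausting it.
    server web1 10.0.0.11:80 maxconn 150
    server web2 10.0.0.12:80 maxconn 150
```

With `option httplog` enabled, requests dropped by the http-request timeout appear in the HAProxy log with a 408 status and a termination state beginning with `cR`, which is a convenient way to confirm the setting is actually firing.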

The beauty of this solution is that your Apache servers will continue to receive any valid requests, while HAProxy sucks up and terminates the connections coming from the Slowloris tool.

HAProxy has put up a drop-in configuration example to prevent this, available at their site or via this direct link.