Neutralizing Slowloris attacks with NIO

published by admin on Tue, 01/14/2014 - 09:00

Most of the time, web attacks rely on perverted use of protocols or pernicious effects of a technical possibility. For example, web servers are implemented to accept both fast and slow clients and treat them equally, but nobody would expect to have at the same time a huge amount of extremely slow clients. If this happened, this would lead the "old-style" server (1 thread for 1 connection) to get frozen.
Slowloris is the typical client exploiting this problem, and is widely used in DDOS attacks. You can download and study Slowloris source code, or you can try a similar homemade tool that I wrote for this example (DripDOS link at the bottom of this article).

By default, Tomcat is configured with 200 threads and 20 seconds timeout. When trying DripDOS with 201 connections and at the same time making an HTTP request, we then check that Tomcat needs 20 seconds to answer this request :
$ time telnet testserver 54080 Trying 10.128.10.10... Connected to testserver. Escape character is '^]'. GET / HTTP/1.0 ... ... Connection closed by foreign host. real 0m19.303s user 0m0.005s sys 0m0.009s

Java NIO allows to build asynchronous servers, which don't rely on the 1 connection - 1 thread model, but on processing data when data is available. This way, no threads are busy when waiting for nothing. We just need to change the connector type in Tomcat config to run our server in asynchronous mode :
$ diff server.xml server.xml.nio 69,70c69,71 < <Connector port="54080" protocol="HTTP/1.1" --- > <Connector port="54080" protocol="org.apache.coyote.http11.Http11NioProtocol"

Now we just need to restart Tomcat and check there is no more 20 seconds waiting :
$ time telnet testserver 54080 Trying 10.128.10.10... Connected to testserver. Escape character is '^]'. GET / HTTP/1.0 ... ... Connection closed by foreign host. real 0m1.157s user 0m0.003s sys 0m0.003s

Finally, we can conclude that NIO and asynchronous servers provide in some way a built-in protection against Slowloris or similar attacks. Good technologies have good side effects. If this protection cannot be compared to a good firewall, at least it can help an application to be stronger against attacks and more scalable under heavy load.

Tags:

slowloris