A Low And Slow attack is a DDoS attack that aims to stop a web service using extremely slow HTTP or TCP traffic.
After reading this article you will be able to:
R U Dead Yet (R.U.D.Y.)
Slowloris DDoS Attack
Web Application Firewall (WAF)
Ping Flood Attack
How To DDoS
A low and slow attack is a type of DoS or DDoS attack that relies on a small stream of very slow traffic which can target application or server resources. Unlike more traditional brute-force attacks, low and slow attacks require very little bandwidth and can be hard to mitigate, as they generate traffic that is very difficult to distinguish from normal traffic. Because they don’t require a lot of resources to pull off, low and slow attacks can be successfully launched using a single computer; two of the most popular tools for launching a low and slow attack are called Slowloris and R.U.D.Y.
Low and slow attacks target thread-based web servers with the aim of tying up every thread with slow requests, thereby preventing genuine users from accessing the service. This is accomplished by transmitting data very slowly, but just fast enough to prevent the server from timing out. Think of a 4-lane bridge with a tollbooth for each lane. Drivers pull up to the tollbooth, hand over a bill or a handful of coins, and then drive across the bridge, opening up the lane to the next driver. Now imagine four drivers showing up at once and occupying every open lane while they each slowly hand pennies over to the tollbooth operator, one coin at a time, clogging up all available lanes for hours and preventing other drivers from getting through. This incredibly frustrating scenario is very similar to how a low and slow attack works.
Attackers can use HTTP headers, HTTP post requests, or TCP traffic to carry out low and slow attacks. Here are 3 common attack examples:
The rate detection techniques used to stop traditional DDoS attacks won’t pick up on a low and slow attack. One way to mitigate a low and slow attack is to upgrade your server availability; the more connections your server can simultaneously maintain, the more difficult it will be for an attack to clog your server. The problem with this approach is that an attacker can attempt to scale their attack to meet your server’s availability. Another solution is reverse-proxy based protection, which will mitigate low and slow attacks before they ever reach your origin server. Learn about how Cloudflare’s cloud-based DDoS protection can mitigate slow and low attacks.
Previous Lesson: Ping (ICMP) Flood Attack
Next Lesson: Application Layer DDoS Attack