The Internet is a global public network of interconnected computer networks that utilize a common standard set of communication and configuration protocols. The Internet includes numerous private, public, business, academic, and government networks. Within each of the different networks are devices such as servers, workstations, printers, portable computing devices, host computers, monitoring devices, to name a few examples. These devices are able to connect to devices within their own network or to other devices within different networks through communication devices such as hubs, switches, and routers, for example.
Sometimes attackers will attempt to disrupt network communications. One example of how attackers disrupt network communications is termed a Slow HTTP (hypertext transfer protocol) attack. In a slow HTTP attack, an attacker opens many connections to a website, specifically to its HTTP or web server, and sends HTTP requests at a slow rate. Because of the slow transfer rate, it can take minutes or hours to detect an attacker that is sending invalid requests. And, after the invalid requests are detected and the web server resets the connection, the attacker simply continues to open new connections. Since a web server is typically limited to a finite number of simultaneous connections, legitimate clients may not be able to access the website during the attack.
There are several variants of the attack. Some variants, such as the Slowloris program, send GET requests with an indefinite number of request headers. Other variants send POST requests with a complete set of request headers, but include a message body of indefinite length that is sent a few bytes at a time.
There are several different techniques website administrators have used to mitigate slow HTTP attacks. The first technique is to modify the web server's configuration. For example, a website administrator can often increase the maximum number of clients that are able to connect simultaneously. Another approach is to decrease the maximum time that a web server will wait for a request to be transmitted. These solutions, however, do not solve the problem. Allowing more clients to connect does not provide a comprehensive solution because the attacker can easily increase the number of simultaneous connections. Likewise, decreasing the maximum time that a web server waits for a request is not a solution because as soon as the web server resets the connection, the attacker can immediately open a new connection to the web server.
A second technique is to use the iptables command to limit the number of connections per internet protocol (IP) address. The iptables command on a Linux server can be used to limit the number of new connections per minute from a single IP address. However, this technique may block legitimate clients who make many connections serially, such as a client retrieving many different files in succession. The iptables command also blocks legitimate clients that access the website through a proxy server, since all the requests originate from the same proxy IP address. Furthermore, this technique does not work with all kernel builds of the Linux operating system.
A third technique is to install a load balancer with delayed binding. This approach is able to mitigate some types of slow HTTP attacks. However, load balancers often fail to mitigate attacks that send a POST request message body at a very slow rate. This is because, once all the request headers have been received, the load balancer establishes a connection with the web server, and that connection remains open for as long as the message body is still being transmitted.
A fourth technique is to add a special purpose module to the web server application. There are some add-on modules, such as mod_antiloris for the Apache server, that are able to mitigate slow HTTP attacks. These modules, however, only work with specific web servers. Furthermore, these modules often have additional shortcomings. For example, the mod_antiloris module prevents a single IP address from forming a large number of simultaneous connections with the web server and thus blocks legitimate clients connecting via a proxy server.
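The two attack variants described above (slow GET headers and slow POST bodies) and the shortcomings of the per-IP connection limits used by the iptables and mod_antiloris approaches can be illustrated with a small detector that scores each connection by the rate at which its request bytes arrive, rather than by how many connections share a source address. This is an added example and not code from the original text or from any of the products it names; the event records, the IP addresses, the 50 bytes/second rate threshold and the 15 second observation window are all constructed for the illustration.

```python
"""Rate-based detection of slow HTTP request transmission (added example).

Each connection is tracked per request phase ("headers" until the request
headers are complete, then "body"). A phase is flagged when it has been
observed for at least MIN_OBSERVATION seconds and its average byte rate is
below MIN_RATE. Counting connections per IP, as connlimit-style rules do, is
shown alongside for contrast: it flags a proxy that carries several normal
requests and misses attackers that use one connection per address.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

MIN_RATE = 50.0          # bytes per second below which a phase is "slow" (assumed threshold)
MIN_OBSERVATION = 15.0   # seconds a phase must be observed before judging it (assumed)

VARIANT = {
    "headers": "slow-headers (Slowloris-style GET)",
    "body": "slow-body (slow POST)",
}

# Constructed sample events: (timestamp_s, connection_id, client_ip, phase, bytes_received)
Event = Tuple[float, str, str, str, int]
EVENTS: List[Event] = (
    # c1: Slowloris-style GET, 8 header bytes every 10 s, headers never complete
    [(10.0 * i, "c1", "203.0.113.10", "headers", 8) for i in range(7)]
    # c2: slow POST, complete headers at once, then 2 body bytes every 10 s
    + [(0.0, "c2", "203.0.113.20", "headers", 300)]
    + [(1.0 + 10.0 * i, "c2", "203.0.113.20", "body", 2) for i in range(6)]
    # c3..c6: four normal requests arriving through a single proxy address
    + [(t, f"c{k}", "198.51.100.5", "headers", 200)
       for k in range(3, 7) for t in (0.0, 0.2)]
    # c7: one normal client sending a small POST
    + [(0.0, "c7", "192.0.2.7", "headers", 350), (0.1, "c7", "192.0.2.7", "body", 40)]
)


@dataclass
class PhaseStats:
    """Bytes and time span observed for one phase of one connection."""
    first_ts: Optional[float] = None
    last_ts: Optional[float] = None
    nbytes: int = 0

    def add(self, ts: float, n: int) -> None:
        if self.first_ts is None:
            self.first_ts = ts
        self.last_ts = ts
        self.nbytes += n

    @property
    def duration(self) -> float:
        if self.first_ts is None or self.last_ts is None:
            return 0.0
        return self.last_ts - self.first_ts

    @property
    def rate(self) -> float:
        # A phase that arrived in a single burst has no measurable slowness.
        return self.nbytes / self.duration if self.duration > 0 else float("inf")


def rate_based_flags(events: List[Event], min_rate: float = MIN_RATE,
                     min_observation: float = MIN_OBSERVATION) -> Dict[str, Tuple[str, str]]:
    """Return {connection_id: (client_ip, variant)} for connections sending too slowly."""
    stats: Dict[str, Dict[str, PhaseStats]] = defaultdict(lambda: defaultdict(PhaseStats))
    ip_of: Dict[str, str] = {}
    for ts, conn, ip, phase, n in sorted(events):
        stats[conn][phase].add(ts, n)
        ip_of[conn] = ip
    flagged: Dict[str, Tuple[str, str]] = {}
    for conn, phases in stats.items():
        for phase, ps in phases.items():
            # Only judge a phase once it has been open long enough to be meaningful.
            if ps.duration >= min_observation and ps.rate < min_rate:
                flagged[conn] = (ip_of[conn], VARIANT[phase])
    return flagged


def per_ip_connlimit_flags(events: List[Event], max_connections: int = 3) -> Set[str]:
    """Naive per-address rule for contrast: flag IPs with more than max_connections connections."""
    conns_per_ip: Dict[str, Set[str]] = defaultdict(set)
    for _, conn, ip, _, _ in events:
        conns_per_ip[ip].add(conn)
    return {ip for ip, conns in conns_per_ip.items() if len(conns) > max_connections}


if __name__ == "__main__":
    for conn, (ip, variant) in rate_based_flags(EVENTS).items():
        print(f"rate-based: {conn} from {ip}: {variant}")
    print("per-IP connection limit would block:", per_ip_connlimit_flags(EVENTS))
```

On the constructed input the rate-based rule flags only c1 (slow headers) and c2 (slow body), while the per-IP count flags the proxy address carrying four ordinary requests and leaves both attacking connections untouched, which is the false-positive and false-negative behaviour the text attributes to the iptables and mod_antiloris approaches.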