The naïve and still common perception of DoS/DDoS attacks is that to be destructive, attacks must use brute force and generate massive traffic. Low & Slow DDoS application attacks prove otherwise. Similar to guerrilla warfare tactics, Low & Slow application attacks create significant damage with minimal resources. What's more, detecting and preventing these attacks presents a significant challenge. The following post goes in-depth to break down why Low & Slow application-level attacks are difficult to detect and mitigate.
Appearance of legitimacy
Low & Slow attacks use slow traffic that appears legitimate in terms of the protocol rules and rates. By not violating any network standard or security policy they pass undetected, flying below the radar of traditional mitigation strategies.
The traffic, however, is designed to exhaust the victim's resources until its services halt and become unavailable. For example, a popular Low & Slow attack tool is R.U.D.Y (R U Dead Yet?), which can bring down a web server by creating long form field submissions. This is done by iteratively injecting one byte into a web application POST field followed by a sleep period. The result is that application threads become stuck because they are occupied with these one-byte POST fragments.
Slowloris is another popular Low & Slow attack tool that holds HTTP connections open by sending partial HTTP requests. Slowloris continues to send subsequent headers at regular intervals to occupy the application stack and keep the connections from closing. The web server quickly reaches its maximum application stack capacity and becomes unavailable for new connections by legitimate users.
Unlike other denial of service attacks, Low & Slow techniques require very few resources from attackers. While performing a network flood requires several hundred bot machines that simultaneously send traffic to overload network resources, Low & Slow attacks can be launched from a single attacking computer with no additional bots.
Detecting Low & Slow application attacks requires real-time awareness of the resources consumed by the protected servers, such as CPU, memory, connection tables, application states (virtual or real ones), application threads and more.
A resource-aware detection solution will constantly monitor the status of resource allocation, as well as trends of the protected servers, and will be able to identify misuse of those resources. For example, long and relatively "idle" open network connections might imply that the server is under a connection table misuse attack. Additionally, an application stuck in a process that is supposed to be completed quickly may be under a R.U.D.Y attack.
Detecting such attacks requires a tight integration between the protected server and the mitigation solution. Another approach is for the mitigation solution to analyze the behavior of open server connections and to simulate the application stack resources without a direct connection to the server itself. With the proper behavior analysis technologies, the misuse of the network and application resources can be identified with high accuracy. Once the activity is detected, it can be traced back to its origin and mitigated as necessary.
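The resource-aware detection described above can be illustrated with a small classifier over a server's connection table. The following Python is an added example, not code from the original post or from any particular mitigation product: it takes a constructed snapshot of open connections (the `Conn` records, the client addresses and all thresholds are assumptions for the example) and applies the two signals the post names, headers that never complete on a long-lived trickling connection (the Slowloris pattern) and a declared request body that stays far from complete at a tiny rate (the R.U.D.Y pattern).

```python
"""Resource-aware Low & Slow detector over a constructed connection-table snapshot.

Added example, not code from the original post. Each open connection is scored on
age, data rate and request completeness, the signals a resource-aware detector
watches instead of raw traffic volume.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Conn:
    """One open server connection as a monitoring agent might report it (assumed schema)."""
    client: str
    age_s: float                   # seconds since the TCP connection was accepted
    bytes_in: int                  # request bytes received so far on this connection
    headers_complete: bool         # has the blank line that ends the header block arrived?
    content_length: Optional[int]  # declared body length, if the request has one
    body_received: int             # body bytes received so far


# Thresholds are assumptions for this example; tune them to the protected application.
MAX_HEADER_WAIT_S = 30.0   # a complete header block should arrive well within this
MIN_RATE_BPS = 50.0        # below this sustained byte rate a request is treated as idle
MIN_AGE_S = 20.0           # connections younger than this are too new to judge


def classify(c: Conn) -> Optional[str]:
    """Return a reason string if the connection looks like Low & Slow abuse, else None."""
    if c.age_s < MIN_AGE_S:
        return None
    rate = c.bytes_in / c.age_s
    # Slowloris pattern: headers still incomplete long after accept, bytes trickling in.
    if not c.headers_complete and c.age_s > MAX_HEADER_WAIT_S and rate < MIN_RATE_BPS:
        return "incomplete-headers"
    # R.U.D.Y pattern: headers done, declared body far from complete, arriving at a trickle.
    if (c.headers_complete and c.content_length is not None
            and c.body_received < c.content_length and rate < MIN_RATE_BPS):
        return "stalled-body"
    return None


def flag_connections(conns: List[Conn]) -> List[Tuple[str, str]]:
    """Return (client, reason) for every connection the classifier flags."""
    return [(c.client, reason) for c in conns if (reason := classify(c))]


def per_client_counts(flags: List[Tuple[str, str]]) -> Dict[str, int]:
    """Aggregate flags per client: many flagged connections from one source is the
    tell-tale of a single-machine Low & Slow attack, not of one slow user."""
    counts: Dict[str, int] = {}
    for client, _ in flags:
        counts[client] = counts.get(client, 0) + 1
    return counts


# Constructed snapshot: two legitimate clients, one Slowloris-style and one
# R.U.D.Y-style source (documentation addresses, not real hosts).
SAMPLE_SNAPSHOT = [
    Conn("198.51.100.10", 2.0, 820, True, None, 0),                     # fast, complete request
    Conn("198.51.100.11", 40.0, 4_000_000, True, 8_000_000, 4_000_000),  # healthy large upload
    Conn("203.0.113.5", 180.0, 600, False, None, 0),                    # headers never finish
    Conn("203.0.113.5", 175.0, 580, False, None, 0),                    # second such connection
    Conn("203.0.113.7", 180.0, 500, True, 1_000_000, 120),              # 1 MB declared, 120 B in 3 min
    Conn("198.51.100.12", 5.0, 0, False, None, 0),                      # too young to judge
]


if __name__ == "__main__":
    flags = flag_connections(SAMPLE_SNAPSHOT)
    for client, reason in flags:
        print(f"{client}: {reason}")
    print(per_client_counts(flags))
```

The rate here is averaged over the connection's whole lifetime; a production detector would use a sliding window of recent activity so that a connection that starts fast and then stalls is caught too. Once a source is flagged the same data supports mitigation: most web servers expose per-connection header and body read timeouts and minimum data rates (Apache's mod_reqtimeout is one such mechanism), which close exactly the connections this classifier identifies.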
It’s clear that the Low & Slow method upends some of our preconceived notions when it comes to DDoS attacks. From its relative simplicity to its usage of minimal resources, defending against this increasingly popular tactic requires the right security infrastructure along with a dedicated team of security personnel that possesses the expertise to break down the latest attack tools in real time.
Has your organization been the victim of a Low & Slow attack? If so, share your experiences of how you detected and mitigated this deceptively malicious DDoS attack tool.