Mitigating Slowloris Attacks

Slowloris is a special type of Denial of Service (DoS) attack that targets the availability of a web server or application server.

In a slowloris attack, a large number of requests are sent in parallel to the application server at a very low data transfer rate. Because of the low transfer rate, the connections to the application server stay open for a long time and tie up system resources. Once the application server has used up its limited system resources, legitimate requests are denied.

It is difficult to prevent this type of attack. To keep the application server available even while it is under a slowloris attack, three subparameters have been implemented in the parameter icm/server_port. You can use them to set conditions on the data transfer rate of a request.

It is best to set the minimum data transfer rate to a value that makes slowloris attacks difficult. However, you must ensure that the required rate is still low enough to allow legitimate requests from poor network connections (e.g. requests through mobile networks). The maximum length of time that a connection may remain open can also be restricted. All connections that do not meet the specified data transfer rate or exceed the permitted duration of a request are closed automatically by the server. The following subparameters are used to counteract slowloris attacks:
  • MIN_RECEIVE_RATE:

    Specifies the minimum data rate. The transfer rates are configured as pairs of from_size (in KB) and min_rate (in KB/sec). The first from_size parameter is set to "0". A maximum of three transfer rates can be configured. The transfer rates must be assigned in ascending order and be separated by semicolons. There is no default value.

  • CHECK_RECEIVE_RATE_AFTER:

    When a TCP/IP connection is first being set up, it may be very slow to open. For this reason, the data rate check is only started after a predefined time, set in seconds. The default value is five seconds.

  • MAX_RECEIVE_TIMEOUT:

    The maximum time in seconds that a connection is allowed to remain open can be configured. There is no default value.

Example

Example 1:

To configure a minimum data rate of 2 KB per second, you set the profile parameter as follows:

icm/server_port_0 = ...., MIN_RECEIVE_RATE=min_rate=2

The first parameter from_size is set implicitly to the value "0".

Example 2:

To set the minimum data rate depending on the size of the request, you can set the profile parameter as follows:

icm/server_port_0 = ...., CHECK_RECEIVE_RATE_AFTER=3, MIN_RECEIVE_RATE=from_size=0 min_rate=2; from_size=16 min_rate=10; from_size=1000 min_rate=50

If the size of a request is between 0 and 16 KB, a minimum data transfer rate of 2 KB per second is required. If the size of a request is between 16 and 1000 KB, a minimum data transfer rate of 10 KB per second is required. If the size of the request is greater than 1000 KB, a minimum data rate of 50 KB per second is required. The conditions are checked after 3 seconds.

Example 3:

To configure the maximum time a connection is allowed to be open to 30 seconds, you set the profile parameter as follows:

icm/server_port_0 = ...., MAX_RECEIVE_TIMEOUT=30
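The following is an added example (not SAP code, and not the ICM's actual implementation) that parses a MIN_RECEIVE_RATE value in the form of Example 2 and applies the three subparameters to a connection's byte count and elapsed time, so the tier selection and the CHECK_RECEIVE_RATE_AFTER grace period can be reasoned about offline. It assumes that "size of the request" means the KB received so far and that a request of exactly from_size KB falls into the higher tier; the sample values are constructed.

```python
import re

# Constructed values in the shape of the page's Example 2 (illustrative, not SAP defaults).
MIN_RECEIVE_RATE = "from_size=0 min_rate=2; from_size=16 min_rate=10; from_size=1000 min_rate=50"
CHECK_RECEIVE_RATE_AFTER = 3   # seconds of grace for slow TCP setup
MAX_RECEIVE_TIMEOUT = 30       # seconds a connection may stay open at all

def parse_min_receive_rate(spec):
    """Parse 'from_size=A min_rate=B; ...' into [(from_size_kb, min_rate_kb_s), ...]."""
    # Page rules: a missing from_size means 0, at most three pairs, from_size ascending.
    tiers = []
    for entry in spec.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        m = re.fullmatch(r"(?:from_size=(\d+)\s+)?min_rate=(\d+)", entry)
        if not m:
            raise ValueError(f"bad MIN_RECEIVE_RATE entry: {entry!r}")
        from_size = int(m.group(1)) if m.group(1) is not None else 0
        tiers.append((from_size, int(m.group(2))))
    if not tiers or len(tiers) > 3:
        raise ValueError("MIN_RECEIVE_RATE takes one to three transfer rates")
    if tiers[0][0] != 0 or any(a[0] >= b[0] for a, b in zip(tiers, tiers[1:])):
        raise ValueError("from_size values must start at 0 and ascend")
    return tiers

def required_rate(tiers, received_kb):
    """Minimum KB/s that applies to a request of this size."""
    # Assumption: size = KB received so far; exactly from_size KB falls into the higher tier.
    rate = tiers[0][1]
    for from_size, min_rate in tiers:
        if received_kb >= from_size:
            rate = min_rate
    return rate

def check_connection(received_kb, elapsed_s, tiers,
                     check_after=CHECK_RECEIVE_RATE_AFTER, max_timeout=MAX_RECEIVE_TIMEOUT):
    """Return the violated subparameter's name, or None if the connection may stay open."""
    if max_timeout is not None and elapsed_s > max_timeout:
        return "MAX_RECEIVE_TIMEOUT"
    if elapsed_s <= 0 or elapsed_s < check_after:
        return None  # rate check has not started yet (slow TCP setup grace period)
    if received_kb / elapsed_s < required_rate(tiers, received_kb):
        return "MIN_RECEIVE_RATE"
    return None

# A slowloris-style client trickling 0.5 KB of headers over 10 s is cut off,
# while a legitimate 9 KB request arriving over 4 s (2.25 KB/s) passes.
TIERS = parse_min_receive_rate(MIN_RECEIVE_RATE)
print(check_connection(0.5, 10, TIERS), check_connection(9, 4, TIERS))
```

When tuning, feed the check with byte counts and durations observed from real slow clients (e.g. mobile users) to confirm that the chosen tiers close only the trickling connections.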