Tuesday, September 20, 2011

Testing Web Servers for Slow HTTP Attacks

Via Qualys Security Labs -

Following the release of the slowhttptest tool, I ran benchmark tests of some popular Web servers. My testing shows that all of the observed Web servers (and probably others) are vulnerable to slow HTTP attacks in their default configurations. Reports generated by the slowhttptest tool illustrate the differences in how the various Web servers handle slow HTTP attacks.


Final Thoughts

Software configuration is all about tradeoffs, and it is normal to sacrifice one aspect for another. We see from the test results above that all default configuration files of the Web servers tested are sacrificing protection against slow HTTP DoS attacks in exchange for better handling of connections that are legitimately slow.

Because a lot of people are not aware of slow HTTP attacks, they will tend to trust the default configuration files distributed with the Web servers. It would be great if the vendors creating distribution packages for Web servers would pay attention to handling and minimizing the impact of slow attacks, as much as the Web servers’ configuration allows. Meanwhile, if you are running a Web server, be careful and always test your setup before relying on it for production use.
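As an added illustration of the tradeoff described above (this is not configuration from the Qualys post), here is an Apache httpd fragment showing the permissive default-style timeout next to a hardened setting that uses mod_reqtimeout (available since 2.2.15). The directive names are real Apache directives; the numeric values and the module path are illustrative and should be tuned and verified with slowhttptest against your own server.

```apache
# Added example, not part of the original post. Applies to Apache httpd 2.2.15+ / 2.4.

# --- Default-style (weak) ---
# A single global Timeout governs every read and write on a connection, so a
# client that sends one header byte every few seconds keeps a worker busy for
# as long as it keeps trickling data. Legitimately slow clients are never cut
# off, but neither are slow-header or slow-body attackers.
# Timeout 300

# --- Hardened ---
# Shorter global timeout and keep-alive window so idle workers are freed quickly.
Timeout 60
KeepAliveTimeout 5

# mod_reqtimeout bounds the time allowed to receive the request headers and
# body and enforces a minimum data rate. A genuinely slow client that keeps
# sending at a steady rate is still served; a client that sends almost nothing
# is dropped. Module path varies by distribution (illustrative placeholder).
LoadModule reqtimeout_module modules/mod_reqtimeout.so

# header: allow 20 s for the headers, extended by 1 s per 500 bytes received,
#         but never more than 40 s in total.
# body:   allow 20 s for the body, extended by 1 s per 500 bytes received,
#         with no fixed upper bound.
RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
```

Re-run slowhttptest in both header and body modes after the change; the connection-state report should show the server closing the slow connections instead of holding them until the worker pool is exhausted.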

1 comment:

  1. Some of these attacks are due to flaws on the HTTP server itself. For example, look up "Slowloris", which picks on the fact that Apache is a threaded server application.

    The vulnerability is impossible to prevent by editing configuration files, as it's a flaw with Apache itself. (However, by using Apache plugins there are methods to try to mitigate these types of attack, for example "mod_qos".)

    Other web server applications such as Nginx and Lighttpd are not "threaded" servers, they are asynchronous servers, so they can withstand the main flaws that Apache has.