Slowloris Mitigation

Slowloris is a layer 7 DDoS attack that opens a large number of connections to the target server and sends incomplete HTTP requests over them in order to slow it down. It keeps these connections open for a long time, which consumes the server's allowed pool of concurrent requests and prevents it from serving legitimate users' requests, resulting in a denial of service. The protocol anomaly exists in the HTTP 2.0 protocol which waits indefinitely or till the specified timeout, waiting for the .

For the video demo, we executed the attack against one of our test domains.

We used the https://github.com/gkbrk/slowloris package to run the Slowloris attack against it.

The video shows the Slowloris attack hitting the app when traffic is not routed through the WAF; there is a brief period during which a legitimate request from my browser times out. The same issue does not occur when traffic is routed through Prophaze WAF.

The indefinite timeouts based on the listening for the are handled by Prophaze WAF using our DoS mitigation module, and Slowloris requests hit a honeypot rather than the client's server. Therefore, we can conclude that this attack can be prevented from reaching the client, with no hindrance to their infrastructure.
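
A general server-side counterpart to the behaviour described above, as an added example (not Prophaze's module and not code from this page): put one overall deadline on receiving the complete header block, so a connection that only trickles headers is closed and its slot freed. The names `read_head`, `handle`, `simulate` and both thresholds are assumptions chosen for the illustration.

```python
import asyncio

HEADER_DEADLINE = 0.3    # assumed budget in seconds for the whole header block
MAX_HEADER_BYTES = 8192  # assumed cap on header size

async def read_head(reader, deadline=HEADER_DEADLINE):
    """Return the complete header block, or None if it does not arrive in time.

    The deadline covers the whole header block. A per-read idle timer is not
    enough: a slow client resets it with every few bytes it trickles in.
    """
    try:
        return await asyncio.wait_for(reader.readuntil(b"\r\n\r\n"), deadline)
    except (asyncio.TimeoutError, asyncio.IncompleteReadError,
            asyncio.LimitOverrunError):
        return None

async def handle(reader, writer):
    """Callback for asyncio.start_server(handle, host, port, limit=MAX_HEADER_BYTES)."""
    if await read_head(reader) is None:
        writer.close()  # give the connection slot back instead of waiting
        return
    writer.write(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n"
                 b"Connection: close\r\n\r\nok")
    await writer.drain()
    writer.close()

def simulate(chunks, gap, deadline=HEADER_DEADLINE):
    """Feed constructed chunks to read_head(), one every `gap` seconds."""
    async def run():
        reader = asyncio.StreamReader(limit=MAX_HEADER_BYTES)
        async def feed():
            for chunk in chunks:
                reader.feed_data(chunk)
                await asyncio.sleep(gap)
        feeder = asyncio.create_task(feed())
        head = await read_head(reader, deadline)
        feeder.cancel()
        return head
    return asyncio.run(run())

# Constructed inputs: one complete request, one that never finishes its headers.
COMPLETE = [b"GET / HTTP/1.1\r\n", b"Host: example.test\r\n\r\n"]
TRICKLE = [b"GET / HTTP/1.1\r\n"] + [b"X-a: b\r\n"] * 100

if __name__ == "__main__":
    print(simulate(COMPLETE, gap=0.02))  # header block returned
    print(simulate(TRICKLE, gap=0.05))   # None: deadline hit, slot released
```

The trickling input sends data every 0.05 s, so it would never trip an idle timer longer than that; only the overall deadline ends it.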