Slow Loris Attack - Computerphile

Yeah, while forgetting their stories halfway through and starting all over.

You should be on ELI5 subreddit.

shouldn't you be busy saving the world, Niko?

That variation of the attack is described in more detail in this video watch?v=tc_KJEwzq74

That's a clever IRL DoS.

Second rule of coding: Checking rule 1 is NP-hard!

Wouter Damen Ikr! All the parsing and data validation!

Like life: cant trust anyone. But obviously thats not the optimal strategy.

So true!

+TechyBen
Why is it NP-hard?

indeed

same I was laughing alot at how simple but effective this is.

Chaining Solid not really effective anymore except for unpatched web servers. but yeah, genius in it's conception by using the artificial limits used to stop DDoS against the server to DDoS it anyway. lol

Yeah, except it's useless because every sensible webserver has a connection limit per client or IP (something on the order of 2-10, beyond that you're blocked). It's true that it saves traffic, but there's no way around owning a botnet...

could just go through a few proxies/VPNs if you really needed to do it solo.

Dr EVIL would be proud!

Mojo Jojo would be proud

Cry? Like a girly man?
This is so beautifully evil is makes me rage at myself for not thinking of it first!!

And your comment made me WannaCry

Ambrus Sümegi a

I really needed this! Thank you for your clear writing.

Yeah, he should have a dedicated channel

It's also great how he has to add the obligatory 'don't really do this', but you can see in his eyes that he thinks this stuff is awesome ;-)

would be cool, but i think its more complicate that it seems to be here

I am at the Uni he teaches at, very nice guy in general. Can occasionally hear him talking in an office and wonder if a new Computerphile video is on the way :)

DamagedSave Go talk to him! Say we would like to see his channel :P

yeah, i was thinking the same thing. moreso that it's apache on windows.

That's what I was thinking. Though if you're deploying apache with the specific intention of breaking it, maybe windows is the better platform.

it doesn't matter and it's faster to install server on windows than on linux

He'll be using the university network which will most likely be windows enviroments.

Nimisidiv Except the other machine is Linux. Anyway, installing Apatchy httpd on Linux is very fast it's an OS feature. But installing Monty Python etc. on Windows is harder than installing Apache, so if he only had those two machines it's just easier to do the python script on the Linux machine and use a badly configured toy web server on Windows as the target.

Emanuele Giordano he didnt write it as he said

Well, maybe you should drop H and do something in JS or Python

It's called denial of execution attack injected by the creator of the language to prevent your code from doing what you want it to do. Just like this very comment is denial of skill attack by me to prevent you ..
[Okay, this joke took a mean turn, I'll stop now.]

Simple rule.
If you can make money out of it then you are a real hacker.
Otherwise you are just an aficionado.

nah, script kiddie

Makes so much sense now

What is the relevance of this comment to the video?

Eh, but then you've destroyed the contents of the safe, which isn't what a DDoS does. It would be more like throwing the safe off a bridge into very deep water. Or launching it into space on an extrasolar trajectory. And then proclaiming yourself to be the greatest safecracker of all time. :)

Well, seriously, you could probably find the code fairly quickly or writ it yourself knowing the idea behind it, so...

I'm pleased too, but computer science/computing isn't ALL about code. :)

tru tru

but its in a noob language like python

>noob language
aakksshhaayy is living in 2080 with his "assembly code only" ideology

lol

and if you did that on an islamic website, youd be called a racist

they are gonna sue!

My idea too

they might be using apache, how can you tell before hand

+
Yeah I'd love to know this too.

Use Lighttpd or nginx ;P

I wonder how many Apache threads some normal Linux box could handle.

One obvious answer is: don't spawn a new thread for every connection. If you keep your processing as lightweight as possible, attacks like this have a much smaller effect.

You could also limit the number of open concurrent connections to the same IP.

Nigel respect

Amplified?

it is, but just glance at apache's documentation and you'll find timeouts for keep alives and "read timeout"

I don't really care for an accurate description as long as the concept behind it is described, which he did. If one were to want a more accurate description, I'm sure one could find one for themselves. I don't think that this video is meant as a walk-through to an exploit.

Hey, would you like to download my file? It is called secretbitcoinaddress.notavirus

W3C is working on the standard

Instead of ".exe"

@@godfreypoon5148 lol

Virus software be like "del /S C:\*.virus"

I like the theme he's using so it's fine

"Registered"

Maybe he also has a registered winrar somewhere.

Lol, he pays for software that is basically free. Look up VScode.

@@hexagonist23 or VSCodium if you don’t want to get your linux install dirty with Microsoftware

Nobody cares m8

good for you

Speedyjens I was just sharing my experience with Ubuntu cos you rarely see people use it. If you don't care, you can skip along like everyone else does. I am sure you don't care about every CZcams comment and you generally skip along. This one shows you somewhat care to make the effort to reply to....

Anesu C You comment really had nothing to do with the video.
*cough* alot of servers uses ubuntuu *cough*

Speedyjens​​ They use Linux not specifically ubuntu, tha I have experienced first hand. Also it doesn't matter if it wasn't explicitly related to the topic, it's like watching a show and your favorite actor/singer/etc shows up. You will notice a lot of comments about that person rather than the topic of the show itself.... Just another note, this video pretty much covered the topic well, I had nothing else to add, hence I mentioned this instead.

Thomas Gourley

do you honestly think that you could go to jail for this?

+joe 10001001 you absolutely would go to jail for a denial of service attack like this. if i'm not mistaken, it's a federal offense.

it depends who you do it to and how effective it is tho right?

large companies rely on a lack of public knowledge on tech and bribery to make things like dos illegal. if you think about it dos is a form of peaceful protest (when the participants are willing). using current event as an example, ddos attacks are analogous to a crowd of people standing in front of trump tower to prevent people getting in and by extension, trump making money. this dos attack is perfectly understood by this hypothetical scenario. you fine out that a restraint has been steeling credit card numbers, so you gather a group of 30 friends who each take a table, then when a waiter comes to get their order they ask for 5 more minutes. in my opinion, you and your friends are not committing a crime, any loss in profit that the restaurant is facing is their fault because they chose not to kick you out.
and with the normal ddos attack you are simply peacefully protesting (if you are using a botnet and not and not a community who agrees and wants to help the cause) you are guilty of a different crime.

your profile pic is intresting lol

You don't need a thread per socket... A thread could handle "thousands" of slow socket...
This is a design problem in a "optimisation" done on the Apache server. As he said, not all http server have this weakness.

Hendrik-Jan Smit You might want to research the C10k problem. For one you can make connection handling much much more effective, also you can rather easily detect a client misbehaving this way and block it.

As Morgan says, "Everything gets a return"

I agree. Not much substance to this video without preventative measures.

Just drop the connection if it is unrealistically slow.

user255
Sure could you give a example of how to setup a iptable rule or apache configuration that would do this for me then?

Dantali0n I think I spoke too soon... it is not as easy as I thought. But check this:
insights.sei.cmu.edu/cert/2009/07/mitigating-slowloris.html

I would think having a hard timeout on connections (as in having any single connection not be longer than a few seconds) would work, although it might make accessing the site from a very slow connection impossible.

Any server that doesn't have one thread dedicated for each socket will fair well against this attack. Nginx can handle 10k concurrent connections, probably more of these "pseudo"connections

I don't know but maybe limit the number of connections per user or don't use apache?

+Natanor That would not work. Apache already has hard timeout for requests but the script recreates each connection that was closed by the server.
+ILYES You can limit the number of connections from an IP address but that may make your website unuseable from some large companies or organisations that have only a few external IP addresses.

I would try solving it by prioritizing the faster connections and having lower time outs.

Even better than that, the packets are so small that you can easily route them through the Tor network, maybe even with a separate connection for each socket. (Depending on the per socket timeout)

#firewall might fix this for you
ip6tables -I INPUT -p tcp --syn --dport 443 -m connlimit --connlimit-above 10 -j DROP
iptables -I INPUT -p tcp --syn --dport 443 -m connlimit --connlimit-above 10 -j DROP

Can you elaborate? I assume that drops the slow connections, right?

I assume it limits the number of connections per IP to 10 on port 443. This might ban an entire country.

***** Qatar has only one public IP. Everything I say is 100% serious.

***** I don't know either. A different situation: a bunch of governments are blocking a lot of sites. If one were to use Tor to bypass it he would have found that some CDNs are blocking Tor IPs. I guess these are rare cases and generally shouldn't be worried about.

Where you're right, you're right. Thanks for your clarification

I'd like to give props to both of you guys - nidefawl for giving proper explanation and Axel for taking the lesson. If only internet was full of people like you! ;)

+dzikiLOS I guess the Internet will never be full of people like the ones in this comment section -_-
But that's more in a conjunction to people in general. not the web

@nidefawl I'd thought it would be, given the amount of connections, and all of them distributing a connection. I don't know, though, because I have hardly any experience with any form of coding.

Typewriters and postage stamps

boothegoo pc No, iptables

Design a thread to handle all the slow connections? ---> Two lorises having fun chatting with each other...

That's not an automatic solution though right? You need an administrator to recognize the problem and block their IP right?

@Yanni mouzakis I have no idea. Even if it's possible to handle/consolidate slow connections automatically, it just make the attacker pay as much resource as the server in the end.

Daniele Dal Col Aka the "I just enlisted in an IT course but Ill still call myself a real programmer already" starter package :)
/s

Lol too accurate

Nope.
And I'll bet I'm not the only one who is happy to a Linux box from my own Linux box.

It's probably local for the University, their local IP address usually look like public ones.

Probably public, Universities often give out public IP's to clients

@@willway1234 Yes, it is.

So are you like the maple version of a Trump supporter. "Damn Americans, comings here too lazy to make hockey sticks like the rest of us; coming here go'n take my job at the hockey stick factory."

It's actually a different operating system, a Linux distro called Ubuntu.

not windows

yes, say more please

I'll say that I used Apache 2.2 and then 2.4 for a few years and I'm so happy that I switched to Nginx.

thanks for more :)

Or Node.js

Ljón That's quite different though.

Jails website is going down.

enjoy school

put a link to a batch file in a public directory of the school computer system that opens a window that says "I just learned batch!" like a program made from a tutorial so if someone opens it hes just like "k, someone accidentally put this file in the public folder" but it also launches the Slow Loris program as that curious person who opens it. Nobody can see who put that file in the public folder, even if they figure out that when you are curious to open that myfirstbachfile.bat you launch a DDOS on the school site in the background.

15 Redstones That's genius! Sadly, I'm too scared to even try to do that, because I'm afraid of getting caught. Sometimes I like to fantasize about this kind of stuff, too, but I'd never do it.

Thomas Gourley I wouldn't do it either, because I'm actually in our IT club and working on the school homepage, so I am working on making sure that nobody can XSS or SQL-Inject it. Altough maybe I would try it on the local server where we test stuff, since it's our server it would be legal to hack it if I ask my teacher first.

sounds like a solution a business owner would agree with.

That is already implemented in Apache, requests have hard limit after which they are dropped. However, the script simply reopens every connection that the server closed. A few legitimate requests may skip through but that would hardly make a shop useable.
The correct solution is to use a web server that does not spawn a new thread for each connection (usually as a reverse proxy that will collect and resend requests if you still need Apache for your website). Then they can easily handle tens of thousands of such connections.

That has the problem that the attacker still just opens up new requests. Even if you drop all of the connections quicker, the attacker will also open requests quicker. So the attacker still eats up your threads.

I wonder if there is a way that Apache servers can implement a non thread based connection scheme or something. There must be a common fix or prevention method if half of all webservers are running the most vulnerable system!

ericsbuds "non thread based" do you even know what threads are?