As a hobby I study about cyber security and hacking, and one thing that really fascinates me are the Denial of Service Attacks (Dos). From them the ones that I’m really interested are the Denial of Service attacks that uses a single computer or a very few number of computers to take a website offline, this is quite the opposite to LOIC or HOIC used by Anonymous that need hundreds maybe thousands of computers to take down a website.
Today I stumbled upon a new tool called slow read DoS tool, that first appeared on the internet at the beginning of this year.
SlowHTTPTest (slow http read) is a highly configurable tool that simulates some Application Layer Denial of Service attacks.
It implements most common low-bandwidth Application Layer DoS attacks, such as slowloris, Slow HTTP POST, Slow Read attack (based on TCP persist timer exploit) by draining concurrent connections pool, as well as Apache Range Header attack by causing very significant memory and CPU usage on the server.
I showed the tool to one of my best twitter followers @sambowne that tested the attack and the results are quite surprising because CloudFlare failed to detect the attack.
You can read Sam Bowne’s results from the testing of the slow read DoS attack from here : http://samsclass.info/123/proj10/slow-read.html
I found that this tool did not render the server unavailable with the settings in the man page, but it did consume a lot of resources.
The surprise to me was that CloudFlare did not protect me. My overall security level at CloudFlare is “Low”, however. Higher settings may provide more protection.
CloudFlare was quick to respond :
@sambowne @CloudFlare @RukshanR stay tuned. More coming next week to stop HTTP attacks that get through our network.
— Matthew Prince (@eastdakota) March 30, 2012
The attack can be made more powerful by using more number of threads and increasing the number of computers running the slow post attack, so there is still a possibility in using this tool to take down a website, this has been the latest trend in Denial of Service attacks using flaws in the HTTP protocol to take down websites being not accessible to others, rather than taking the whole server down like DDoS attack that can now be stopped using CloudFlare.
On the other hand what if Anonymous hackers sent this tool instead of LOIC to their followers, that can be interesting too.
Update : Sam Bowne has tested other methods of attack with the Slow Read DoS tool and posted his results at his blog. Here are the results summed up.
- Slow Read Attack: Doesn’t stop the server; Cloudflare doesn’t provide protection.
- Range Header Attack: Completely stops the server; Cloudflare provides effective protection.
- Slow Post Attack: Completely stops the server; Cloudflare provides effective protection.
- Slow Loris Attack: Completely stops the server; Cloudflare provides effective protection.
And thanks for all the interesting Twitter replies I got for this, couldn’t read them till today morning because TweetDeck went down.
@sambowne @CloudFlare @RukshanR @eastdakota nginx also protects Apache from these attacks. Just saying.
— Robert David Graham (@ErrataRob) March 30, 2012
@sambowne @CloudFlare @RukshanR @eastdakota Cloudflare is often not setup properly, leading to IP addr disclosure. See it happen *alot*
— ohdae (@bindshell_) March 30, 2012
Outcast Life 
Nice find! I am the author of slowhttptest, and I somehow missed Sam Bowne’s comparison.
Thanks, yes Sam Bowne is very much interested in DDoS/DoS attacks and prevention. He test them all.
When it comes to me I’m only interested in DoS attacks, slow http is a nice tool