The Slow Read DoS Attack That Penetrates CloudFlare.

As a hobby I study about cyber security and hacking, and one thing that really fascinates me are the Denial of Service Attacks (Dos). From them the ones that I’m really interested are the Denial of Service attacks that uses  a single computer or a very few number of computers to take a website offline, this is quite the opposite to LOIC or HOIC used by Anonymous that need hundreds maybe thousands of computers to take down a website.

Today I stumbled upon a new tool called slow read DoS tool, that first appeared on the internet at the beginning of this year.

SlowHTTPTest (slow http read) is a highly configurable tool that simulates some Application Layer Denial of Service attacks.

It implements most common low-bandwidth Application Layer DoS attacks, such as slowloris, Slow HTTP POST, Slow Read attack (based on TCP persist timer exploit) by draining concurrent connections pool, as well as Apache Range Header attack by causing very significant memory and CPU usage on the server.

I showed the tool to one of my best twitter followers @sambowne that tested the attack and the results are quite surprising because CloudFlare failed to detect the attack.

You can read Sam Bowne’s results from the testing of the slow read DoS attack from here : http://samsclass.info/123/proj10/slow-read.html

 I found that this tool did not render the server unavailable with the settings in the man page, but it did consume a lot of resources.

The surprise to me was that CloudFlare did not protect me. My overall security level at CloudFlare is “Low”, however. Higher settings may provide more protection.

CloudFlare was quick to respond :

The attack can be made more powerful by using more number of threads and increasing the number of computers running the slow post attack, so there is still a possibility in using this tool to take down a website, this has been the latest trend in Denial of Service attacks using flaws in the HTTP protocol to take down websites being not accessible to others, rather than taking the whole server down like DDoS attack that can now be stopped using CloudFlare.

On the other hand what if Anonymous hackers sent this tool instead of LOIC to their followers, that can be interesting too.

Update : Sam Bowne has tested other methods of attack with the Slow Read DoS tool and posted his results at his blog. Here are the results summed up.

  • Slow Read Attack: Doesn’t stop the server; Cloudflare doesn’t provide protection.
  • Range Header Attack: Completely stops the server; Cloudflare provides effective protection.
  • Slow Post Attack: Completely stops the server; Cloudflare provides effective protection.
  • Slow Loris Attack: Completely stops the server; Cloudflare provides effective protection.

And thanks for all the interesting Twitter replies I got for this, couldn’t read them till today morning because TweetDeck went down.

Advertisements

2 thoughts on “The Slow Read DoS Attack That Penetrates CloudFlare.

    • Thanks, yes Sam Bowne is very much interested in DDoS/DoS attacks and prevention. He test them all.

      When it comes to me I’m only interested in DoS attacks, slow http is a nice tool

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s