Low and slow DDoS attacks aim to bring down a web service by overwhelming it with extremely slow HTTP or TCP traffic. The goal of this type of attack is to exhaust the resources of an application or server. Because the attack is delivered in small and very slow increments, it actually requires very few connections, which makes it harder to distinguish from normal traffic. Even though large-scale DDoS attacks may be detected quickly, a low-and-slow attack that goes unnoticed for a long period of time can take the victim server offline.
Tools called Slowloris or RUDY are generally used for this type of attack. In this technique, each server thread is tied up by a slow request, and the attacker's aim is to keep that request from timing out. Imagine you are stuck in a single cash-only lane on an eight-lane motorway exit. The slower things go at the cash booth, the more drivers get stuck at the toll gate, and traffic keeps piling up. It is an incredibly effective attack and a challenging one to defend against.
The attacker generally sends partial HTTP headers; the server keeps the request open while it waits for the rest, and the remaining header fragments are sent just often enough to prevent the request from timing out. Traditional DDoS detection relies on rate-based thresholds and similar countermeasures, and this attack technique will not trigger them.
The best way to detect this type of attack is through behavioural analysis. Server resource usage should be continuously monitored and logged, and alerts should be generated for slow connections. Normal traffic and user behaviour during regular periods can then be compared with behaviour at the time of the attack.
If your servers are running extremely slowly or crashing, you may be affected by a low and slow DDoS attack. Monitoring the response times of form fields or other activities on your web page can also help with detection.
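Behavioural detection of the kind described above, as an added example that is not part of the original article: it scans constructed per-connection records (client, connection age in seconds, bytes received, whether the request ever completed) and flags clients holding several long-lived, near-idle, unfinished connections. The record layout and the thresholds are assumptions; a real deployment would derive them from the baseline of normal traffic.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample of per-connection records, as a reverse proxy or web server
# might expose them: client, age of the connection (s), bytes received, request state.
SAMPLE_CONNECTIONS = """\
203.0.113.10 2.1 842 complete
203.0.113.10 1.7 615 complete
198.51.100.7 310.4 64 incomplete
198.51.100.7 298.9 58 incomplete
198.51.100.7 305.2 61 incomplete
198.51.100.7 290.0 70 incomplete
198.51.100.7 301.3 59 incomplete
192.0.2.44 45.0 120 incomplete
192.0.2.44 3.3 900 complete
"""

@dataclass
class Conn:
    client: str
    age_s: float
    bytes_in: int
    complete: bool

def parse(log: str) -> list[Conn]:
    """Parse the constructed record format into Conn objects."""
    conns = []
    for line in log.splitlines():
        if not line.strip():
            continue
        client, age, nbytes, state = line.split()
        conns.append(Conn(client, float(age), int(nbytes), state == "complete"))
    return conns

def slow_connections(conns, min_age_s=60.0, max_bps=2.0):
    """Connections that stay open for a long time, deliver almost no data and never
    finish their request: the pattern of a Slowloris/RUDY-style hold (thresholds assumed)."""
    return [c for c in conns
            if not c.complete and c.age_s >= min_age_s and c.bytes_in / c.age_s <= max_bps]

def suspicious_clients(conns, min_slow=3, **thresholds):
    """Group slow connections by client; return clients holding at least min_slow of them."""
    per_client = defaultdict(int)
    for c in slow_connections(conns, **thresholds):
        per_client[c.client] += 1
    return {client: n for client, n in per_client.items() if n >= min_slow}

if __name__ == "__main__":
    print(suspicious_clients(parse(SAMPLE_CONNECTIONS)))  # {'198.51.100.7': 5}
```

Feeding this the proxy's live connection table on a schedule and alerting on any non-empty result gives the slow-connection alerting the article recommends.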
To stop this type of attack, a reverse proxy can generally be used. At the same time, the more simultaneous connections your server can handle, the more resilient it will be against these attacks. Detection is of course crucial; otherwise the attacker will keep pushing server capacity to its limits.