At the 2010 OWASP Application Security Conference in Washington, researchers demonstrated a new form of distributed denial of service that floods the web server with slow HTTP traffic.
Currently there are two free utilities that can perform this attack: “R U Dead Yet?” and the OWASP HTTP POST Tool, which offers unattended execution by taking the necessary parameters from a configuration file.
Ryan C. Barnett, a recognized security thought leader and Senior Software Security Researcher at Trustwave SpiderLabs, tested the program and developed some strategies to protect against this attack using certain configurations of ModSecurity and Apache.
Barnett uses the analogy of airport security checks to explain what happens during the HTTP POST attack: most of the passengers are “slow” (kids, women with strollers, and passengers in wheelchairs). He then explains that “just when you think the group is going to make it through, the metal detector sounds and the whole group has to go back through the process again.
This is essentially what is happening with these slow HTTP requests. They are sending data very slowly, and just when the Web server’s timeout thresholds are about to be exceeded, they send a little more data.”
The attack is unusual in that it does not require any number of infected machines or a zombie network: the HTTP POST attack works by sending the server a request header that states how much body data is going to follow. Then, instead of delivering that data as fast as possible, the client sends it very slowly. The net effect is that the server keeps resources allocated while waiting for the rest of the body and eventually runs out of connections.
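As an added illustration (not code from this post, from Barnett, or from the ModSecurity or Apache projects), the following Python model shows why a per-read idle timeout is defeated by this traffic pattern while a minimum body-rate check is not; the class, the thresholds and the two traffic traces are constructed for this example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class PostBodyMonitor:
    """Server-side view of one HTTP POST body (hypothetical helper)."""
    content_length: int
    idle_timeout: float = 30.0   # seconds without data before a plain idle timer fires
    min_rate: float = 500.0      # required average body rate, bytes/second
    grace: float = 5.0           # seconds after the first byte before min_rate applies
    received: int = 0
    start: Optional[float] = None
    last: Optional[float] = None

    def feed(self, now: float, nbytes: int) -> str:
        """Record nbytes of body arriving at time `now` (seconds) and return
        'ok', 'complete', 'drop:idle' or 'drop:rate'."""
        if self.start is None:
            self.start = self.last = now
        # Classic idle timer, checked when the next chunk arrives: it resets on
        # every read, so a client that sends a few bytes just before it expires
        # is never caught.
        if now - self.last > self.idle_timeout:
            return "drop:idle"
        self.last = now
        self.received += nbytes
        if self.received >= self.content_length:
            return "complete"
        # Minimum-rate check, averaged over the whole transfer so far, so
        # trickling one byte per interval does not help the client.
        elapsed = now - self.start
        if elapsed > self.grace and self.received / elapsed < self.min_rate:
            return "drop:rate"
        return "ok"

def run(chunks, content_length, **kw):
    """Feed (time, bytes) pairs until the monitor returns a final verdict."""
    mon = PostBodyMonitor(content_length, **kw)
    for t, n in chunks:
        verdict = mon.feed(t, n)
        if verdict != "ok":
            return verdict, t
    return "ok", chunks[-1][0]

# Constructed traffic: a slow-POST client declaring a 1 MB body and sending
# one byte every 29 s, one second inside the 30 s idle timeout.
SLOW = [(29.0 * i, 1) for i in range(20)]
# Constructed traffic: an ordinary upload of 10 kB in 1 kB chunks every 0.5 s.
NORMAL = [(0.5 * i, 1000) for i in range(10)]

if __name__ == "__main__":
    print(run(SLOW, 1_000_000))              # ('drop:rate', 29.0)
    print(run(SLOW, 1_000_000, min_rate=0))  # ('ok', 551.0): idle timer never fires
    print(run(NORMAL, 10_000))               # ('complete', 4.5)
```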
You can find the OWASP AppSec DC 2010 presentation slides by Tom Brennan and Wong Onn Chee here.