What is slow HTTP post DOS attack?

Slow HTTP post attack

Slow HTTP post attack is a type of denial of service attack. An attacker sends a legitimate HTTP POST request with the header Content-Length specified. The attacker then proceeds to send this content slowly. The server establishes a connection to the client and keeps it open to receive the request that it thinks is legitimate.

The attacker sends the number of such requests and effectively occupies the server’s entire connection pool. It blocks the service for other legitimate users and results in a denial of service.

Slow post attacks do not require a lot of resources for the attacker, and hence they are easy to launch and hard to mitigate.

Normal request cycle vs. slow HTTP post cycle

In a normal request-response cycle, the client sends the request to the server, and the server responds. In a slow post-attack, the client sends the post request body very slowly to hog the network connection for a long period of time. Multiple such connections and the server will have no bandwidth to accept new connections.

Identify slow HTTP Post attacks

In the slow post attacks, the sender sends the data extremely slowly but not slow enough for the server to timeout. In these attacks, the server would have a lot of connected clients. However, the actual processing load on the server would not be that high.

Prevent slow HTTP Post attacks

It is hard to differentiate these attacks from genuine slow connections, so they are difficult to prevent completely. However, certain steps can be taken to avoid these attacks:

  1. Set an absolute connection timeout based on the median of request lengths. This should handle most cases of legitimate requests.
  2. Establish a minimum incoming data rate and drop any connections that have a rate slower than that.
  3. Reject or drop connections to HTTP methods that are not supported by the server.
  4. Have a reasonably large queue of connections to withstand a small HTTP Slow Post Attack.

Free Resources