
Detecting Slow DoS Attack using SIEM

Greetings of the day,

Need your expert inputs on detecting Slow DoS attacks!!

I have seen an increasing number of Slow DoS attacks recently since, unlike DoS or DDoS, carrying out a Slow DoS attack does not require abundant resources. It is very difficult to detect these attacks at the IDS/IPS or WAF level, so I am looking for a way to detect this in the SIEM using web server logs.

Referencing these blogs: https://blogs.akamai.com/2013/09/slow-dos-on-the-rise.html and http://www.slashroot.in/slowloris-http-dosdenial-serviceattack-and-prevention

Focusing on the three major types of Slow DoS attacks described in these blogs. I will give a short summary.

Type 1 - Slow HTTP Headers - Header data is sent at a slow rate (less than the server timeout), so the server has to wait to fulfill the request.

Detection? A few slow requests will obviously not bring down the server, so the attacker has to maintain the slow headers for some time. Wondering whether we can detect this on the firewall - multiple requests with small packet size at a fixed time interval.

Type 2 - Slow HTTP POST - The header has an abnormally large Content-Length, suggesting the body content is huge. The web server waits for the huge body content, causing DoS.

Detection? - Unless the headers are logged by the web server even before the request (header + body) is completed, I cannot think of a way to detect this.

Type 3 - from the second blog - Missing CRLF at the end of the header. Here 2 CRLFs denote a blank line, which signals the end of the header and the start of the request body. Instead of 2 CRLFs, 1 is sent, causing the server to wait for the complete header.

Detection? - Again, this can only be detected if the web server logs incomplete headers. Any other ideas?

Let me know your thoughts.

Regards,

SUJAY MENDON
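One way to turn the three patterns above into a SIEM-style rule over web server logs, as an added example that is not part of the original post or its references. It assumes an Apache access log with the (non-default) LogFormat `"%h %t \"%r\" %>s %b %D \"%{Content-Length}i\""`, i.e. request duration in microseconds (`%D`) and the request's declared Content-Length appended to each entry, and it assumes the server writes a 408 (or 400) entry with an empty request line (`"-"`) when its Timeout or mod_reqtimeout expires before the headers are complete, which is how Apache behaves but should be verified on your own build. The log lines, the 20-second timeout, the 60-second window and the five-hit threshold are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed (not from the post) Apache LogFormat:
#   LogFormat "%h %t \"%r\" %>s %b %D \"%{Content-Length}i\"" slowdos
# %D = microseconds spent serving the request, %{Content-Length}i = request header.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
    r'(?P<bytes>\S+) (?P<usec>\d+) "(?P<clen>[^"]*)"$'
)

TIMEOUT_USEC = 20_000_000          # assumed server Timeout of 20 s
WINDOW = timedelta(seconds=60)     # assumed correlation window
MIN_HITS = 5                       # assumed per-IP alert threshold

# Constructed sample log (not real traffic). A 408 with request "-" is what the
# server is assumed to write when a connection times out before headers complete.
SAMPLE_LOG = """\
10.0.0.5 [21/Sep/2019:10:00:00 +0000] "GET / HTTP/1.1" 200 5120 18342 "-"
10.0.0.5 [21/Sep/2019:10:00:01 +0000] "POST /login HTTP/1.1" 302 - 40211 "87"
198.51.100.7 [21/Sep/2019:10:00:03 +0000] "-" 408 - 20001233 "-"
198.51.100.7 [21/Sep/2019:10:00:04 +0000] "-" 408 - 20000871 "-"
198.51.100.7 [21/Sep/2019:10:00:05 +0000] "-" 408 - 20002190 "-"
198.51.100.7 [21/Sep/2019:10:00:07 +0000] "-" 408 - 20000012 "-"
198.51.100.7 [21/Sep/2019:10:00:09 +0000] "-" 408 - 20001904 "-"
198.51.100.7 [21/Sep/2019:10:00:12 +0000] "-" 408 - 20000450 "-"
203.0.113.9 [21/Sep/2019:10:00:20 +0000] "POST /upload HTTP/1.1" 408 - 20000333 "1000000000"
203.0.113.9 [21/Sep/2019:10:00:25 +0000] "POST /upload HTTP/1.1" 408 - 20000671 "1000000000"
203.0.113.9 [21/Sep/2019:10:00:31 +0000] "POST /upload HTTP/1.1" 408 - 20000118 "1000000000"
203.0.113.9 [21/Sep/2019:10:00:38 +0000] "POST /upload HTTP/1.1" 408 - 20000902 "1000000000"
203.0.113.9 [21/Sep/2019:10:00:44 +0000] "POST /upload HTTP/1.1" 408 - 20000555 "1000000000"
192.0.2.1 [21/Sep/2019:10:01:00 +0000] "-" 408 - 20000000 "-"
"""


def parse(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["status"] = int(e["status"])
    e["usec"] = int(e["usec"])
    e["clen"] = int(e["clen"]) if e["clen"].isdigit() else 0
    return e


def classify(e):
    """Map one entry to a slow-DoS pattern name, or None for normal traffic."""
    # Types 1 and 3 (slow headers / missing final CRLF): the request line never
    # completed, so the server logged a timeout with an empty request.
    if e["status"] in (400, 408) and e["req"] == "-":
        return "slow_headers"
    # Type 2 (slow POST): complete headers with a declared body size, but the
    # body never arrived and the request timed out.
    if e["req"].startswith("POST ") and e["status"] == 408 and e["clen"] > 0:
        return "slow_post"
    # Anything else that sat on a worker for nearly the whole timeout and failed.
    if e["usec"] >= 0.9 * TIMEOUT_USEC and e["status"] in (400, 408):
        return "slow_other"
    return None


def detect(lines, window=WINDOW, min_hits=MIN_HITS):
    """Count suspect entries per (client IP, pattern) in a sliding window.

    Returns {ip: {pattern: max_hits_seen_in_any_window}} for IPs over threshold.
    """
    stamps_by_key = defaultdict(list)
    for line in lines:
        e = parse(line)
        if e is None:
            continue
        pattern = classify(e)
        if pattern:
            stamps_by_key[(e["ip"], pattern)].append(e["ts"])

    alerts = {}
    for (ip, pattern), stamps in stamps_by_key.items():
        stamps.sort()
        best, start = 0, 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_hits:
            alerts.setdefault(ip, {})[pattern] = best
    return alerts


if __name__ == "__main__":
    for ip, patterns in detect(SAMPLE_LOG.splitlines()).items():
        print(ip, patterns)
```

The caveat a practitioner should keep in mind is that the access-log entry is only written when the server gives up on the connection, so this rule lags the attack by at least one server timeout and only fires once the attacker has already been holding workers for that long; it is useful for confirming and attributing an attack in the SIEM, but the earlier signal is connection-level (open connections in a reading state per client, e.g. from mod_status or the load balancer), and mod_reqtimeout or equivalent header/body read timeouts are what actually shorten the window the attacker gets.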
