Detecting Slow DoS Attack using SIEM
Greetings of the day,
Need your expert inputs on detecting Slow DoS attacks!!
I have seen an increasing number of Slow DoS attacks recently since, unlike DoS or DDoS, carrying out Slow DoS attacks does not require abundant resources. It is very difficult to detect these attacks at the IDS/IPS or WAF level, so I am looking for a way to detect this in SIEM using web server logs.
I am focusing on the three major types of Slow DoS attack described in this blog. I will give a short summary:
Type 1 - Slow HTTP Headers - Header data is sent at a slow rate (less than the server timeout), so the server has to wait to fulfill the request.
Detection? A few slow requests will obviously not bring down the server, so the attacker has to maintain the slow headers for some time. Wondering whether we can detect this on the firewall: multiple requests with small packet size at a fixed time difference.
Type 2 - Slow HTTP POST - The header has an abnormally long Content-Length, suggesting the body content is huge. The web server waits for the huge body content, causing DoS.
Detection? - Unless the headers are logged by web servers even before the request (header + body) is completed, I cannot think of a way to detect this.
Type 3 - from the second blog - Missing CRLF at the end of the header. Here 2 CRLFs denote a blank line, which marks the end of the header and the start of the request body. Instead of 2 CRLFs, 1 is sent, causing the server to wait for the complete header.
Detection? - Again, this can only be detected if the web server logs incomplete headers. Any other ideas?
Let me know your thoughts.
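One way to approach the SIEM side of this, as an added example that is not part of the original post: all three variants leave the same footprint once the web server enforces a request timeout, namely a burst of aborted (408) or very long-running requests from one client. The script below is my own and assumes an Apache LogFormat with %D (service time in microseconds) appended to the combined format, and that timed-out requests are logged with status 408 (mod_reqtimeout does this); the log lines are constructed for the example, and the window, hit and duration thresholds are tuning knobs, not recommended values.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines: Apache "combined" format with %D appended (service
# time in microseconds). Assumed: the server logs that field and answers 408
# when mod_reqtimeout aborts a request whose headers or body arrive too slowly.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 408 0 "-" "-" 30001234
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET / HTTP/1.1" 408 0 "-" "-" 30000871
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "GET / HTTP/1.1" 408 0 "-" "-" 30001002
203.0.113.7 - - [10/Oct/2023:13:55:45 +0000] "GET / HTTP/1.1" 408 0 "-" "-" 30000933
203.0.113.7 - - [10/Oct/2023:13:55:50 +0000] "POST /upload HTTP/1.1" 408 0 "-" "-" 30001410
198.51.100.4 - - [10/Oct/2023:13:55:40 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 1832
198.51.100.4 - - [10/Oct/2023:13:57:10 +0000] "GET /about HTTP/1.1" 408 0 "-" "Mozilla/5.0" 30000500
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" (?P<us>\d+)$')

def parse_line(line):
    """Return ip, timestamp, status and service seconds for one line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "status": int(m["status"]),
            "secs": int(m["us"]) / 1_000_000}

def find_slow_clients(lines, window_s=60, min_hits=5, slow_secs=20.0):
    """Map client IP -> peak number of suspicious requests (408 timeouts or
    service time >= slow_secs) inside any window_s span, keeping only clients
    that reach min_hits, so one stray timeout is not reported."""
    per_ip = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        if rec["status"] == 408 or rec["secs"] >= slow_secs:
            per_ip[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end, t in enumerate(stamps):  # sliding window over sorted times
            while (t - stamps[start]).total_seconds() > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= min_hits:
            flagged[ip] = peak
    return flagged
```

Run against the sample, only 203.0.113.7 is reported (five timeouts inside 14 seconds); the single 408 from 198.51.100.4 stays below the threshold. The same per-client windowing translates directly into a SIEM correlation rule once the timeout status and service time are in the parsed fields.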