Comments on: Slowloris and Nkiller2 vs. the Cisco CSS load balancer

By: nixmicrosoft » Blog Archive » Slowloris HTTP DoS

nixmicrosoft » Blog Archive » Slowloris HTTP DoS — Mon, 05 Apr 2010 03:01:05 +0000

[...] Cisco CSS (verified by user community) [...]

By: My Personal Diary » Blog Archive » Slowloris HTTP DoS Attcak

My Personal Diary » Blog Archive » Slowloris HTTP DoS Attcak — Thu, 26 Nov 2009 15:58:59 +0000

[...] Cisco CSS (verified by user community) [...]

By: Barrapunto | slowloris: Ataque de denegación de servicio para Apache 1.x « El camello, el Leon y el niño. O la evolución del perro al lobo

Fri, 28 Aug 2009 14:29:13 +0000

[...] Cisco CSS (verified by user community) [...]

By: Financeportal.eu » Blog Archive » Pozor na závažnú zraniteľnosť Apache-u!

Tue, 25 Aug 2009 09:42:21 +0000

[...] Cisco CSS (potvrdené komunitou) [...]

By: Reeza

Reeza — Thu, 02 Jul 2009 07:54:40 +0000

Hey all, would I be right in concluding that this would be effective whether slowloris or similar attack tool were used by one attack source or many (i.e. Distributed DoS using a botnet)?

By: Ryan

Ryan — Mon, 29 Jun 2009 16:23:39 +0000

@Motoma I used the -httpready switch with slowloris against a CSS configuration with Delayed Binding, and the HTTP Request still does not make it back to the Apache HTTP Server, I looked at the HTTP Request Header and the HTTP Method is the only thing that changed with the -httpready switch.

By: Slowloris HTTP DoS - .:: tt ::.

Slowloris HTTP DoS - .:: tt ::. — Sun, 28 Jun 2009 03:52:55 +0000

[...] Cisco CSS (verified by user community) [...]

By: Motoma

Motoma — Sat, 27 Jun 2009 12:28:08 +0000

Interesting findings.

RSnake mentioned in his article that HTTPReady was originally considered to be a tool for mitigating the SlowLoris attack because it holds connections until full requests come through. The way SlowLoris gets around this is by issuing POST requests instead of GET. To do this, you only need to enable the -httpready flag in SlowLoris.

It would be interesting to see how the Load Balancer handles POST requests. POSTs are different, because they can contain large amounts of data; were the Load Balancer to buffer these, one could overwhelm the it by sending a large number of big POSTs.

By: Ryan

Ryan — Fri, 26 Jun 2009 17:10:51 +0000

@Ennioac
Cisco CSS must have a front side delayed binding configuration applied the the HTTP content rule, this can be accomplished by putting a url in the content rule, for example:
content site_80_load_balanced
vip address 10.88.55.2
protocol tcp
port 80
url “/*”
add service server1
add service server2
active

If you have a SSL passing through your CSS to an Apache based server (and there are more than you think, for example IBM has a few!) you can configure back-end ssl on the CSS, refer to http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_example09186a0080220dab.shtml

By: Pozor na závažnú zraniteľnosť Apache-u!

Pozor na závažnú zraniteľnosť Apache-u! — Thu, 25 Jun 2009 00:35:58 +0000

[...] Cisco CSS (potvrdené komunitou) [...]

By: Ennioac

Ennioac — Wed, 24 Jun 2009 15:56:23 +0000

Hi Frank and Gert, I understand that the Cisco CSS is immune (wonderful work I might add!) but did the CSS need to be tweeked at all or was is a basic config?

Again, awesome work! Thanks and take care.
Ennio

By: mnomic

mnomic — Tue, 23 Jun 2009 11:55:03 +0000

Hi Frank,

FYI:
http://isc.sans.org/diary.html?storyid=6622

Regards.

By: Trey Guinn

Trey Guinn — Tue, 23 Jun 2009 08:15:37 +0000

Nicely done, guys!

By: Dennis

Dennis — Mon, 22 Jun 2009 21:19:58 +0000

Good stuff Frank + Gert.

Good to hear that the Cisco CSS mitigates this DDOS risk introduced by these tools. I’ll update the corresponding ITSEC ticket for our customer resp inform them about your findings.

Again, excellent work gents!