What is a Low and Slow DDoS Attack?
A Low and Slow DDoS attack, also known as a slow-rate attack, involves what appears to be legitimate traffic at a very slow rate. This type of state exhaustion DDoS attack targets application and server resources and is difficult to distinguish from normal traffic.
Common attack tools include Slowloris, Sockstress, and R.U.D.Y. (R U Dead Yet?), which create legitimate packets at a slow rate, thus allowing the packets to go undetected by traditional mitigation strategies.
Low and slow attacks are often HTTP focused, but they can also involve long-lived TCP sessions with slow transfer rates that target any TCP-based service.
What Are the Signs of a Low and Slow DDoS Attack?
Detecting a Low and Slow DDoS attack, such as a R.U.D.Y. attack, can be accomplished by performing network behavioral analysis during normal operations and then comparing that baseline with periods when an attack might be occurring. For instance, if a user needs considerably more time to complete a transaction that normally takes only 10 seconds, an attack is likely taking place and additional security steps should be taken.
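The baseline-versus-current comparison described above, as an added example that is not part of the original NETSCOUT page: the script parses constructed transaction records (timestamp, client IP, method, path, completion time, outcome), takes the median completion time of a normal period as the baseline, and flags the current period when a large share of transactions exceeds a multiple of that baseline or never completes. The log format, the 10x factor, the 20% share threshold and all IP addresses are assumptions chosen for the illustration.

```python
"""Compare transaction completion times against a normal-period baseline to
spot slow-rate (Low and Slow) behaviour. Added example, not page code."""
import re
import statistics
from collections import Counter

# Constructed record format (an assumption): ts ip method path secs status
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) "
    r"(?P<secs>[\d.]+)s (?P<status>\S+)$"
)

# Constructed baseline: a checkout normally completes in about 10 seconds.
BASELINE_LOG = """\
2024-01-01T10:00:01Z 198.51.100.10 POST /checkout 9.5s 200
2024-01-01T10:00:05Z 198.51.100.11 POST /checkout 10.2s 200
2024-01-01T10:00:09Z 198.51.100.12 POST /checkout 8.9s 200
2024-01-01T10:00:14Z 198.51.100.13 POST /checkout 11.0s 200
2024-01-01T10:00:20Z 198.51.100.14 POST /checkout 10.4s 200
2024-01-01T10:00:25Z 198.51.100.15 POST /checkout 9.8s 200
2024-01-01T10:00:31Z 198.51.100.16 POST /checkout 12.1s 200
2024-01-01T10:00:37Z 198.51.100.17 POST /checkout 10.0s 200
"""

# Constructed current period: normal users mixed with a few sources whose
# transactions drag on for minutes and finally time out server-side.
CURRENT_LOG = """\
2024-01-02T14:00:01Z 198.51.100.20 POST /checkout 9.9s 200
2024-01-02T14:00:04Z 198.51.100.21 POST /checkout 10.3s 200
2024-01-02T14:00:08Z 203.0.113.7 POST /checkout 310.0s timeout
2024-01-02T14:00:09Z 203.0.113.9 POST /checkout 288.0s timeout
2024-01-02T14:00:12Z 198.51.100.22 POST /checkout 10.8s 200
2024-01-02T14:00:15Z 203.0.113.7 POST /checkout 298.4s timeout
2024-01-02T14:00:18Z 203.0.113.12 POST /checkout 295.0s timeout
2024-01-02T14:00:21Z 198.51.100.23 POST /checkout 9.7s 200
2024-01-02T14:00:25Z 203.0.113.9 POST /checkout 301.1s timeout
2024-01-02T14:00:30Z 203.0.113.7 POST /checkout 305.2s timeout
"""


def parse_log(text):
    """Turn log lines into records; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            records.append({"ip": m["ip"], "secs": float(m["secs"]),
                            "status": m["status"]})
    return records


def baseline_median(records):
    """Median completion time of the normal period (robust to a few outliers)."""
    return statistics.median([r["secs"] for r in records])


def detect_slow_rate(baseline, current, factor=10.0, min_share=0.2):
    """Flag the current period when at least `min_share` of its transactions
    took more than `factor` times the baseline median or never completed,
    and report which sources account for those slow transactions."""
    threshold = baseline_median(baseline) * factor
    slow = [r for r in current
            if r["secs"] > threshold or r["status"] == "timeout"]
    share = len(slow) / len(current) if current else 0.0
    per_ip = Counter(r["ip"] for r in slow)
    return {
        "threshold_secs": threshold,
        "slow_share": share,
        "suspect": share >= min_share,
        "top_sources": per_ip.most_common(3),
    }


if __name__ == "__main__":
    verdict = detect_slow_rate(parse_log(BASELINE_LOG), parse_log(CURRENT_LOG))
    print(verdict)
```

The per-source breakdown matters because a single slow user on a poor link is normal, while a handful of addresses each holding several multi-minute transactions is the pattern worth escalating; in practice the baseline should be recomputed per endpoint and per time of day, since a report download legitimately takes longer than a login.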
Why Are Low and Slow Attacks Dangerous?
Traffic from Low and Slow DDoS attacks is especially hard to detect because, to network-focused security devices, it looks like legitimate Application Layer traffic. And since these types of DDoS attacks don't require extensive resources to execute, they can be launched from a single computer, making it possible for virtually anyone to launch such an attack.
The increased proliferation of vulnerable IoT devices makes it easy for attackers to build huge botnets that can participate in such a DDoS attack, leaving the destination system unable to service legitimate requests.
How to Mitigate and Prevent a Low and Slow DDoS Attack
Detecting Low and Slow DDoS attacks necessitates real-time monitoring of the resources under attack, such as CPU, memory, connection tables, application states, application threads, etc. One method for mitigating low and slow DDoS attacks is to upgrade and improve server availability. By having more connections available, it is less likely a server will be overwhelmed by an attack. However, the attacker may simply scale their attack to overcome the available resources.
Another option is to deploy a purpose-built Intelligent DDoS Mitigation System (IDMS) in data centers that run the key applications you are trying to protect. These IDMS can be further tuned to protect the applications/services running behind them.
Additional mitigation approaches might include reverse-proxy based DDoS protection, which is designed to prevent DDoS attacks before they can reach the target server.
Constant monitoring of the status of resource allocation and trends of protected servers can help to pinpoint attempts to overwhelm those resources. Or, you could simply proactively protect them with IDS.
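The mitigation steps above (real-time monitoring of connection state, plus protection in front of the server) are only as good as the per-connection policy they enforce. As an added example that is not part of the original NETSCOUT page and not the product code it describes, the following shows the core of such a policy on the server side: a request header must be completed within a deadline, must arrive at a minimum byte rate after a short grace period, and must not exceed a size cap. Connections are modelled as lists of (seconds since accept, bytes received) events so the logic runs offline; the default limits (20 s deadline, 500 B/s, 8 KiB, 2 s grace) are assumptions chosen for the illustration.

```python
"""Per-connection slow-rate guard for HTTP request headers.
Added example, not page code. Each connection is a list of
(t_offset_secs, chunk_bytes) events measured from accept time."""

HEADER_DEADLINE_SECS = 20.0   # the whole header must arrive within this window
MIN_RATE_BPS = 500            # minimum sustained rate once the first byte arrives
MAX_HEADER_BYTES = 8192       # cap on buffered header bytes per connection
GRACE_SECS = 2.0              # do not judge rate until this much time has passed
TERMINATOR = b"\r\n\r\n"      # end of an HTTP/1.x request header


def judge_connection(events, now, deadline=HEADER_DEADLINE_SECS,
                     min_rate=MIN_RATE_BPS, max_bytes=MAX_HEADER_BYTES,
                     grace=GRACE_SECS):
    """Return ("ok", header_len) when a full header arrived in time,
    ("drop", reason) when a limit was violated, or ("pending", bytes_so_far)
    when the connection is still within its budget at time `now`."""
    buf = b""
    first = None            # time the first byte arrived
    for t, chunk in events:
        if t > deadline:
            return ("drop", "deadline")
        if first is None:
            first = t
        buf += chunk
        if len(buf) > max_bytes:
            return ("drop", "too_large")
        if TERMINATOR in buf:
            return ("ok", buf.index(TERMINATOR) + len(TERMINATOR))
        elapsed = t - first
        if elapsed > grace and len(buf) / elapsed < min_rate:
            return ("drop", "min_rate")
    # No complete header yet: re-check the budget against the current time,
    # which is what catches a socket that is simply held open and idle.
    if now > deadline:
        return ("drop", "deadline")
    if first is not None:
        elapsed = now - first
        if elapsed > grace and len(buf) / elapsed < min_rate:
            return ("drop", "min_rate")
    return ("pending", len(buf))


# Constructed connection traces (assumptions, not captured traffic).
NORMAL_CLIENT = [(0.05, b"GET / HTTP/1.1\r\nHost: shop.example\r\n\r\n")]
TRICKLING_CLIENT = [                      # one header line every few seconds
    (0.1, b"POST /checkout HTTP/1.1\r\n"),
    (4.0, b"Host: shop.example\r\n"),
    (8.0, b"X-Padding: 1\r\n"),
]
IDLE_CLIENT = []                          # socket opened, nothing ever sent
STILL_TYPING = [(0.1, b"GET /a HTTP/1.1\r\n")]


def summarize(connections, now):
    """Apply the guard to a dict of connection_id -> events at time `now`."""
    return {cid: judge_connection(ev, now) for cid, ev in connections.items()}


if __name__ == "__main__":
    sample = {"normal": NORMAL_CLIENT, "trickle": TRICKLING_CLIENT,
              "idle": IDLE_CLIENT, "typing": STILL_TYPING}
    for cid, verdict in summarize(sample, now=25.0).items():
        print(f"{cid:8s} -> {verdict}")
```

The grace period is the important tuning knob: without it a client on a high-latency mobile link would be judged on its first few bytes and dropped, so the rate check only starts once enough time has passed for the measurement to mean something. Web servers expose the same controls natively (for example nginx's client_header_timeout and client_body_timeout, or Apache's mod_reqtimeout RequestReadTimeout directive, which combines a header deadline with a minimum rate), and a reverse proxy or IDMS placed in front of the origin applies them before a slow connection ever consumes an application thread.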
How can NETSCOUT help?
NETSCOUT's Arbor DDoS solution has been protecting the world's largest and most demanding networks from DDoS attacks for more than a decade. We strongly believe that the best way to protect your resources from modern DDoS attacks is through a multi-layer deployment of purpose-built DDoS mitigation solutions.
Only with a tightly integrated, multi-layer defense can you adequately protect your organization from the full spectrum of DDoS attacks.
Arbor SP/Threat Mitigation System
NETSCOUT customers enjoy a considerable competitive advantage by getting both a micro view of their own network, via our products, and a macro view of global Internet traffic, via NETSCOUT Cyber Threat Horizon, an interface to our ATLAS threat intelligence and a DDoS Attack Map visualization.