What is a Slow Post DDoS Attack?
In a Slow Post DDoS attack, the attacker sends legitimate HTTP POST headers to a Web server. In these headers, the sizes of the message body that will follow are correctly specified. However, the message body is sent at a painfully low speed. These speeds may be as slow as one byte every two minutes.
Since the message is handled normally, the targeted server will do its best to follow specified rules. As in a Slowloris attack, the server will subsequently slow to a crawl. Making matters worse, when attackers launch hundreds or even thousands Slow POST attacks at the same time, server resources are rapidly consumed, making legitimate connections unachievable.
What Are the Signs of a Slow Post DDoS Attack?
Slow Post attacks are characterized by the transmission of HTTP post header requests that target thread-based web servers, sending data extremely slowly, but not slowly enough for the server to time out. Because the server keeps the connection open in anticipation of additional data, genuine users are prevented from accessing the server. The servers would appear to have a large number of connected clients but the actual processing load would be very low. Protect your servers with NETSCOUT's Arbor DDoS mitigation platform.
Prevent Slow Post DDoS Attacks with NETSCOUT
Why Are Slow Post DDoS Attacks Dangerous?
Because Slow Post DDoS attacks don’t require extensive bandwidth, such as is needed with brute-force DDoS attacks, they can be difficult to differentiate from normal traffic. Since these types of application layer DDoS attacks don’t require a great deal of resources, they can be instigated from a single computer, making them very easy launch and hard to mitigate.
How to Mitigate and Prevent a Slow Post DDoS Attack
Since traditional rate detection techniques won’t stop a Slow Post DDoS attack, one method is to upgrade server availability. The thinking is that the more connections that are available on the server, the less likely an attack will overwhelm that server. Unfortunately, in many cases, the attacker will simply scale up the attack to attempt to overload the increased server capacity.
Another approach is reverse-proxy-based protection, which will intercept Slow Post DDoS attacks prior to reaching the server.
While no measures will completely eliminate the threat of Slow Post DDoS attacks, the following are additional DDoS mitigation steps that can be taken:
- Set tighter URL-specific limits for every resource that accepts a message header and body.
- Set an absolute connection timeout based on the median of connections from legitimate clients.
- For HTTP servers that support a backlog, ensure the backlog is large enough to withstand a small DDoS attack.
- Establish a minimum incoming data rate, then drop any connections that are slower than that rate.
- Consider adding further DDoS protection measures such as event-driven software load balancers, hardware load balancers to perform delayed binding, and intrusion detection/prevention systems to drop connections that match suspect behavior patterns gleaned from log files.
Protect from Slow Post DDoS Attacks
How can NETSCOUT help?
NETSCOUT's Arbor DDoS solution has been protecting the world's largest and most demanding networks from DDoS attacks for more than a decade. We strongly believe that the best way to protect your resources from modern DDoS attacks is through a multi-layer deployment of purpose-built DDoS mitigation solutions.
Only with a tightly integrated, multi-layer defense can you adequately protect your organization from the full spectrum of DDoS attacks.
Arbor SP/Threat Mitigation System
NETSCOUT customers enjoy a considerable competitive advantage by getting both a micro view of their own network, via our products, combined with a macro view of global Internet traffic, via NETSCOUT Cyber Threat Horizon, an interface to our ATLAS threat intelligence and a DDoS Attack Map visualization.