# Slow DoS attack

> Mediated Wiki article. Canonical URL: https://mediated.wiki/source/Slow_DoS_attack
> Markdown URL: https://mediated.wiki/source/Slow_DoS_attack.md
> Source: https://en.wikipedia.org/wiki/Slow_DoS_attack
> Source revision: 1351623369
> License: Creative Commons Attribution-ShareAlike 4.0 International (https://creativecommons.org/licenses/by-sa/4.0/)

{{Short description|Category of denial-of-service attack}}
The term '''slow DoS attack''' ('''SDA''') was introduced in 2013,<ref name="categorization">{{cite journal|last1=Cambiaso|first1=Enrico|last2=Papaleo|first2=Gianluca|last3=Chiola|first3=Giovanni|last4=Aiello|first4=Maurizio|title=Slow DoS attacks: definition and categorisation|journal=International Journal of Trust Management in Computing and Communications|date=2013|volume=1|issue=3/4|pages=300–319|doi=10.1504/IJTMCC.2013.056440|hdl=11567/571723 |hdl-access=free}}</ref> to define a specific category of [denial-of-service attack](/source/denial-of-service_attack)s that use only a low bandwidth rate to accomplish their purpose. Similar terms can be found in the literature, such as:
* [application layer DoS](/source/Application_layer_DDoS_attack),<ref>{{cite journal|last1=Mantas|first1=Georgios|last2=Stakhanova|first2=Natalia|last3=Gonzales|first3=Hugo|last4=Hadian Jazi|first4=Hossein|last5=Ghorbani|first5=Ali A.|title=Application-layer denial of service attacks: taxonomy and survey|journal=International Journal of Information and Computer Security|date=2015|volume=7|issue=2–4|pages=216–239|doi=10.1504/IJICS.2015.073028|s2cid=3384390 |url=http://gala.gre.ac.uk/id/eprint/33522/1/33522_MANTAS_%20Application_layer_denial_of_service_attacks.pdf }}</ref> which focuses on attacks targeting the application layer only, whereas a slow DoS attack may also exploit lower layers of the [ISO/OSI](/source/OSI_model) stack
* low-rate DoS,<ref>{{cite journal|last1=Wu|first1=Zhijun|last2=Zhang|first2=Liyuan|last3=Yue|first3=Meng|title=Low-Rate DoS Attacks Detection Based on Network Multifractal|journal=IEEE Transactions on Dependable and Secure Computing|date=2015|volume=13|issue=5|pages=559–567|doi=10.1109/TDSC.2015.2443807|s2cid=14728946 }}</ref> which focuses on the characteristic of using a limited amount of attack bandwidth and therefore also includes, for instance, exploit-based threats

In particular, in order to reduce bandwidth, a slow DoS attack often acts at the application layer of the [ISO/OSI](/source/OSI_model) stack (e.g. in the case of ''timeout exploiting'' threats<ref name="slownext">Cambiaso, Enrico; Papaleo, Gianluca; Chiola, Giovanni; Aiello, Maurizio (2015). "Designing and modeling the slow next DoS attack". ''Computational Intelligence in Security for Information Systems Conference (CISIS 2015)''. 249-259. Springer.</ref>), although this is not a requirement.<ref>{{cite journal|last1=Cambiaso|first1=Enrico|last2=Chiola|first2=Giovanni|last3=Aiello|first3=Maurizio|title=Introducing the SlowDrop Attack|journal=Computer Networks|date=2019|volume=150|issue=|pages=234–249|doi=10.1016/j.comnet.2019.01.007|s2cid=60442737 |doi-access=free|hdl=11567/942438|hdl-access=free}}</ref> The application layer is, however, easier to exploit: a victim can be successfully attacked by sending it only a few bytes of malicious requests.

The purpose of a slow DoS attack is (often, but not always<ref name="slownext" />) to make a network service unavailable by seizing, at the application layer, all the connections the [daemon](/source/Daemon_(computing)) is able to manage concurrently. Under such conditions, any new incoming connection, even from a legitimate client, is not accepted by the daemon, leading to a denial of service. In addition, once a connection has been established and seized by the attacker, the adversary keeps it alive as long as possible, avoiding connection closures that could free up resources for legitimate clients.

==Exploited parameters==
According to Cambiaso et al.,<ref name="categorization"/> slow DoS attacks exploit one or more parameters characteristic of [TCP](/source/Transmission_Control_Protocol)-based connections. (Technically, any stateful protocol with a limit on the number of concurrent connections will work, but TCP is the most common.) These parameters are exploited to keep connections alive longer than expected while conserving attack bandwidth, thus seizing the [server](/source/Server_(computing)) resources for long periods while at the same time using few attack resources.

=== Timeout ===

Many protocols include a timeout system for deciding when to close a connection. This may be a feature central to a protocol's design (e.g. [SSH](/source/secure_shell) uses a single open connection to interact) or an added feature (e.g. an [HTTP persistent connection](/source/HTTP_persistent_connection) allows a connection to be reused, saving resources). However, because the server promises to keep a connection open for a given amount of time, a malicious client can simply open many connections, each requesting a long keep-alive timeout; the long timeout enables the attacker to keep connections open at a low resource cost.<ref name="slowite">Vaccari, I., Aiello, M., Cambiaso, E. (2020). SlowITe, a novel denial of service attack affecting MQTT. Sensors, 20(10), 2932. {{doi|10.3390/s20102932|doi-access=free}}.</ref>

In order to keep connections alive while at the same time reducing the attack bandwidth, data are sent over each connection to the target service only at specific times, by exploiting the so-called ''Wait Timeout'' parameter,<ref name="categorization" /> which schedules a periodic data-sending activity at the application layer: once the timeout expires, a specific [payload](/source/Payload_(computing)) (depending on the attack type and on the approach used by the malicious user) is sent to the targeted daemon. Whereas timeouts at lower layers of the ISO/OSI stack may be relatively short, at the application layer this timeout may take particularly long values, in the order of minutes.

== Mitigations ==
A server can count and limit the number of connections made by each client (usually identified by IP address).<ref name=cf> https://www.cloudflare.com/en-ca/learning/ddos/ddos-attack-tools/slowloris/ "Techniques such as limiting the maximum number of connections a single IP address is allowed to make, restricting slow transfer speeds, and limiting the maximum time a client is allowed to stay connected are all approaches for limiting the effectiveness of low and slow attacks."</ref>

A server can reduce the maximum timeout used.<ref name=cf/>

A server can modify its timeout algorithm to require a more substantial amount of data to be transferred in a given time frame before it considers the connection to be still alive. In other words, connections that are too slow are considered dead.<ref name=cf/>
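The following Python program is an added example, not code from the article or from any of the cited papers. It models, on the server side, the three mitigations listed above (a per-client connection cap, a bound on connection lifetime, and a minimum transfer rate measured over a sliding window) and replays them against a constructed timeline in which one client behaves normally and another holds several connections open by sending a few bytes just before a wait timeout would expire, as described in the Timeout section. The policy values, client addresses, connection identifiers and the `SlowConnectionGuard` class itself are all assumptions chosen for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Policy values are assumptions chosen for this example, not figures from the article.
MAX_CONN_PER_CLIENT = 5       # concurrent connections allowed per client address
MAX_CONN_LIFETIME = 60.0      # seconds a connection may stay open, however active it is
RATE_WINDOW = 10.0            # seconds of history used when measuring the transfer rate
MIN_RATE_BYTES_PER_SEC = 50   # required payload rate once a connection is older than RATE_WINDOW


@dataclass
class ConnState:
    client: str
    opened_at: float
    recv_log: list = field(default_factory=list)   # (timestamp, bytes_received) pairs


class SlowConnectionGuard:
    """Server-side bookkeeping applying the three mitigations from the text (hypothetical helper)."""

    def __init__(self):
        self.conns = {}                      # conn_id -> ConnState
        self.per_client = defaultdict(int)   # client -> number of open connections
        self.rejected = {}                   # conn_id -> reason, refused at open time
        self.dropped = {}                    # conn_id -> reason, closed by a sweep

    def open(self, conn_id, client, now):
        """Mitigation 1: cap the number of concurrent connections per client address."""
        if self.per_client[client] >= MAX_CONN_PER_CLIENT:
            self.rejected[conn_id] = "per-client connection limit"
            return False
        self.conns[conn_id] = ConnState(client, now)
        self.per_client[client] += 1
        return True

    def receive(self, conn_id, nbytes, now):
        """Record payload bytes arriving on an open connection."""
        st = self.conns.get(conn_id)
        if st is not None:
            st.recv_log.append((now, nbytes))

    def close(self, conn_id):
        st = self.conns.pop(conn_id, None)
        if st is not None:
            self.per_client[st.client] -= 1

    def sweep(self, now):
        """Mitigations 2 and 3: bound the lifetime and require a minimum transfer rate.

        Returns the sorted identifiers of every connection dropped so far.
        """
        for conn_id, st in list(self.conns.items()):
            age = now - st.opened_at
            if age > MAX_CONN_LIFETIME:
                self.dropped[conn_id] = "lifetime exceeded"
                self.close(conn_id)
                continue
            if age < RATE_WINDOW:
                continue   # grace period: too young to judge its rate fairly
            recent = sum(n for t, n in st.recv_log if t > now - RATE_WINDOW)
            if recent / RATE_WINDOW < MIN_RATE_BYTES_PER_SEC:
                self.dropped[conn_id] = "below minimum transfer rate"
                self.close(conn_id)
        return sorted(self.dropped)


def simulate():
    """Replay a constructed timeline: one normal client and one slow client."""
    g = SlowConnectionGuard()
    # Constructed sample: the slow client tries to open seven connections at once...
    for i in range(1, 8):
        g.open(f"S{i}", "203.0.113.7", now=0.0)
    # ...and the normal client opens one.
    g.open("L1", "198.51.100.9", now=0.0)

    # The normal client streams its request data steadily.
    for t in (1.0, 5.0, 9.0, 12.0):
        g.receive("L1", 600, now=t)
    # The slow client sends a few bytes per connection at the 10 s mark, just enough
    # to keep a naive keep-alive timer from firing (receives on rejected ids are ignored).
    for i in range(1, 8):
        g.receive(f"S{i}", 8, now=10.0)

    early = g.sweep(now=8.0)     # inside the grace window: nothing dropped yet
    later = g.sweep(now=15.0)    # rate check active: the slow connections are dropped
    return {
        "rejected": sorted(g.rejected),
        "dropped_at_8s": early,
        "dropped_at_15s": later,
        "still_open": sorted(g.conns),
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

The grace period in `sweep` matters: judging a connection's rate before it has had a full window of history would penalise legitimate clients on slow links as readily as attackers. Production servers expose equivalent knobs; Apache's mod_reqtimeout `RequestReadTimeout` directive (with its `MinRate` option) and nginx's `client_header_timeout`, `client_body_timeout` and `limit_conn` are the usual places to set them.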

==See also==
* [Slowloris (computer security)](/source/Slowloris_(computer_security))
* [SlowDroid](/source/Slowdroid)
* [Trinoo](/source/Trinoo)
* [Stacheldraht](/source/Stacheldraht)
* [Denial of service](/source/Denial_of_service)
* [LAND](/source/LAND)
* [Low Orbit Ion Cannon](/source/Low_Orbit_Ion_Cannon)
* [High Orbit Ion Cannon](/source/High_Orbit_Ion_Cannon)

==References==
{{Reflist}}

Category:Denial-of-service attacks

---
Adapted from the Wikipedia article [Slow DoS attack](https://en.wikipedia.org/wiki/Slow_DoS_attack) by Wikipedia contributors ([contributor history](https://en.wikipedia.org/wiki/Slow_DoS_attack?action=history)). Available under [Creative Commons Attribution-ShareAlike 4.0 International](https://creativecommons.org/licenses/by-sa/4.0/). Changes may have been made.
