{{Short description|Category of denial-of-service attack}}
The term '''slow DoS attack''' ('''SDA''') was introduced in 2013,<ref name="categorization">{{cite journal|last1=Cambiaso|first1=Enrico|last2=Papaleo|first2=Gianluca|last3=Chiola|first3=Giovanni|last4=Aiello|first4=Maurizio|title=Slow DoS attacks: definition and categorisation|journal=International Journal of Trust Management in Computing and Communications|date=2013|volume=1|issue=3/4|pages=300–319|doi=10.1504/IJTMCC.2013.056440|hdl=11567/571723 |hdl-access=free}}</ref> to clearly define a specific category of denial-of-service attacks that use a low bandwidth rate to accomplish their purpose. Similar terms can be found in the literature, such as:
* application layer DoS,<ref>{{cite journal|last1=Mantas|first1=Georgios|last2=Stakhanova|first2=Natalia|last3=Gonzales|first3=Hugo|last4=Hadian Jazi|first4=Hossein|last5=Ghorbani|first5=Ali A.|title=Application-layer denial of service attacks: taxonomy and survey|journal=International Journal of Information and Computer Security|date=2015|volume=7|issue=2–4|pages=216–239|doi=10.1504/IJICS.2015.073028|s2cid=3384390 |url=http://gala.gre.ac.uk/id/eprint/33522/1/33522_MANTAS_%20Application_layer_denial_of_service_attacks.pdf }}</ref> focusing on attacks targeting the application layer only, while a slow DoS attack may also exploit lower layers of the ISO/OSI stack
* low-rate DoS,<ref>{{cite journal|last1=Wu|first1=Zhijun|last2=Zhang|first2=Liyuan|last3=Yue|first3=Meng|title=Low-Rate DoS Attacks Detection Based on Network Multifractal|journal=IEEE Transactions on Dependable and Secure Computing|date=2015|volume=13|issue=5|pages=559–567|doi=10.1109/TDSC.2015.2443807|s2cid=14728946 }}</ref> focusing on the characteristic of using a limited amount of attack bandwidth, hence also including, for instance, exploit-based threats

In particular, to reduce bandwidth, a slow DoS attack often acts at the application layer of the ISO/OSI stack (e.g. in the case of ''timeout exploiting'' threats<ref name="slownext">Cambiaso, Enrico; Papaleo, Gianluca; Chiola, Giovanni; Aiello, Maurizio (2015). "Designing and modeling the slow next DoS attack". ''Computational Intelligence in Security for Information Systems Conference (CISIS 2015)''. pp. 249–259. Springer.</ref>), although this is not a requirement.<ref>{{cite journal|last1=Cambiaso|first1=Enrico|last2=Chiola|first2=Giovanni|last3=Aiello|first3=Maurizio|title=Introducing the SlowDrop Attack|journal=Computer Networks|date=2019|volume=150|issue=|pages=234–249|doi=10.1016/j.comnet.2019.01.007|s2cid=60442737 |doi-access=free|hdl=11567/942438|hdl-access=free}}</ref> That layer is, however, easier to exploit in order to successfully attack a victim, even by sending it only a few bytes of malicious requests.

The purpose of a slow DoS attack is (often, but not always<ref name="slownext" />) to make a network service unavailable by seizing all the connections the daemon is able to manage concurrently at the application layer. Under such conditions, any new incoming connection, even from potentially legitimate clients, will not be accepted by the daemon, leading to a denial of service. In addition, once a connection is established and seized by the attacker, the adversary keeps it alive as long as possible, avoiding connection closures that could otherwise free up resources for legitimate clients.

==Exploited parameters==
According to Cambiaso et al.,<ref name="categorization"/> slow DoS attacks exploit one or more parameters characteristic of TCP-based connections. (Technically, any stateful protocol with a limit on the number of concurrent connections will work, but TCP is the most common.) Such parameters are exploited to keep connections alive longer than expected while preserving attack bandwidth, hence seizing server resources for a long time while at the same time reducing the resources the attacker must spend.

=== Timeout ===

Many protocols include a timeout system for deciding when to close a connection. This may be a feature central to a protocol's design (e.g. SSH uses a single open connection to interact) or an added feature (e.g. HTTP persistent connections allow a connection to be reused, saving resources). However, because the server promises to keep a connection open for a given amount of time, a malicious client can simply open many connections, each requesting a long keep-alive timeout; the long timeout enables the attacker to keep connections open at a low resource cost.<ref name="slowite">Vaccari, I., Aiello, M., Cambiaso, E. (2020). SlowITe, a novel denial of service attack affecting MQTT. Sensors, 20(10), 2932. {{doi|10.3390/s20102932|doi-access=free}}.</ref>

To keep connections alive while reducing attack bandwidth, data on a single connection are sent to the target service only at specific times, by exploiting the so-called ''Wait Timeout'' parameter,<ref name="categorization" /> which schedules a periodic data-sending activity at the application layer: once the timeout expires, a specific payload (depending on the attack type and the approach used by the malicious user) is sent to the targeted daemon. While at lower layers of the ISO/OSI stack timeouts may be relatively short, at the application layer this timeout may assume particularly long values, on the order of minutes.

== Mitigations ==
A server can count and limit the number of connections made by each client (usually identified by IP address).<ref name="cf">https://www.cloudflare.com/en-ca/learning/ddos/ddos-attack-tools/slowloris/ "Techniques such as limiting the maximum number of connections a single IP address is allowed to make, restricting slow transfer speeds, and limiting the maximum time a client is allowed to stay connected are all approaches for limiting the effectiveness of low and slow attacks."</ref>

A server can reduce the maximum timeout used.<ref name=cf/>

A server can modify its timeout algorithm to require a more substantial amount of data to be transferred in a given time frame before it considers the connection to be still alive. In other words, connections that are too slow are considered dead.<ref name=cf/>
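As an added, defender-side illustration of the three mitigations listed above (this is example code written for this article, not code from the cited sources or from any real server), the following Python sketch tracks per-client connection counts, enforces a maximum connection lifetime, and treats a connection that moves fewer bytes than a minimum over a time window as dead, which is exactly the case of a client that only trickles a few bytes per wait timeout as described under Timeout. The class name, thresholds, connection identifiers and the simulated clients are all assumptions constructed for the example.

```python
from collections import defaultdict

class SlowDoSGuard:
    """Hypothetical server-side policy: per-IP connection cap, maximum connection
    lifetime, and a minimum number of bytes per window (trickling = dead)."""

    def __init__(self, max_conns_per_ip=10, max_lifetime=120.0,
                 min_bytes_per_window=500, window=10.0):
        self.max_conns_per_ip = max_conns_per_ip
        self.max_lifetime = max_lifetime
        self.min_bytes_per_window = min_bytes_per_window
        self.window = window
        self.conns = {}                 # conn_id -> [ip, opened_at, window_start, bytes]
        self.per_ip = defaultdict(int)  # ip -> number of open connections

    def accept(self, conn_id, ip, now):
        """Admit a new connection unless the client already holds its quota."""
        if self.per_ip[ip] >= self.max_conns_per_ip:
            return False
        self.conns[conn_id] = [ip, now, now, 0]
        self.per_ip[ip] += 1
        return True

    def on_data(self, conn_id, nbytes):
        self.conns[conn_id][3] += nbytes   # credit application-layer bytes received

    def reap(self, now):
        """Close connections that outlived max_lifetime or trickled in a full window."""
        closed = []
        for cid, (ip, opened, win_start, nbytes) in list(self.conns.items()):
            window_done = now - win_start >= self.window
            too_slow = window_done and nbytes < self.min_bytes_per_window
            if now - opened > self.max_lifetime or too_slow:
                closed.append(cid)
                self.per_ip[ip] -= 1       # closing frees the slot for other clients
                del self.conns[cid]
            elif window_done:              # healthy connection: open a fresh window
                self.conns[cid][2:] = [now, 0]
        return closed

def simulate():
    """Constructed scenario: one client trickling bytes on several connections, one normal client."""
    g = SlowDoSGuard(max_conns_per_ip=3)
    admitted = [g.accept(f"slow{i}", "198.51.100.7", 0.0) for i in range(5)]
    g.accept("normal", "203.0.113.5", 0.0)
    g.on_data("normal", 2000)
    for cid in ("slow0", "slow1", "slow2"):
        g.on_data(cid, 20)                 # far below 500 bytes per 10 s window
    closed = g.reap(10.0)
    return admitted, sorted(closed), sorted(g.conns)
```

In the simulation the per-IP cap refuses the fourth and fifth connection from the same address, and the first reaping pass closes the three trickling connections while the normal client's connection survives.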

==See also==
* [[Slowloris (computer security)]]
* [[SlowDroid]]
* [[Trinoo]]
* [[Stacheldraht]]
* [[Denial of service]]
* [[LAND]]
* [[Low Orbit Ion Cannon]]
* [[High Orbit Ion Cannon]]

==References==
{{Reflist}}

[[Category:Denial-of-service attacks]]