Akamai is the cybersecurity and cloud computing company that powers and protects business online. Our market-leading security solutions, superior threat intelligence, and global operations team provide defense in depth to safeguard enterprise data and applications everywhere. Akamai’s full-stack cloud computing solutions deliver performance and affordability on the world’s most distributed platform. Global enterprises trust Akamai to provide the industry-leading reliability, scale, and expertise they need to grow their business with confidence.
A low and slow attack is a type of denial-of-service (DoS) attack designed to evade detection by sending application-layer traffic, most commonly HTTP requests, that appears legitimate but arrives at a very slow rate and in low volume. Also known as a slow-rate attack, a low and slow attack requires little bandwidth and may be launched from a single computer or from a botnet. Traffic from this type of attack is difficult to detect because it looks like legitimate OSI model Layer 7 (application layer) traffic and is not sent at a rate that triggers volumetric security alerts.
Brute-force attacks may also use a low and slow methodology, attempting to gain unauthorized access to an account or system by guessing the username and password at a relatively slow rate to avoid detection or triggering a lockout. Attackers leverage large networks of infected or compromised hosts to conduct such attacks, typically ranging from thousands to millions of bots.
What is a DoS or DDoS attack?
Denial-of-service attacks and distributed denial-of-service (DDoS) attacks target servers, websites, applications, or networks by inundating them with malicious traffic. By sending traffic or requests that eventually exhaust the processing, bandwidth, or memory resources of a server, denial-of-service attacks cause the device to slow down or crash, making it unavailable for valid traffic and legitimate users. A DoS attack uses a single device to generate traffic. A DDoS attack generates traffic by using thousands or millions of malware-infected devices that are under the control of cybercriminals.
How do low and slow attacks work?
In contrast to other denial-of-service attacks that bombard a server with massive amounts of traffic in a short period of time, low and slow DDoS attacks send small amounts of malicious traffic to the target to avoid the sudden spikes that could trigger security alerts. This type of attack targets thread-based web servers, tying up each worker thread with a slow request. As this is repeated on a progressively larger scale, the server is eventually prevented from responding to legitimate traffic. Low and slow attacks often focus on HTTP but may also involve TCP sessions with slow transfer rates directed at any TCP-based service.
Why are low and slow attacks effective?
Low and slow attacks are effective because they fly under the radar of intrusion detection systems. Because the traffic sent to the server arrives at a very slow rate, it is difficult to distinguish from legitimate traffic. By limiting the rate of requests sent to a server, low and slow attacks evade the rate-based protections typically used to identify and block traditional DDoS attacks.
What are common types of low and slow attacks?
Three of the most common low and slow attacks include:
- Slowloris. A Slowloris attack connects to a server and slowly sends partial HTTP headers, causing the server to keep the connection open as it waits for the rest of the header. By consuming the maximum number of connections available on the server, Slowloris attacks eventually exhaust the server’s resources and prevent it from responding to legitimate users.
- Sockstress. A Sockstress attack exploits a vulnerability in the TCP/IP three-way handshake to create an indefinite connection.
- R.U.D.Y. This attack (an acronym for R-U-Dead-Yet?) generates HTTP POST requests that fill out form fields. Because the malicious requests do not say how much data to expect and then send that data very slowly, the server keeps the connections open, anticipating the arrival of more data.
How are low and slow attacks best mitigated?
Stopping low and slow attacks requires cybersecurity teams to deploy a multilayered approach to mitigation.
- Behavioral analysis. By analyzing normal traffic patterns and continuously monitoring traffic behavior in real time, security teams may notice anomalies that point to a low and slow attack.
- Real-time monitoring. Monitoring resources such as CPU, memory, application states, connection tables, application threads, and other resources may reveal anomalies that point to an attack underway.
- Increased connections. Upgrading server availability and adding more connections make it more difficult for a low and slow attack to exhaust a server’s resources.
- Reverse proxy-based protection. This approach mitigates low and slow attacks before they reach the origin server.
- Deployment of DDoS mitigation and DDoS protection solutions. DDoS protection solutions offer various technologies, such as web application firewalls, to detect and mitigate attacks.
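The behavioral analysis and connection-table monitoring described above can be reduced to a simple rule: a request that is still incomplete after a long time and has been trickling in bytes is stalled, and many stalled connections from one source, or a high stalled share overall, indicate a Slowloris- or R.U.D.Y.-style attack. The following Python detector is an added example, not Akamai code; the connection-table fields, thresholds, and sample rows are constructed assumptions.

```python
from dataclasses import dataclass
from collections import defaultdict

# One row of a connection-table snapshot, as a monitor might collect it from
# a web server or load balancer. Field names and sample data are constructed.
@dataclass
class Conn:
    src_ip: str
    age_s: float             # seconds since the connection was accepted
    bytes_in: int            # request bytes received so far
    request_complete: bool   # whether headers and body have fully arrived

# Thresholds (assumptions): a request still incomplete after MIN_AGE_S seconds
# with an average inbound rate under MIN_RATE_BPS bytes/s counts as stalled.
MIN_AGE_S = 30.0
MIN_RATE_BPS = 50.0
MAX_STALLED_PER_SRC = 5   # more stalled connections than this from one IP is suspicious

def is_stalled(c: Conn) -> bool:
    if c.request_complete or c.age_s < MIN_AGE_S:
        return False
    return c.bytes_in / c.age_s < MIN_RATE_BPS

def stalled_by_source(conns):
    counts = defaultdict(int)
    for c in conns:
        if is_stalled(c):
            counts[c.src_ip] += 1
    return dict(counts)

def suspicious_sources(conns, limit=MAX_STALLED_PER_SRC):
    return sorted(ip for ip, n in stalled_by_source(conns).items() if n > limit)

def stalled_fraction(conns):
    if not conns:
        return 0.0
    return sum(is_stalled(c) for c in conns) / len(conns)

SAMPLE = (
    # legitimate: a completed request and a connection that is still young
    [Conn("203.0.113.10", 2.0, 512, True), Conn("203.0.113.11", 0.5, 120, False)]
    # one source holding eight half-sent requests that trickle in a few bytes
    + [Conn("198.51.100.7", 90.0 + i, 200 + i, False) for i in range(8)]
    # a slow but legitimate client with a single upload in progress
    + [Conn("192.0.2.22", 60.0, 1500, False)]
)

if __name__ == "__main__":
    print(stalled_by_source(SAMPLE))   # {'198.51.100.7': 8, '192.0.2.22': 1}
    print(suspicious_sources(SAMPLE))  # ['198.51.100.7']
```

The per-source count keeps a single slow legitimate client below the alert threshold, while the overall stalled fraction catches a distributed variant in which each bot holds only one or two connections.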