Slow Headers Attack Vulnerability (Slowloris) and its impact on eDirectory

  • 7016718
  • 30-Jul-2015
  • 13-Aug-2015

Environment

NetIQ eDirectory 8.8 SP8

Situation

Slow Headers Attack Vulnerability (Aka. Slowloris Attack)
 
The HTTP Protocol Stack (HTTPSTK) within eDirectory 8.8 SP8 has been found to be vulnerable to a Slowloris attack.  This stack supports iMonitor services.  The vulnerability was found by running the Acunetix Web Vulnerability Scanner.
 
Slowloris is a Perl-based HTTP client first released in 2009.  Its attack is one of a number of slow-paced HTTP attacks that rely on the HTTP protocol's behavior of waiting for a connection's complete request.  If an HTTP request is not complete, or if the bit rate is slow, the server will keep that thread busy waiting for the rest of the request to be received.  If too many such requests are received, the server's resources will be exhausted, resulting in a DoS (denial of service).  This attack is popular since it requires low bandwidth compared to other types of DoS attacks.  It also has minimal impact on a server's other services.
  
Slowloris allows one workstation to take down a server.  It creates many HTTP connections to a server and tries to keep them open for as long as possible.  It does this by continually sending partial HTTP headers that add to, but never complete, the prior request.  On a thread-by-thread basis it is difficult to differentiate between this type of attack and a merely slow client.
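The waiting behavior described above is what a server-side header-completion deadline removes: the server gives each connection a fixed time to finish its request head and releases the worker thread when that time runs out, whether the client is stalled or trickling partial header lines.  The following is an added example, not code from this article and not eDirectory's HTTPSTK.  It is a minimal thread-per-connection HTTP server in Python; the constants HEADER_DEADLINE and MAX_HEADER_BYTES, the function names, and the test client status_for are all assumptions made for the illustration.

```python
import socket
import threading
import time

# Assumed tuning values for the illustration (not eDirectory settings).
HEADER_DEADLINE = 3.0    # seconds a client gets to finish the whole request head
MAX_HEADER_BYTES = 8192  # give up on a request head that grows past this size


def read_request_head(conn, deadline=HEADER_DEADLINE, limit=MAX_HEADER_BYTES):
    """Read until the blank line that terminates the HTTP request head.

    Returns the head bytes, or None when the peer does not complete the head
    within `deadline` seconds or sends more than `limit` bytes.  The deadline
    is absolute: a peer that keeps trickling partial header lines does not
    extend it, so a slow-headers client cannot hold the worker indefinitely.
    """
    end_at = time.monotonic() + deadline
    buf = b""
    while b"\r\n\r\n" not in buf:
        remaining = end_at - time.monotonic()
        if remaining <= 0 or len(buf) > limit:
            return None
        conn.settimeout(remaining)
        try:
            chunk = conn.recv(4096)
        except socket.timeout:
            return None
        if not chunk:            # peer closed before completing the head
            return None
        buf += chunk
    return buf.split(b"\r\n\r\n", 1)[0]


def handle(conn):
    """Serve one connection on its own worker thread."""
    try:
        head = read_request_head(conn)
        if head is None:
            # Incomplete head: answer 408 and release the worker instead of
            # waiting for bytes that may never arrive.
            conn.sendall(b"HTTP/1.1 408 Request Timeout\r\n"
                         b"Connection: close\r\n\r\n")
        else:
            conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n"
                         b"Connection: close\r\n\r\nok")
    except OSError:
        pass
    finally:
        conn.close()


def serve(host="127.0.0.1", port=0):
    """Start a thread-per-connection server; return (listening socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(16)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:      # listening socket closed: shut down
                return
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def status_for(port, pieces, pause=0.0):
    """Test client: send `pieces` (sleeping `pause` seconds between them) and
    return the response status line.  One complete piece models a normal
    client; several partial pieces model a client that never finishes."""
    c = socket.create_connection(("127.0.0.1", port))
    c.settimeout(10)
    try:
        for i, piece in enumerate(pieces):
            if i:
                time.sleep(pause)
            c.sendall(piece)
        data = b""
        while b"\r\n" not in data:
            chunk = c.recv(4096)
            if not chunk:
                break
            data += chunk
        return data.split(b"\r\n", 1)[0].decode("ascii", "replace")
    finally:
        c.close()


if __name__ == "__main__":
    srv, port = serve()
    print(status_for(port, [b"GET / HTTP/1.1\r\nHost: localhost\r\n\r\n"]))
    print(status_for(port, [b"GET / HTTP/1.1\r\n", b"X-Partial: 1\r\n"], pause=1.0))
    srv.close()
```

The important design point is that the deadline is measured from the start of the request head rather than reset on every received byte; a per-read idle timeout alone is defeated by a client that sends one header line just before each timeout expires.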
 

Resolution

This has been reported to Engineering.
 
In the meantime the following can be used to mitigate the attack:
 
1. Disable the HTTP stack.
Rem out (comment out) the httpstk and imon modules in /etc/opt/novell/eDirectory/conf/ndsmodules.conf, as shown below, and restart NDSD.
#httpstk auto #DHost HTTP Stack
hconserv auto #HConServ
nldap auto #LDAP Server
#imon auto #iMon
embox auto #eMBox
pkiserver auto #PKI server
ssncp auto #SecretStore
 
2. Set up iptables to allow only 10 new connections per source address per 15 seconds and drop anything over that.
Example:
# -I inserts at the head of the INPUT chain, so the DROP rule (inserted
# second) is evaluated before the --set rule; the ACCEPT is appended last.
# Only NEW connections are counted against the limit.
iptables -I INPUT -p tcp -m state --state NEW --dport 80 -m recent \
    --name slowloris --set
iptables -I INPUT -p tcp -m state --state NEW --dport 80 -m recent \
    --name slowloris --update --seconds 15 --hitcount 10 -j DROP
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
Keep in mind that this will lead to many false positives, but it will not affect lengthy file transfers as other timeouts might.
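To make the behavior of the recent rules, and the false-positive caveat, concrete, the following is an added Python model of the 10-connections-per-15-seconds sliding window.  It is not code from this article and not part of iptables; the class RecentNewConnectionLimiter, the helper functions and the source addresses (taken from the RFC 5737 documentation ranges) are constructed for the illustration.  It approximates the --update/--set pair above: an attempt that is dropped still refreshes the address entry, so a source that keeps retrying stays blocked until it is quiet for a full window.  The second scenario shows the false positive the article warns about: several distinct workstations behind one shared source address count as a single client, and the eleventh user is dropped.  Separately, the --dport in the rules above must match the port on which HTTPSTK actually listens in your deployment.

```python
import collections
import time

# Constructed sample addresses from the RFC 5737 documentation ranges.
ATTACKER = "198.51.100.7"
NAT_GATEWAY = "203.0.113.1"


class RecentNewConnectionLimiter:
    """Sliding-window limit on NEW connections per source address.

    Approximation of the iptables 'recent' match in the article
    (--seconds 15 --hitcount 10): a source that already has `hitcount`
    attempts recorded inside the last `seconds` has further attempts
    dropped.  Dropped attempts are recorded too, mirroring --update
    refreshing the entry on a match.
    """

    def __init__(self, seconds=15.0, hitcount=10, clock=time.monotonic):
        self.seconds = seconds
        self.hitcount = hitcount
        self.clock = clock          # injectable for deterministic tests
        self.hits = collections.defaultdict(collections.deque)

    def allow(self, addr, now=None):
        """Return True if a new connection from `addr` is accepted."""
        if now is None:
            now = self.clock()
        stamps = self.hits[addr]
        while stamps and now - stamps[0] > self.seconds:
            stamps.popleft()        # forget attempts older than the window
        stamps.append(now)
        return len(stamps) <= self.hitcount


def simulate(limiter, attempts):
    """Feed (time, source_address, client_label) attempts to the limiter
    and return the labels whose connection would have been dropped."""
    dropped = []
    for t, addr, label in attempts:
        if not limiter.allow(addr, now=t):
            dropped.append(label)
    return dropped


def flood_from_one_host(n=30, spacing=0.1):
    """One workstation opening many connections in quick succession."""
    return [(i * spacing, ATTACKER, f"attacker-{i}") for i in range(n)]


def office_behind_nat(n=12, spacing=0.5):
    """Constructed false-positive case: n distinct workstations share one
    NAT address and each opens a single connection within a few seconds."""
    return [(i * spacing, NAT_GATEWAY, f"workstation-{i}") for i in range(n)]


if __name__ == "__main__":
    print("dropped (single host):", simulate(RecentNewConnectionLimiter(), flood_from_one_host()))
    print("dropped (shared NAT): ", simulate(RecentNewConnectionLimiter(), office_behind_nat()))
```

The model counts connection attempts, not bytes or header completeness, which is why it is cheap to enforce at the packet filter and also why it cannot tell ten users behind one gateway apart from one misbehaving workstation.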