27

I am investigating the vulnerability to Slowloris and I think I understand how and why this sort of attack works.

What I don't understand is why Lighttpd and NginX are not affected (according to the same article as linked above). What makes them so different?

Alexis Wilke
The Shurrican

3 Answers

27

Apache has a theory of 'Maximum Clients'

That is the number of simultaneous connections it can handle, i.e. if an apache server has a 'max clients' limit of 100, and each request takes 1 second to complete, it can handle a maximum of 100 requests per second.

An application like SlowLoris will flood a server with connections; in our example, if SlowLoris sends 200 connections per second and Apache can only handle 100 connections per second, the connection queue will keep getting bigger and use up all the memory on the machine, bringing it to a halt. This is similar to the way Anonymous' LOIC works.

NGINX and Lighttpd (among others) don't have a maximum number of connections; they use worker threads instead, so, theoretically, there's no limit to the number of connections they can handle.
If you monitor your Apache connections, you'll see that the majority of the active connections are 'Sending' or 'Receiving' data from the client. In NGINX/Lighttpd they just ignore these requests and let them run on in the background, not using up system resources, and it only has to process connections with something going on (Parsing responses, reading data from backend servers etc.)

I actually answered a similar question this afternoon, so the information in there might also be interesting to you Reducing Apache request queuing

Smudge
  • Good and very detailed answer. +1 – Oldskool Dec 29 '11 at 13:17
  • 8
    Minor correction: nginx does not use worker threads to achieve high number of connections. From [nginx.org](http://wiki.nginx.org/Main): "Nginx doesn't rely on threads to handle requests. Instead it uses a much more scalable event-driven (asynchronous) architecture" – Day Mar 26 '13 at 16:28
  • 2
    Although a possible side effect, the intent of Slowloris isn't to "use up all memory on the machine", but rather exhaust the maximum connection capacity denying subsequent connections from succeeding. – wulfgarpro May 14 '17 at 02:46
  • @Day Nginx does use worker threads to support its asynchronous operation. A useful application architecture schematic is provided here: http://www.aosabook.org/en/nginx.html#fig.nginx.arch – Terry Burton Feb 20 '19 at 23:40
17

Nginx is actually vulnerable to slowloris attack. The scarce resource is the maximum number of simultaneous worker connections. This number can be calculated as worker_connections * worker_processes and equals 512 in the default nginx configuration. So, it is quite easy to take down unprotected nginx with tools such as goloris.

valyala
10

valyala's comment should be accepted as the answer.

Most nginx servers use default configs and are therefore vulnerable to slowloris attack. I have used slowloris to take down some of my friends' nginx websites using only my laptop, and usually it took less than 5 minutes (my friends challenged me to do so).

As valyala stated, technically, nginx is not vulnerable to slowloris, but the default configs limit the max number of connections, so when the connections exceed that number, nginx drops the new request, which results in a denial of service.

The known ways to protect nginx from slowloris include limiting the number of connections from the same IP and increasing the worker_connections config. The attack can still work, but it gets harder (maybe taking more than 5 minutes? :D)

Nguyen Phan Tan
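An added example, not code from any of the answers, that checks an nginx configuration against the points raised in the two answers above: it multiplies worker_processes by worker_connections to get the simultaneous-connection budget and flags a missing per-client limit_conn and a long client_header_timeout. The two config fragments are constructed; treating worker_processes auto as one worker per CPU and timeouts given in seconds are assumptions.

```python
import os
import re

# Constructed conf fragments (not from the page). DEFAULT mirrors nginx's stock values
# the answers describe; HARDENED adds capacity, a per-client cap and a short timeout.
DEFAULT_CONF = """
worker_processes 1;
events {
    worker_connections 512;
}
http {
    client_header_timeout 60s;
}
"""
HARDENED_CONF = """
worker_processes auto;
events {
    worker_connections 4096;
}
http {
    limit_conn_zone $binary_remote_addr zone=perip:10m;
    limit_conn perip 20;
    client_header_timeout 10s;
}
"""

# One "name value;" directive per line; block openers such as "http {" do not match.
DIRECTIVE = re.compile(r"^\s*([a-z_]+)\s+([^;#{}\n]+);", re.M)

def parse_directives(conf):
    """Return {directive: value} for the single-value directives in conf."""
    return {name: value.strip() for name, value in DIRECTIVE.findall(conf)}

def assess(conf, cpus=None):
    """Estimate the simultaneous-connection budget and list slowloris-relevant gaps."""
    d = parse_directives(conf)
    procs = d.get("worker_processes", "1")
    procs = (cpus or os.cpu_count() or 1) if procs == "auto" else int(procs)  # assumption: auto = CPUs
    conns = int(d.get("worker_connections", "512"))  # nginx default
    timeout = int(d.get("client_header_timeout", "60s").rstrip("s"))  # seconds only (assumption)
    findings = []
    if procs * conns <= 512:
        findings.append("capacity is at the 512-connection default")
    if "limit_conn" not in d or "limit_conn_zone" not in d:
        findings.append("no limit_conn: one client may hold every slot")
    if timeout > 30:
        findings.append("client_header_timeout %ds keeps idle slow senders alive" % timeout)
    return {"capacity": procs * conns, "findings": findings}
```

Run assess(DEFAULT_CONF) and assess(HARDENED_CONF) to compare the budgets and the findings list for each.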