Slow Read Attack: A New HTTP Denial of Service Attack
Added by Karen Hanna on Jan 12, 2012
A new HTTP-based threat, dubbed a "Slow Read attack", aims to cause an undetected Denial of Service (DoS) by exploiting a Transmission Control Protocol (TCP) persist timer vulnerability. According to an article in Ars Technica, the attack sends a legitimate HTTP request to a server but then reads the response very slowly, forcing connections to stay open. Data fills the server's send buffer and stays there while the server continues to poll the client for write-space availability, until a DoS occurs. Slow Read's response-based behavior is likely to go undetected because it may mimic a legitimate slow client, or because the server is not sufficiently tuned to protect against slow HTTP attacks. This type of attack differs from Slowloris, a request-based slow DoS attack that ties up web servers by sending partial HTTP requests at regular intervals to keep sockets open.
Slow attacks may be of particular concern to small and midsize businesses (SMBs) because the attack can theoretically be caused by a single source computer and be nearly impossible to detect until it is too late. Further, merely tuning the server without running tests or planning other mitigation techniques may end up filtering out legitimate users who are simply slow.
Researcher Sergey Shekyan at Qualys Security Labs created the Slow Read attack. According to Shekyan, the conditions for the attack are that the server sends a response larger than its send buffer and that the response is delivered to a much smaller client receive buffer. Knowing the size of the send buffer is not that difficult because the default value is between 65Kb and 128Kb. So the goal is to send a legitimate HTTP request that will generate a response larger than 128Kb, which is also not difficult to do. A small receive buffer means response data remains pending and the connection to the client stays active. In terms of detecting exposure, a server may be vulnerable if it accepts initial packets sent across TCP with an abnormally small window, if HTTP pipelining is enabled, or if persistent connections are enabled.
SMBs are particularly vulnerable to slow HTTP attacks because of the limited budget, time, and staff they have to maintain servers and to mitigate risk. Sometimes web server platforms are set up once--often with default parameters--and maintenance is done only when there is time to do so, when it becomes absolutely necessary, or only with an eye toward reducing downtime and not necessarily with an eye toward security and protection. At the very least, best practices dictate scheduling routine maintenance and system protection, periodically auditing server configuration, and keeping on top of security patches.
IT administrators who want to become familiar with slow HTTP attacks can look at Qualys Security Labs' slowhttptest tool. The configurable tool is designed to help IT administrators create slow HTTP attack scenarios to test a server for these vulnerabilities. SpiderLabs has run some example tests using the slowhttptest tool and has developed some interesting mitigation techniques that are worth looking at. Becoming familiar with these types of techniques may help to protect the enterprise from Slow Read attacks.
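The paragraphs above describe the server-side symptom of a Slow Read (a large response that trickles out to a client for a very long time) and warn that naive tuning also punishes legitimately slow clients. The following is an added example, not code from this article, from Qualys or from SpiderLabs: a log-based heuristic that flags a source only when it repeatedly holds long-lived, low-rate transfers open, so a single slow mobile user is not reported. The log format (common log format extended with a per-request duration in microseconds, in the style of Apache's `%D`), the thresholds, and all sample lines are constructed assumptions for illustration.

```python
import re
from collections import Counter
from typing import Dict, Optional

# Constructed log line shape (hypothetical extension of the common log format):
#   client_ip - - [timestamp] "request line" status response_bytes duration_us
# duration_us is the whole-request service time in microseconds, as a
# per-request timer such as Apache's %D would record it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<nbytes>\d+) (?P<dur_us>\d+)$'
)

# Tunables (assumed values). A Slow Read client keeps a large response
# trickling for a long time; one genuinely slow client rarely does that on
# several connections at once, so repetition per source is required.
MIN_DURATION_S = 30        # ignore anything that finished quickly
MAX_BYTES_PER_S = 10_000   # below this rate for that long counts as "slow"
MIN_SLOW_PER_SOURCE = 3    # repeated slow transfers from one IP

# Constructed sample: one source with five slow large transfers, one
# genuinely slow client with a single transfer, and ordinary fast traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jan/2012:10:00:01 +0000] "GET /large.iso HTTP/1.1" 200 524288 120000000
203.0.113.10 - - [12/Jan/2012:10:00:02 +0000] "GET /large.iso HTTP/1.1" 200 524288 118000000
203.0.113.10 - - [12/Jan/2012:10:00:02 +0000] "GET /large.iso HTTP/1.1" 200 524288 125000000
203.0.113.10 - - [12/Jan/2012:10:00:03 +0000] "GET /large.iso HTTP/1.1" 200 524288 119500000
203.0.113.10 - - [12/Jan/2012:10:00:03 +0000] "GET /large.iso HTTP/1.1" 200 524288 121000000
203.0.113.10 - - [12/Jan/2012:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 4096 8000
198.51.100.7 - - [12/Jan/2012:10:01:00 +0000] "GET /large.iso HTTP/1.1" 200 524288 90000000
192.0.2.5 - - [12/Jan/2012:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 1024 5000
192.0.2.5 - - [12/Jan/2012:10:01:06 +0000] "GET /style.css HTTP/1.1" 200 2048 6000
"""


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ip": d["ip"],
        "request": d["req"],
        "status": int(d["status"]),
        "nbytes": int(d["nbytes"]),
        "duration_s": int(d["dur_us"]) / 1_000_000,
    }


def throughput_bps(entry: dict) -> float:
    """Average delivery rate of one response in bytes per second."""
    if entry["duration_s"] <= 0:
        return float("inf")  # served instantly, cannot be a slow read
    return entry["nbytes"] / entry["duration_s"]


def is_slow_read(entry: dict, min_duration_s: float = MIN_DURATION_S,
                 max_bps: float = MAX_BYTES_PER_S) -> bool:
    """A long-lived response delivered well below the normal rate."""
    return (entry["duration_s"] >= min_duration_s
            and throughput_bps(entry) < max_bps)


def find_slow_read_sources(log_text: str,
                           min_slow: int = MIN_SLOW_PER_SOURCE) -> Dict[str, int]:
    """Map source IP -> number of slow transfers, for IPs at or above min_slow."""
    slow_per_ip: Counter = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_slow_read(entry):
            slow_per_ip[entry["ip"]] += 1
    return {ip: n for ip, n in slow_per_ip.items() if n >= min_slow}


if __name__ == "__main__":
    for ip, n in find_slow_read_sources(SAMPLE_LOG).items():
        print(f"{ip}: {n} slow transfers, review for Slow Read")
```

Run against the sample, only 203.0.113.10 is reported; 198.51.100.7 has the same low throughput on one transfer and is left alone, which is the trade-off the article's warning about legitimate slow users calls for. The thresholds should be set from a baseline of the server's real traffic, and a hit is a cue to review per-source concurrency and timeout settings (the kind of tuning slowhttptest lets you verify) rather than to block outright.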