In recent years there has been a growing trend of attacking HTTP servers by simply exhausting their TCP connections. The attack is called the Slow HTTP Get&Post Attack, and many HTTP servers, including IIS, Apache and Nginx servers, suffer from this kind of DDoS attack. This article shows how the Slow HTTP Get&Post Attack takes down Internet servers and how to use Anti DDoS Guardian to protect Windows servers from it.
For an HTTP server, the maximum number of concurrent TCP connections is limited to a certain value, such as 5000 for a Windows 2003 server. If a user opens enough concurrent TCP connections to exceed that maximum, the HTTP server will not respond to any more requests. Some tools were developed to carry out this kind of DDoS attack; the most famous ones are Slowloris HTTP DoS, the OWASP HTTP Post tool and slowhttptest. These tools implement the most common low-bandwidth application-layer DoS attacks. The technical details differ: some create HTTP GET DoS attacks while others make HTTP POST DoS attacks.
The picture above shows the OWASP HTTP Post Tool, which was created to let you test your web applications for availability concerns from Layer 7 DoS HTTP GET and HTTP POST denial-of-service attacks.
Anti DDoS Guardian can stop slow HTTP Get&Post attacks by limiting the number of concurrent TCP connections allowed for each client computer. If one client computer tries to access a Windows server with many TCP connections, such as 30 concurrent connections, that client is marked as suspicious and its IP address is blocked for a certain period.
The options dialog of Anti DDoS Guardian is shown above. With options 2.5, 2.6 and 2.7 set as shown, an IP address is blocked if it makes 15 TCP connections and holds them for over 30 seconds without disconnecting. In our tests, the slow HTTP attacks could be successfully stopped.
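The blocking rule just described, modelled in Python as an added illustration of the per-client limit (this is not Anti DDoS Guardian's own code): a client IP that holds 15 or more TCP connections for longer than 30 seconds without releasing them is blocked, and the timer resets if the client drops below the limit. The IP addresses, connection ids and timings in `run_sample` are constructed, and a periodic `tick` stands in for the product's own timer.

```python
# Thresholds as the article describes options 2.5-2.7: an IP holding MAX_CONN
# or more connections for longer than HOLD_SECONDS without releasing them is
# blocked. This is an illustrative model, not Anti DDoS Guardian's own code.
MAX_CONN = 15
HOLD_SECONDS = 30.0

class SlowHttpLimiter:
    def __init__(self, max_conn=MAX_CONN, hold_seconds=HOLD_SECONDS):
        self.max_conn, self.hold_seconds = max_conn, hold_seconds
        self.open_conns = {}   # ip -> set of open connection ids
        self.over_since = {}   # ip -> time the count first reached max_conn
        self.blocked = {}      # ip -> time the ip was blocked

    def _check(self, ip, now):
        if len(self.open_conns[ip]) >= self.max_conn:
            started = self.over_since.get(ip)
            if started is None:
                self.over_since[ip] = now
            elif now - started > self.hold_seconds:
                self.blocked.setdefault(ip, now)
        else:
            self.over_since[ip] = None  # dropped below the limit: reset the timer

    def on_event(self, now, ip, conn_id, action):
        """Feed one connection event; action is 'open' or 'close'."""
        conns = self.open_conns.setdefault(ip, set())
        if action == "open":
            conns.add(conn_id)
        else:
            conns.discard(conn_id)
        self._check(ip, now)
        return ip in self.blocked

    def tick(self, now):
        """Periodic re-check: a slow client sends nothing after opening, so use the clock."""
        for ip in self.open_conns:
            self._check(ip, now)
        return set(self.blocked)

def run_sample():
    """Constructed events: 203.0.113.5 holds 20 connections from t=0; 198.51.100.7 opens 16 at t=1, closes all at t=5."""
    lim = SlowHttpLimiter()
    for i in range(20):
        lim.on_event(0.0, "203.0.113.5", i, "open")
    for i in range(16):
        lim.on_event(1.0, "198.51.100.7", i, "open")
    for i in range(16):
        lim.on_event(5.0, "198.51.100.7", i, "close")
    # at t=20 nothing has been held over 30 s; at t=31 the slow client is blocked
    return lim.tick(20.0), lim.tick(31.0)
```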