I have written this article in collaboration with Krishna Bhandarge
Background
Slowloris is a type of denial of service (DoS) attack which exploits the application‑layer (HTTP) connection handling weaknesses. The Slowloris is a technique of capitalizing on how web servers keep open partial HTTP requests.
A web server allocates a thread for each incoming request. Slowloris opens a connection to the target web server and sends partial HTTP headers. Slowloris holds the connection open as long as possible by sending subsequent HTTP headers, adding to, but never completing the request. By holding many such connections, Slowloris attempts to exhaust the server's thread / connection pool. If the affected server keeps the connections open, the maximum concurrent connection pool would get filled completely, eventually denying additional connection attempts from the web clients.
Can the Slowloris attack concept be used to exploit the layer 3 network protocols? Can the Slowloris attack concept be used to exploit a Network interface controller (NIC)?
A Network interface controller (NIC) operates at Layer 1 (physical layer) and Layer 2 (data link layer). Slowloris relies entirely on connection handling weaknesses. Layer 1, layer 2 and layer 3 devices, including NICs, do not maintain a per‑connection state. Hence, this attack pattern is impossible at Layer 2 and layer 3.
Layer 3 DoS attacks are possible, but they are different from the Slowloris concept. They are :
- ICMP floods
- Fragmentation floods
- IP packet storms
- Malformed IP packet attacks
These attacks attempt to saturate:
- NIC Rx queues (ring buffers)
- Host CPU network stack processing
- PCIe bandwidth
- Device driver's interrupt-handling capacity
None of these attacks resemble the Slowloris pattern because:
- They do not use partial requests
- They do not require keeping connections open
- They do not exploit HTTP behavior
If a Slowloris attack is happening on a web server, the web server's NIC has no way to detect the attack. The NIC can not provide any protection. Here is why.
A Network interface controller (NIC) does not do layer 7 filtering. A NIC typically provides :
- hardware offloads for TCP
- virtualization support (SR-IOV)
- traffic shaping / QoS
- RDMA (RoCE/iWARP) capabilities
But none of these features prevent Slowloris, because Slowloris is not a bandwidth or packet-rate attack. Slowloris is a protocol resource exhaustion attack.
However, SmartNICs and DPUs are the exception. Some vendors (NVIDIA BlueField, Intel IPU, AMD Pensando) manufacture SmartNICs or Data Processing Units which can offload Layer 7 logic.
On a side note, here are some ways to prevent a Slowloris attack on a web server. Layer 7 filtering is typically performed by firewalls, proxies, DPI engines, or service meshes.
Mitigations for Slowloris attack are :
- SYN cookies / TCP stack hardening
- connection rate-limiting via OS firewall
- load balancers or reverse proxies (nginx, Varnish)
