Ron Winward

Little known fact - I had been thinking about Slowloris for about 10 years before I finally actually sat down to write it. In the early 90's I had encountered a situation where Apache would die when people would do what I used to call "half-open" attacks where they'd see if they got the first packet (200 or 401) and then close the socket without seeing the rest of the result or sending RST or FIN packets causing Apache to be confused and hang, patiently waiting to finish it's response. Our interprocess communication would lock - something related to dead semaphores, and the whole system would halt and no longer deliver HTTP responses. Every day at around 5PM Japan time, some kid would come home from school and attack us trying to break in. It was annoying, and it never really had a chance of working but it did break our website and cause my phone to start alerting due to the outage... every... single... night... at... 1am. Grr. The solution at the time was simply to block the attackers and build a self-healing solution that would reboot Apache when we detected those hung IPC semaphores. Fairly ugly solution but it worked and was pretty cutting edge for it being the 90's. I also got my first Blackhat talk out of it with subsequent solutions we came up with to hide the responses requiring full HTTP responses to be analyzed before they could close the socket. The talk was "Military Hardening of .htaccess" and was exclusively attended by Chinese speakers and like 3 of my friends - I was speaking opposite Mitnick, I think, so the room was virtually empty. I was also extremely, mind-bendingly, hung-over. I ended up throwing up right before going on stage, like under a minute before, and my head was spinning through the whole talk. The Chinese audience members had a translator and it was making me sick to hear my own translation and I was already having a hard time keeping it together. I cannot believe Blackhat ever gave me a second chance after that mess. Friendly note kids - don't go full Vegas the night before your preso. As you might imagine, after that I was pretty much totally done with the whole idea so I sat on the idea of Slowloris for a decade. Yes, a really really bad hang-over made me uninterested in developing a denial of service tool. It literally made me a little nauseous to think about it. I digress... But it got me thinking that there would be a way to do something similar as an intentionally malicious attack rather than just efficient brute forcing. The way to do that would be to send the packet with the first half of the HTTP headers and then just keep the socket open, never finishing the request. I do wonder how many other exploits are out there where people are sitting on it forever just because they haven't gotten around to writing it yet.