Slowloris operates by maintaining multiple partial HTTP connections to the target server. Unlike traditional DDoS attacks that flood bandwidth, Slowloris exhausts server resources by keeping connections open as long as possible. Typical indicators include:
- Abnormally high number of connections in WAIT state
- Server becoming unresponsive while network bandwidth appears normal
- Multiple incomplete HTTP requests in logs
Here's how to monitor active connections using netstat:
netstat -n | grep ':80 ' | awk '{print $6}' | sort | uniq -c | sort -n
Look for these red flags:
- Multiple connections in FIN_WAIT or CLOSE_WAIT states
- Single IP addresses with unusually high connection counts
- Connections remaining open for extended periods
Your connection limiting approach is correct. Here's an enhanced ruleset:
# Limit concurrent connections per IP
iptables -A INPUT -p tcp --syn --dport 80 -m connlimit \
    --connlimit-above 50 -j REJECT --reject-with tcp-reset
# Slow connection protection
iptables -A INPUT -p tcp --dport 80 -m connbytes \
    --connbytes 0:1024 --connbytes-dir both --connbytes-mode bytes \
    -m state --state ESTABLISHED -m recent --set
iptables -A INPUT -p tcp --dport 80 -m connbytes \
    --connbytes 0:1024 --connbytes-dir both --connbytes-mode bytes \
    -m state --state ESTABLISHED -m recent --update \
    --seconds 60 --hitcount 10 -j DROP
To identify attacker IPs from Apache/nginx logs:
# Apache slow request detection
cat access.log | awk '$7 ~ /^\/$/ && $9 == 200 {print $1}' | \
    sort | uniq -c | sort -nr | head -20
# Nginx incomplete requests (in error.log the client address follows "client:",
# so extract that field; the first field is the date, not the IP)
grep -i "request body is buffered" error.log | \
    sed -n 's/.*client: \([^,]*\),.*/\1/p' | sort | uniq -c | sort -nr
Here's a Python script to monitor suspicious activity:
import subprocess
from collections import defaultdict

def check_slowloris(threshold=50):
    # netstat -tn: numeric TCP connections; the foreign address is the fifth column
    netstat = subprocess.Popen(['netstat', '-tn'], stdout=subprocess.PIPE)
    output = netstat.communicate()[0].decode('utf-8')
    ip_counts = defaultdict(int)
    for line in output.split('\n'):
        if ':80 ' in line and 'ESTABLISHED' in line:
            # split on the last colon so IPv6 addresses stay intact
            ip = line.split()[4].rsplit(':', 1)[0]
            ip_counts[ip] += 1
    return [ip for ip, count in ip_counts.items() if count > threshold]

if __name__ == '__main__':
    suspects = check_slowloris()
    if suspects:
        print(f"Potential Slowloris attack from: {', '.join(suspects)}")
When submitting evidence to an ISP, include:
1. Timestamped logs showing incomplete requests
2. Connection pattern analysis
3. Your mitigation attempts
4. Impact documentation
5. Relevant packet captures (if available)
Most ISPs have abuse@ or security@ contacts. For US providers, include ARIN references:
whois -h whois.arin.net "n + " | grep AbuseContact
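The connection-state check described in this answer, worked through as an added example (this is not the answer's own script): it parses `netstat -tn` style output, tallies the TCP states seen on port 80, and flags remote hosts holding more than a threshold of open connections. The netstat output embedded below is constructed sample data, the addresses are documentation ranges, and the threshold of 3 is chosen only to fit that sample; a real deployment would feed it the live output of `netstat -tn` and use a threshold like the 50 used above.

```python
"""Added example: summarise netstat output by state and per-remote-host count."""
from collections import Counter, defaultdict

# Constructed sample of `netstat -tn` output (two header lines, then one
# connection per line). 198.51.100.7 holds several open connections to :80.
SAMPLE_NETSTAT = """Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 203.0.113.10:80         198.51.100.7:51001      ESTABLISHED
tcp        0      0 203.0.113.10:80         198.51.100.7:51002      ESTABLISHED
tcp        0      0 203.0.113.10:80         198.51.100.7:51003      ESTABLISHED
tcp        0      0 203.0.113.10:80         198.51.100.7:51004      ESTABLISHED
tcp        0      0 203.0.113.10:80         192.0.2.55:40211        ESTABLISHED
tcp        0      0 203.0.113.10:80         192.0.2.55:40212        CLOSE_WAIT
tcp        0      0 203.0.113.10:22         192.0.2.99:55555        ESTABLISHED
tcp6       0      0 2001:db8::1:80          2001:db8::abcd:4000     FIN_WAIT2
"""


def split_host_port(addr):
    """Split 'host:port' as netstat prints it; rsplit keeps IPv6 hosts intact."""
    host, port = addr.rsplit(":", 1)
    return host, int(port)


def parse_netstat(output):
    """Return (local_host, local_port, remote_host, state) tuples,
    skipping netstat's two header lines and anything that is not tcp/tcp6."""
    conns = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        local_host, local_port = split_host_port(fields[3])
        remote_host, _ = split_host_port(fields[4])
        conns.append((local_host, local_port, remote_host, fields[5]))
    return conns


def analyze(conns, port=80, threshold=3):
    """For connections to `port`: count each TCP state (WAIT states included)
    and list remote hosts holding more than `threshold` ESTABLISHED connections."""
    states = Counter()
    per_remote = defaultdict(int)
    for _, local_port, remote, state in conns:
        if local_port != port:
            continue
        states[state] += 1
        if state == "ESTABLISHED":
            per_remote[remote] += 1
    suspects = sorted(host for host, n in per_remote.items() if n > threshold)
    return {"states": dict(states), "suspects": suspects}


def report(output=SAMPLE_NETSTAT, port=80, threshold=3):
    """Print a short summary and return the analysis for further use."""
    result = analyze(parse_netstat(output), port, threshold)
    print(f"port {port} connection states: {result['states']}")
    for host in result["suspects"]:
        print(f"  remote {host} holds more than {threshold} open connections")
    return result


if __name__ == "__main__":
    report()
```

Run as-is it prints the state breakdown for the sample; to use it on a live host, replace `SAMPLE_NETSTAT` with the decoded output of `subprocess.run(["netstat", "-tn"], capture_output=True, text=True).stdout`. Counting the CLOSE_WAIT and FIN_WAIT entries separately matters because a rising share of those states with flat bandwidth is the pattern the answer lists as a red flag.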
A Slowloris attack operates by maintaining multiple partial HTTP connections to a web server, keeping them open as long as possible to exhaust connection pools. Unlike volumetric attacks, Slowloris is particularly stealthy because it uses minimal bandwidth.
Look for these telltale signs in your server logs:
- Abnormally high number of connections in WAIT state (check via netstat -ant | grep WAIT | wc -l)
- Incomplete HTTP requests (headers without termination)
- Requests with unusually slow transfer rates
- Connection timeouts exceeding normal thresholds
Use this awk command to parse Apache logs for suspicious connections:
awk '{if ($9 == 408 || $9 == 500) print $1}' /var/log/apache2/access.log | sort | uniq -c | sort -nr
For Nginx, try this more sophisticated analysis:
cat /var/log/nginx/access.log | awk '$7 ~ /[^ ]*[^ ]$/ {print $1}' | sort | uniq -c | sort -nr | head -20
Capture and analyze suspicious traffic patterns:
tcpdump -i eth0 -nn -w suspect_syn.pcap 'tcp[13] & 2 != 0 and dst port 80'
tcpdump -nn -r suspect_syn.pcap | awk '{print $3}' | cut -d. -f1-4 | sort | uniq -c | sort -n
Implement these protective measures:
# Limit concurrent connections per IP
iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 50 -j REJECT
# Slow down incoming HTTP requests
iptables -A INPUT -p tcp --dport 80 -m limit --limit 100/minute --limit-burst 200 -j ACCEPT
# Drop slowloris-like connections
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m recent --set
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 60 --hitcount 20 -j DROP
Create a bash script to monitor suspicious activity:
#!/bin/bash
THRESHOLD=50
# Remote address with the most connections: skip netstat's two header lines,
# then keep the "count ip" pair from the top of the sorted tally
TOP=$(netstat -ntu | awk 'NR>2 {print $5}' | cut -d: -f1 | sort | uniq -c | sort -n | tail -n1)
CON_COUNT=$(echo "$TOP" | awk '{print $1}')
SUSPECT_IP=$(echo "$TOP" | awk '{print $2}')
if [ "${CON_COUNT:-0}" -gt "$THRESHOLD" ]; then
    echo "$(date) - Possible Slowloris attack detected (Threshold: $THRESHOLD, Current: $CON_COUNT)" >> /var/log/ddos.log
    echo "Suspicious IP: $SUSPECT_IP" >> /var/log/ddos.log
fi
When compiling evidence for ISP abuse reports, include:
- Full TCPDump captures during attack periods
- Timestamps of abnormal activity
- Pattern analysis showing repeated connection attempts
- Impact metrics (downtime, service degradation)
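The Apache log check in this answer (counting 408 and 500 responses per client) as an added example that is not the answer's own code: it parses common/combined-format access-log lines, reproduces the per-client tally of the awk one-liner, and additionally reports clients whose timeouts cluster inside a short sliding window, which is a stronger signal than a lifetime total. The log lines are constructed sample data, the 60-second window and the three-hit minimum are chosen to fit that sample, and the regular expression assumes the default Apache log format.

```python
"""Added example: per-client 408/500 counts and timeout bursts from Apache logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache common/combined log line: client, identd, user, [timestamp], "request", status, size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample lines; 198.51.100.7 collects repeated 408s within one minute.
SAMPLE_LOG = """198.51.100.7 - - [10/Mar/2024:12:00:01 +0000] "-" 408 - "-" "-"
198.51.100.7 - - [10/Mar/2024:12:00:05 +0000] "-" 408 - "-" "-"
192.0.2.55 - - [10/Mar/2024:12:00:07 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "curl/8.0"
198.51.100.7 - - [10/Mar/2024:12:00:20 +0000] "-" 408 - "-" "-"
192.0.2.55 - - [10/Mar/2024:12:00:30 +0000] "GET /missing HTTP/1.1" 404 210 "-" "curl/8.0"
198.51.100.7 - - [10/Mar/2024:12:00:45 +0000] "GET / HTTP/1.1" 500 0 "-" "-"
192.0.2.55 - - [10/Mar/2024:12:03:00 +0000] "-" 408 - "-" "-"
garbage line that does not parse
"""

# Same statuses the awk pipeline above keys on
SUSPICIOUS_STATUSES = {408, 500}


def parse_line(line):
    """Return (ip, timestamp, status) for a parseable line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FORMAT)
    return m.group("ip"), ts, int(m.group("status"))


def count_timeouts(log_text, statuses=SUSPICIOUS_STATUSES):
    """Total suspicious responses per client IP (mirrors the awk one-liner)."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[2] in statuses:
            counts[parsed[0]] += 1
    return dict(counts)


def burst_clients(log_text, window=timedelta(seconds=60), min_hits=3,
                  statuses=SUSPICIOUS_STATUSES):
    """Clients with at least `min_hits` suspicious responses inside any
    sliding window of length `window` (timestamps are sorted per client)."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[2] in statuses:
            events[parsed[0]].append(parsed[1])
    flagged = []
    for ip, times in events.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # move the window start forward until it spans at most `window`
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= min_hits:
                flagged.append(ip)
                break
    return sorted(flagged)


if __name__ == "__main__":
    for ip, n in sorted(count_timeouts(SAMPLE_LOG).items(), key=lambda kv: -kv[1]):
        print(f"{n:5d} {ip}")
    print("burst clients:", burst_clients(SAMPLE_LOG))
```

To run this against a real log, read `/var/log/apache2/access.log` into `log_text`; the output of `count_timeouts` is the same tally the awk command produces, and the burst list is what you would carry into the ISP evidence as the "pattern analysis showing repeated connection attempts".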