In OWASP 2010, Wong Onn Chee and Tom Brennan demonstrated an attack similar to Slowloris, which is called HTTP POST DOS.
This specifies a very large content-length value when sending the HTTP POST packet, sending it at a very low speed, such as one byte in between 10 ~ 100 s to maintain the connection. So when the number of client connections increases, all the available connections of the web server will be occupied, resulting in DOS.
The successful implementation of the attack will leave the following error log (Apache):
$tail -f /var/log/apache2/error.log [Mon Nov 22 15:23:17 2010] [notice] Apache/2.2.9 (Ubuntu) PHP/5.2.6-2ubuntu4.6 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g configured — resuming normal operations [Mon Nov 22 15:24:46 2010] [error] server reached MaxClients setting, consider raising the MaxClients setting
The nature of the attack is also against the MaxClients restriction of Apache. To solve this problem, you can use a web application firewall or a custom web server security module.
From the last two examples, we think that where resources are restricted, there is a misuse of resources, resulting in a DoS, which is a kind of resource exhaustion attack. Because of the restriction of availability and physical conditions, memory, processes, storage space, and other resources cannot increase infinitely. If we do not restrict the quota for untrusted resource users, it may cause a DoS. The memory leak is a bug that programmers often need to solve, but in the security field, the memory leak is considered to be a way of causing the DoS attack.
