Assesses servers for Slowloris and Slow POST vulnerability. Security company Qualys is offering a tool admins can use to work out how vulnerable their servers might be to simple but often hard-to-detect a types of DDoS attack that exploit vulnerabilities in the design of HTTP.The work of engineer Sergey Shekyan, QualysGuard Web Application Scanner (WAS) can be used to detect vulnerability to one of two possible slow HTTP attacks, ‘Slowloris’ and Slow POST detection; the first opens a connection but delays completion and can be exploited using a circulating tool, while the second involves manipulating the content length header.Both can slow attacked servers down to a crawl or even a stop.Despite being fairly simple to pull off, these techniques are believed to have been behind some of the attacks carried out in recent times by groups such as LulzSec, notably one on the CIA in June. Earlier in the year, slow HTTP was also used to attack Wikileaks. An unknown number of servers could be configured in a way that might allow these attacks to succeed but quickly assessing vulnerability can be difficult without causing the server in question some difficulty. WAS allows this to be done without taking the server down.“These types of attack are easy to execute because a single machine is able to establish thousands of connections to a server and generate thousands of unfinished HTTP requests in a very short period of time using minimal bandwidth,” writes Shekyan. One thing WAS does not do is to mitigate the attacks which will vary from server platform to platform. On Apache, the first line of defence is to set up IPtables to disallow large numbers of requests from one IP address but this is still only one of a number of possible avenues. Defending against these types of DDoS can still be difficult. Related content news analysis Companies are already feeling the pressure from upcoming US SEC cyber rules New Securities and Exchange Commission cyber incident reporting rules don't kick in until December, but experts say they highlight the need for greater collaboration between CISOs and the C-suite By Cynthia Brumfield Sep 28, 2023 6 mins Regulation Data Breach Financial Services Industry news UK data regulator warns that data breaches put abuse victims’ lives at risk The UK Information Commissioner’s Office has reprimanded seven organizations in the past 14 months for data breaches affecting victims of domestic abuse. By Michael Hill Sep 28, 2023 3 mins Electronic Health Records Data Breach Government news EchoMark releases watermarking solution to secure private communications, detect insider threats Enterprise-grade software embeds AI-driven, forensic watermarking in emails and documents to pinpoint potential insider risks By Michael Hill Sep 28, 2023 4 mins Communications Security Threat and Vulnerability Management Security Software news SpecterOps to use in-house approximation to test for global attack variations The new offering uses atomic tests and in-house approximation in purple team assessment to test all known techniques of an attack. By Shweta Sharma Sep 28, 2023 3 mins Penetration Testing Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe