Attack Technique | Description | FortiWeb Solution |
Botnet | Utilizes zombies previously exploited or infected (or willingly participating), distributed usually globally, to simultaneously overwhelm the target when directed by the command and control server(s). Well-known examples include LOIC, HOIC, and Zeus. | |
Low-rate DoS | Exploits TCP’s retransmission time-out (RTO) by sending short-duration, high-volume bursts repeated periodically at slower RTO time-scales. This causes a TCP flow to repeatedly enter a RTO state and significantly reduces TCP throughput. | • TCP Connection Number Limit (TCP flood prevention) • HTTP Request Limit/sec (HTTP flood prevention) • TCP Connection Number Limit (malicious IP prevention) |
Slow POST attack | Sends multiple HTTP POST requests with a legitimate Content-Length: field. This tells the web server how much data to expect. Each POST message body is then transmitted at an unusually slow speed to keep the connection from timing out, and thereby consuming sockets. | |
Slowloris | Slowly but steadily consumes all available sockets by sending partial HTTP requests sent at regular intervals. Each HTTP header is never finished by a new line (/r/n) according to the specification, and therefore the server waits for the client to finish, keeping its socket open. This slowly consumes all sockets on a web server without a noticeable spike on new TCP/IP connections or bandwidth. Not all web servers are vulnerable, and susceptibility can vary by configuration. Default Apache configurations may be more vulnerable than a server like nginx that is designed for high concurrency. | Real Browser Enforcement |
SYN flood | Sends a stream of TCP SYN packets. The target server acknowledges each SYN and waits for a response (ACK). Rather than respond, the attacker sends more SYN packets, leaving each connection half-open, not fully formed, so that it may not register on systems that only monitor fully formed connections. Since each half-formed connection requires RAM to remember this state while awaiting buildup/tear-down, many SYN signals eventually consume available RAM or sockets. |