23. June 2009 23:20
There has been some animation over the web about a “new” HTTP DoS.
Unfortunately I don’t have access right now to an ISA Server 2006 acting as a reverse proxy(publishing a web server with ISA) to run Robert Hansen’s Slowloris tool against it.
I don’t want to “abuse” on others ISA’s without permission(maybe another time we will have a little bit of “fun” with ISA’s web proxy and just plain TCP, more “efficient” and “silent” that Slowloris), so I’ve ran it briefly against TMG Beta 3(installed on Windows Server 2008 SE SP2) which was publishing a web server(acting as a reverse proxy).
What was noticed:
First thing: when you try to open too many concurrent TCP connections from a host, the Flood Mitigation settings will kick in(these settings are present on ISA Server 2006 too, as can be see from the linked document).
Second thing: the “crafty” HTTP requests from Slowloris(either GET or POST requests) will only be between TMG Beta 3 and the “attacking” host(s) and they will not be forwarded to the published web server(the internal web server), more exactly TMG Beta 3 will not initiate any TCP connections to the published web server(the internal web server), web server which will be unaware of what happens in front of it. And TMG Beta 3 will continue to serve normally the rest of the clients.
ISA Server 2006 should behave in a similar fashion. You may like to read this article written by Jim Harrison.
To make it more “interesting” I've modified little bit the flood mitigations settings to not block me(in order to not need to use multiple machines).
And ran the tool against TMG Beta 3 acting as a reverse proxy for the published web server, varying between 1000-2000 sockets from a host(timeout 10 seconds, 30 seconds etc.) and things appeared to be fine.
No connection was opened with the backend web server, web server which was unaware of what happened in front of it. And TMG Beta 3 continued to serve normally the rest of the clients.