Slow Read attack affects web servers - how to protect against this attack using NetScaler

3:58 PM

In previous blogs, we discussed the Slow Header and Slow POST attacks in detail:

  • (/ blogs / 2011/09/20 / slow-header-attack-put-down-to-many sites recently-% E2% 80% 93 know how to protect - -against-the-attack-using NetScaler /)
  • (/ blogs / 2011/09/23 / slow post-attack-affects-application-around-the-world-% E2% 80% 93 - is-how-protection-against-the-attacks using NetScaler /)

This blog targets the Slow Read attack. The Slow Header and Slow POST attacks work by sending the request to the application at a very slow rate. The Slow Read attack, in contrast, reads the response from the server at a very slow rate.

During a Slow Read attack, the client establishes a connection to the server and sends a well-formed HTTP request, but then reads the response very slowly. Some Slow Read clients do not read the response at all for a long time and then start reading the data one byte at a time just before the idle connection timeout would expire. The client advertises a zero TCP receive window to the server, which makes the server assume that the client is still consuming the data; accordingly, the server keeps the connection open for a long time. Many such connections consume server resources (open sockets, worker threads, buffered response data) and can cause the server to stop responding to new, legitimate requests. The following trace shows an example of the attack: the client sends the request and then keeps advertising a zero window to the server, keeping the connection open without reading the data.

The NetScaler appliance has a built-in protection mechanism against this attack. A Slow Read attack client reads the server's response slowly by advertising a small or zero window. If a client sends a TCP segment whose advertised window is below 1 MSS and then stays idle for a predefined time, NetScaler identifies such connections and silently drops them as part of its attack protection. This protection is activated when a large number of connections accumulate in the small-window state. In attack scenarios where the number of such connections is smaller, the malicious connections are flagged as zombies and purged by the zombie cleanup function once the client timeout is reached.

The NetScaler protection works in this case and thwarts the attack. Note, however, that a malicious client that advertises a window of one MSS or more and reads the response data very slowly is treated as a legitimate client by this check. NetScaler can also be configured to drop such connections as part of its attack protection.
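The following is an added example that models the small-window heuristic described in the two paragraphs above; it is not NetScaler code and not from the original post. It classifies a set of constructed client connections by the receive window they last advertised and how long they have been idle: many sub-MSS idle connections put the detector into attack mode and are dropped, a lone one is flagged as a zombie and purged once the client timeout is reached, and a slow reader that keeps its window at or above 1 MSS is treated as legitimate, which is exactly the caveat noted above. The MSS, idle threshold, attack threshold and client timeout values are assumptions chosen for illustration.

```python
"""Model of the small-window (Slow Read) heuristic described in the post.

Constructed example, not NetScaler's implementation: the thresholds below are
assumptions, and the connection records are synthetic.
"""
from dataclasses import dataclass

MSS = 1460                    # assumed TCP maximum segment size, bytes
SMALL_WINDOW_IDLE_SECS = 10   # assumed: how long a sub-MSS window may sit idle
ATTACK_THRESHOLD = 3          # assumed: small-window connections that trigger dropping
CLIENT_TIMEOUT_SECS = 180     # assumed: client idle timeout used by zombie cleanup


@dataclass(frozen=True)
class Segment:
    t: float       # seconds since the connection was opened
    window: int    # receive window the client advertised in this segment, bytes


@dataclass
class Connection:
    cid: str
    segments: list  # Segment objects in arrival order

    @property
    def last(self) -> Segment:
        return self.segments[-1]


def is_small_window_idle(conn: Connection, now: float) -> bool:
    """Latest advertised window is below 1 MSS and the client has been quiet long enough."""
    seg = conn.last
    return seg.window < MSS and (now - seg.t) >= SMALL_WINDOW_IDLE_SECS


def classify(conns, now: float) -> dict:
    """Return {cid: verdict} for every connection.

    drop   : small-window idle, and enough such connections exist to look like an attack
    zombie : small-window idle, but too few to enter attack mode (purged at client timeout)
    purge  : zombie whose idle time has reached CLIENT_TIMEOUT_SECS
    ok     : everything else, including slow readers that keep window >= 1 MSS
    """
    suspects = {c.cid for c in conns if is_small_window_idle(c, now)}
    attack_mode = len(suspects) >= ATTACK_THRESHOLD
    verdict = {}
    for c in conns:
        if c.cid not in suspects:
            verdict[c.cid] = "ok"
        elif attack_mode:
            verdict[c.cid] = "drop"
        elif now - c.last.t >= CLIENT_TIMEOUT_SECS:
            verdict[c.cid] = "purge"
        else:
            verdict[c.cid] = "zombie"
    return verdict


# --- constructed sample connections -------------------------------------------

def zero_window_client(cid: str) -> Connection:
    """Sends the request with a normal window, then advertises window 0 and goes quiet."""
    return Connection(cid, [Segment(0.0, 65535), Segment(0.5, 0)])


def slow_but_legit_client(cid: str) -> Connection:
    """Reads slowly but keeps its window above 1 MSS: indistinguishable from a slow network."""
    return Connection(cid, [Segment(0.0, 65535), Segment(50.0, 2 * MSS)])


# Three zero-window connections plus one slow-but-legitimate reader.
ATTACK = [zero_window_client(f"a{i}") for i in range(3)] + [slow_but_legit_client("legit")]
# A single zero-window connection: below the attack threshold.
LONE = [zero_window_client("a0"), slow_but_legit_client("legit")]


if __name__ == "__main__":
    print("attack @60s :", classify(ATTACK, 60.0))
    print("lone   @60s :", classify(LONE, 60.0))
    print("lone   @200s:", classify(LONE, 200.0))
```

The idle timer here is measured from the client's last segment; a production implementation would also have to account for the server-side send queue and the fact that a client advertising a window of one MSS or more can still drain the response one byte per round trip without ever falling below the threshold, which is why the post recommends enabling the additional drop setting for that case.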

These protections are enabled by default in NetScaler.
