Doing the Basics Would Have Saved You

A new Zero-Day attack is out and available to attackers. This attack was discussed on the SANS Internet Storm Center website: https://isc.sans.edu/forums/diary/SMBLoris+the+new+SMB+flaw/22662/

SMBLoris – the new SMB flaw

The ISC article was written after reviewing a Threatpost article, but was ultimately triggered by the DEF CON 2017 presentation:


Notice the arrows on the right showing memory usage on a webserver going close to 100%.

What makes this attack (DoS, Denial of Service) so bad is that it works like ‘SlowLoris’, which sends partial HTTP requests to webservers (i.e. never fully completing the request). Enough of these partial connections slow the webserver to a crawl. And since each one looks like a standard request, it is hard to distinguish friend from foe.

This is an interesting point from the archive.org webpage:

“Slowloris holds connections open by sending partial HTTP requests. It continues to send subsequent headers at regular intervals to keep the sockets from closing. In this way webservers can be quickly tied up. In particular, servers that have threading will tend to be vulnerable, by virtue of the fact that they attempt to limit the amount of threading they’ll allow. Slowloris must wait for all the sockets to become available before it’s successful at consuming them, so if it’s a high traffic website, it may take a while for the site to free up its sockets. So while you may be unable to see the website from your vantage point, others may still be able to see it until all sockets are freed by them and consumed by Slowloris. This is because other users of the system must finish their requests before the sockets become available for Slowloris to consume. If others re-initiate their connections in that brief time-period they’ll still be able to see the site. So it’s a bit of a race condition, but one that Slowloris will eventually always win – and sooner than later.”

So this is not a simple, easy-to-see issue. It abuses the way the webserver operates, and the following 4 applications are affected:


  • Apache 1.x
  • Apache 2.x
  • dhttpd
  • GoAhead WebServer

Slowloris is just one variant, and as hackers review this attack, further variants may be created that exploit it in as yet unknown ways. As of this posting there is no CERT classification yet.

What do I mean by the basics? Well, if you have a webserver, it should not have port 445 open to the public:

Google's definition of port 445:

Port 445 is an SMB (Server Message Block) port, used by NetBIOS protocols, usually in file sharing applications. One should not have a webserver with port 445 open and available on the Internet.

So, if you have done the basics, i.e. not exposed 445 or other ports that are unnecessary, then this attack will likely not affect you, or will affect you only minimally. If you had to keep everything open, it might be time to run a firewall or connection-limiting device in front of your website. This is a fluid issue at this time, so keep an eye out for new attacks. Contact Us to discuss.
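To make "the basics" concrete, here is an added example (not code from the original post or from the ISC article) of two checks an administrator can run against `ss` output: which peers are hoarding connections to the web or SMB ports, the Slowloris pattern of many long-lived, half-finished connections from one source, and whether port 445 is listening on a public address at all. The `ss` output embedded below is constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post. Detection over `ss` output:
#  - hoarders:    peers holding many concurrent connections to port 80/445
#  - exposed_445: SMB listening on a wildcard (public) address
# All sample output below is constructed for this example.

# Constructed `ss -tn` output: one peer holds five connections to port 80.
SAMPLE_ESTAB='State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 192.0.2.10:80 198.51.100.4:51022
ESTAB 0 0 192.0.2.10:80 203.0.113.7:40001
ESTAB 0 0 192.0.2.10:80 203.0.113.7:40002
ESTAB 0 0 192.0.2.10:80 203.0.113.7:40003
ESTAB 0 0 192.0.2.10:80 203.0.113.7:40004
ESTAB 0 0 192.0.2.10:80 203.0.113.7:40005
ESTAB 0 0 192.0.2.10:22 198.51.100.9:60123'

# Constructed `ss -ltn` output: SMB (445) bound to every interface.
SAMPLE_LISTEN='State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 50 0.0.0.0:445 0.0.0.0:*
LISTEN 0 128 127.0.0.1:3306 0.0.0.0:*'

# hoarders THRESHOLD: read `ss -tn` output on stdin, print "peer count" for
# every peer holding THRESHOLD or more established connections to port 80 or 445.
hoarders() {
    awk -v limit="$1" '
        $1 == "ESTAB" && $4 ~ /:(80|445)$/ {
            peer = $5; sub(/:[0-9]+$/, "", peer)   # drop the port; keeps IPv4 or [IPv6]
            count[peer]++
        }
        END { for (p in count) if (count[p] >= limit) print p, count[p] }'
}

# exposed_445: read `ss -ltn` output on stdin, print port-445 listeners bound
# to a wildcard address (0.0.0.0, *, or [::]), i.e. reachable from outside.
exposed_445() {
    awk '$1 == "LISTEN" && $4 ~ /^(0\.0\.0\.0|\*|\[::\]):445$/ { print $4 }'
}

# On a live host:  ss -tn | hoarders 20    and    ss -ltn | exposed_445
printf '%s\n' "$SAMPLE_ESTAB" | hoarders 3
printf '%s\n' "$SAMPLE_LISTEN" | exposed_445
```

The same per-peer limit can be enforced by the firewall in front of the site (for example the iptables `connlimit` match), which is the "port limiter" role described above.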


Remember the hacker takes advantage of poor configurations.

Contact Us to discuss auditing your environment and review the basics in IT security.