Low and slow attacks, unlike floods, do not require a large amount of traffic. Low and slow attacks mostly target application resources and sometimes server resources. By nature, they are difficult to detect because they involve connections and data transfers that appear to occur at normal rates, making it challenging to implement web application security and DDoS attack mitigation strategies.
Sockstress attacks are a common type of low and slow DDoS attack.
Sockstress is an attack tool that exploits vulnerabilities in the TCP stack, allowing an attacker to create a denial of service condition for a target server. In a normal TCP three-way handshake, a client sends a SYN packet to the server, the server responds with a SYN-ACK packet, and the client responds with an ACK, establishing a connection. Sockstress establishes a normal TCP connection with the target server but sends a "window size 0" packet to the server inside the last ACK. The TCP window is a buffer that stores received data before uploading it to the application layer. Window size set to zero means that the window size is 0 bytes. This setting tells the sender to stop sending more data until further notice.
In this case, the server continually sends probe packets to the client to see when it can accept new information, but the connection remains open indefinitely because the attacker does not change the window size. By opening many of these connections, the attacker consumes all of the space in the server's TCP connection table and other tables, preventing legitimate users from establishing a connection. Alternately, the attacker may open many connections with very small - around 4-byte - window sizes. Doing so forces the server to break information into massive numbers of tiny chunks, which consumes a server's available memory and causes a denial of service.
Protecting Against Low and Slow DDoS Attacks
Low and slow attacks can target server and application resources. For example, they can target specific design flaws or vulnerabilities on a target server with a relatively small amount of malicious traffic, eventually causing it to crash. As a result, these serious attacks require sophisticated DDoS mitigation and DDoS protection solutions.