R.U.D.Y is a slow-rate attack tool that, like Slowloris and SOCKSTRESS, exploits a design weakness and can cause DoS with a surprisingly low-rate flood. R.U.D.Y can potentially target any web server. It implements a technique for attacking websites known as a slow HTTP POST request (published in Nov 2010). It runs with an interactive console menu, automatically detecting forms within a given URL and allowing the user to choose which forms and form fields to use for the POST attack.
The tool sends the HTTP POST request, but instead of sending the entire request in a single packet, it sends the data part byte by byte. Each byte is sent in its own packet at intervals of 10 seconds in order to exhaust the server's resources. Waiting for HTTP headers to complete sending is a basic and inherent behavior of web servers. Servers must "obey" the rules of the "Content-Length" field and wait for the complete message body to be sent. This behavior allows web servers to support users with slow or intermittent connections. The server keeps the connection open, which allows the attacker to open numerous connections in parallel until the web server's connection limit is reached and service is denied. Any website that has forms, i.e. accepts HTTP POST requests, is susceptible to such attacks.
The tool is very efficient because it takes fewer connections to reach the server's resource limits, which makes it highly damaging, and this is why it deserves the name of a slow-rate attack. It can deny service regardless of the hardware capabilities of the host. However, since the attack is carried out by sending packets that each carry one byte of data, it can be detected as abnormal traffic.
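The detection idea in the last paragraph, sketched as an added example (not code from the original page or from the tool): it flags POST connections whose body arrives as tiny segments with long gaps relative to the declared Content-Length, then groups them by source. The record layout, the thresholds, and the sample addresses are assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed sample records (not real traffic):
# (conn_id, src_ip, declared Content-Length, [(seconds, body_bytes_in_segment), ...])
SAMPLE = [
    ("c1", "198.51.100.7", 100000, [(0, 1), (10, 1), (20, 1), (30, 1)]),
    ("c2", "198.51.100.7", 100000, [(1, 1), (11, 1), (21, 1), (31, 1)]),
    ("c3", "198.51.100.7", 100000, [(2, 1), (12, 1), (22, 1)]),
    # Normal upload: full-size segments, sub-second gaps.
    ("c4", "203.0.113.20", 5000, [(0, 1460), (0.4, 1460), (0.9, 1460), (1.5, 620)]),
    # Normal small form post: whole body in one segment.
    ("c5", "203.0.113.21", 300, [(0, 300)]),
]

def is_slow_post(content_length, segments, max_seg=8, min_gap=5.0, max_eta=120.0):
    """True when the body trickles in: tiny segments, long gaps, and a
    projected completion time far beyond a sane request timeout.
    Thresholds are assumed values; tune them against your own baseline."""
    if len(segments) < 3:
        return False  # too little evidence; single-segment bodies are normal
    times = [t for t, _ in segments]
    sizes = [n for _, n in segments]
    gaps = [b - a for a, b in zip(times, times[1:])]
    received = sum(sizes)
    elapsed = times[-1] - times[0]
    rate = received / elapsed if elapsed > 0 else float("inf")
    # Seconds still needed to deliver the declared body at the observed rate.
    eta = (content_length - received) / rate if rate > 0 else float("inf")
    return median(sizes) <= max_seg and median(gaps) >= min_gap and eta > max_eta

def suspicious_sources(records, min_conns=3):
    """Group flagged connections by source; many parallel slow POSTs from
    one address is the connection-exhaustion pattern described above."""
    per_src = defaultdict(list)
    for conn_id, src, clen, segs in records:
        if is_slow_post(clen, segs):
            per_src[src].append(conn_id)
    return {src: ids for src, ids in per_src.items() if len(ids) >= min_conns}

if __name__ == "__main__":
    for src, ids in suspicious_sources(SAMPLE).items():
        print(f"{src}: {len(ids)} slow POST connections {ids}")
```

The size and gap checks alone would also catch a client on a poor link that stalls briefly; the projected-completion check keeps the rule focused on bodies that could not finish within any reasonable timeout.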