Slow-motion DoS attack

Hi All,

I was wondering if anyone has set anything up in Bro to monitor their web servers for this style of attack. They recommend or caution against the use of IPSes for blocking this attack, as the false positive rate can be fairly high for users on a slow connection. Being that Bro can monitor and maintain the state of a connection for a long time, I imagine it would be perfect for this. Looking for lengthy connections with abnormally small header request sizes sounds like it might be the best way to detect these. Of course, there are likely outliers, but I imagine legitimate use could be identified and whitelisted fairly easily.

http://arstechnica.com/business/news/2012/01/new-slow-motion-dos-attack-just-a-few-pcs-little-fear-of-detection.ars
https://community.qualys.com/blogs/securitylabs/2011/07/07/identifying-slow-http-attack-vulnerabilities-on-web-applications
https://community.qualys.com/blogs/securitylabs/2011/11/02/how-to-protect-against-slow-http-attacks

Thanks in advance for any feedback!

-Will

I have a script. :)

I've been working on this for a little while already, but I'm still expanding it to work against some of the newer attacks like the one that takes advantage of TCP window sizes to execute a slow read attack. The script still kind of sucks and has false positives in a few cases (and I'm sure false negatives as well), but I'm slowly working on getting those ironed out.

If you'd like a copy of my script to try, let me know and I can get it over to you.

  .Seth

Seth,

I would be interested in the script as well. We will be running a BRO
box out at Shmoocon this year and I'm _sure_ we'll see some interesting
traffic.

Liam Randall

Cool! It's attached.

It currently detects the slow body and slow headers attacks from the slowhttptest tool. It doesn't detect range attacks yet, but that should be easy to add. We may be able to make it detect slow read attacks with 2.1 once we get the new tcp stats analyzer integrated since that's not even technically an HTTP attack (it's a tcp attack).

I know that it currently has some false positives and generally isn't written very well. If anyone encounters any false positives, please let me know. I'd like to understand all of the cases where false positives happen.

http-DoS-detector.bro (2.39 KB)
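The detection idea Will describes (long-lived connections whose request headers dribble in) and the two cases Seth's script covers (slow headers and slow body from slowhttptest) can be expressed as a small Bro/Zeek script. This is an added example, not the script attached to the thread; the module name, notice name and thresholds are assumptions, and the thresholds are meant to be tuned and paired with a whitelist for known slow clients.

```zeek
##! Added example (not the script attached to this thread): flag HTTP requests whose
##! headers or declared body trickle in too slowly. Names and thresholds are assumptions.
@load base/frameworks/notice
@load base/protocols/http
module SlowHTTP;
export {
    redef enum Notice::Type += { Slow_HTTP_Request };
    const header_time_limit = 30secs &redef;  # headers still arriving after this
    const body_time_limit   = 60secs &redef;  # body still incomplete after this...
    const min_body_rate     = 100.0 &redef;   # ...and arriving below this many bytes/sec
}
type ReqState: record {
    start:     time;               # request line seen; reset when headers end
    body_len:  count &default=0;   # declared Content-Length, 0 if none
    body_seen: count &default=0;   # request body bytes observed so far
};
# Per-request state keyed by connection uid; the expiry is only a safety net.
global reqs: table[string] of ReqState &create_expire=15min;

event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string)
    {
    reqs[c$uid] = [$start=network_time()];
    }
# Slow headers (slowloris style): header lines keep arriving long after the request
# line. $identifier=c$uid lets the notice framework suppress repeats per connection.
event http_header(c: connection, is_orig: bool, name: string, value: string)
    {
    if ( ! is_orig || c$uid !in reqs ) return;
    local r = reqs[c$uid];
    if ( name == "CONTENT-LENGTH" ) r$body_len = to_count(value);
    local elapsed = network_time() - r$start;
    if ( elapsed > header_time_limit )
        NOTICE([$note=Slow_HTTP_Request, $conn=c, $identifier=c$uid,
                $msg=fmt("request headers still arriving after %s", elapsed)]);
    }
event http_all_headers(c: connection, is_orig: bool, hlist: mime_header_list)
    {
    if ( is_orig && c$uid in reqs ) reqs[c$uid]$start = network_time();
    }
# Slow body (slow POST): a declared body delivered a few bytes at a time.
event http_entity_data(c: connection, is_orig: bool, length: count, data: string)
    {
    if ( ! is_orig || c$uid !in reqs ) return;
    local r = reqs[c$uid];
    r$body_seen += length;
    local elapsed = network_time() - r$start;
    if ( r$body_seen < r$body_len && elapsed > body_time_limit &&
         r$body_seen / interval_to_double(elapsed) < min_body_rate )
        NOTICE([$note=Slow_HTTP_Request, $conn=c, $identifier=c$uid,
                $msg=fmt("%d of %d body bytes after %s", r$body_seen, r$body_len, elapsed)]);
    }
```

Slow read, as Seth notes, is a TCP-level attack (tiny receive windows) and is not visible to these HTTP events; it needs connection-level window statistics rather than request parsing.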