A slow read attack is a DDoS attack that exploits the target by reading its responses very slowly.
A slow read attack works by advertising a very low client receive buffer size, triggering a large response from the server, and then taking a long time to read that single response.
This prevents the server from incurring an
Slow read attacks can be dangerous for the following reasons:
They require very little bandwidth, so their traffic is difficult to distinguish from normal traffic.
Slow read attacks can go undetected for long time intervals and slow the service for real users.
They do not require many resources and can be launched using a single computer. This makes them very easy to launch and difficult to mitigate.
A slow read DDoS attack will keep the connection open for a long time. If the attacker uses a
We can detect the slow read attack if we observe that the server has many connections, but very little traffic is received or sent.
Slow read attacks are brutal to mitigate. However, the following methods can be adopted to mitigate the attack:
The server capacity can be upgraded. More connections on the server make an attack less likely to overwhelm the server.
Reverse-proxy-based protection can be used to intercept the attack before it reaches the server.
An absolute connection timeout can be set based on the median connections from valid clients.
A minimum incoming data rate should be established, and the connections that are slower than that rate should be dropped.
An event-driven software load balancer, hardware load balancers, and intrusion prevention systems can be used to drop the connections that match suspicious behavior patterns.
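The detection signal and the minimum-data-rate and absolute-timeout rules described above can be combined into one check. The following is an added example, not code from the original page, run over a constructed snapshot of a server's connection table; the thresholds, field names and addresses are assumptions for illustration.

```python
from dataclasses import dataclass

# Assumed thresholds for illustration; derive real values from your own traffic baseline.
MIN_RATE_BPS = 1024        # minimum acceptable delivery rate, bytes/second
GRACE_SECONDS = 10         # do not judge a connection younger than this
MAX_LIFETIME = 300         # absolute connection timeout, seconds
SLOW_FRACTION_ALERT = 0.3  # alert when this share of connections is slow

@dataclass
class Conn:
    peer: str
    age_s: float         # seconds since the connection was accepted
    bytes_acked: int     # response bytes the client has acknowledged
    bytes_pending: int   # response bytes still waiting in the send queue

def verdict(c: Conn) -> str:
    """Return 'drop-timeout', 'drop-slow' or 'keep' for one connection."""
    if c.age_s > MAX_LIFETIME:
        return "drop-timeout"
    if c.age_s < GRACE_SECONDS or c.bytes_pending == 0:
        return "keep"  # too young to judge, or idle with nothing left to send
    rate = c.bytes_acked / c.age_s
    return "drop-slow" if rate < MIN_RATE_BPS else "keep"

def review(conns):
    """Classify every connection and report whether the pattern suggests an attack."""
    verdicts = {c.peer: verdict(c) for c in conns}
    slow = sum(v == "drop-slow" for v in verdicts.values())
    # Many open connections with almost no data moving is the detection signal.
    under_attack = bool(conns) and slow / len(conns) >= SLOW_FRACTION_ALERT
    return verdicts, under_attack

# Constructed sample: documentation-range addresses, not real traffic.
SAMPLE = [
    Conn("198.51.100.7:40112", 120.0, 2_400, 500_000),   # 20 B/s with data queued
    Conn("198.51.100.7:40113", 95.0, 1_900, 500_000),    # 20 B/s with data queued
    Conn("203.0.113.20:51200", 12.0, 480_000, 20_000),   # 40 kB/s, healthy client
    Conn("203.0.113.21:51877", 4.0, 0, 80_000),          # still inside grace period
    Conn("203.0.113.22:33010", 400.0, 9_000_000, 0),     # past the absolute timeout
]

if __name__ == "__main__":
    verdicts, alarm = review(SAMPLE)
    for peer, v in verdicts.items():
        print(f"{peer:22} {v}")
    print("possible slow read attack:", alarm)
```

The grace period and the pending-data check keep new connections and idle keep-alive connections from being dropped as slow readers.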