Slowloris

LTM on its own (and ASM standalone) can protect against the slow header attack as a VIP with an HTTP profile buffers the HTTP request headers before opening a new or using an existing serverside TCP connection. ASM provides an even higher level of protection in that it buffers the HTTP headers and payload before sending the request to the servers.

 

 

As far as I'm aware, Imperva (at least in a transparent bridge mode), cannot provide full protection against the attack. They do not buffer the request headers, so the best they can do is send a TCP reset to the server if/once they detect the symptoms of an attack (for example, more than X number of headers sent in a request). The TCP connection would already be established to the server though. I don't know whether they can handle it better in reverse proxy mode--though considering they recommend the reverse proxy configuration only in a small percentage of implementations it might be a moot point.

 

 

I'm not sure about the other major WAFs on the market. I'd expect most reverse proxy load balancers and reverse proxy WAFs could be configured to protect against this type of attack.

 

 

Does anyone else have corrections/additions to this?

 

 

Aaron