1
00:00:00,620 --> 00:00:02,000
Low and slow attack.

2
00:00:03,420 --> 00:00:10,470
Now, what is a low and slow attack? The low and slow attack is a type of DoS or DDoS attack that

3
00:00:10,470 --> 00:00:16,190
relies on a small stream of very slow traffic targeting application or server resources.

4
00:00:16,650 --> 00:00:22,320
So unlike more traditional brute force attacks, low and slow attacks require very little bandwidth

5
00:00:23,040 --> 00:00:26,270
and can be hard to mitigate, as they generate traffic

6
00:00:26,280 --> 00:00:29,280
that is very difficult to distinguish from normal traffic.

7
00:00:30,140 --> 00:00:38,180
So while large-scale attacks are likely to be noticed quickly, low and slow attacks can go on undetected for

8
00:00:38,180 --> 00:00:43,430
a long period of time, all while denying or slowing service to users.

9
00:00:45,420 --> 00:00:53,040
So how does this low and slow attack work? Slowloris connects to a server and then slowly sends partial

10
00:00:53,220 --> 00:00:59,850
HTTP headers. This causes the server to keep the connection open so that it can receive the rest of the

11
00:00:59,850 --> 00:01:02,070
headers, tying up the thread.

12
00:01:03,090 --> 00:01:05,980
Another tool is called R.U.D.Y., or "R-U-Dead-Yet?"

13
00:01:06,000 --> 00:01:11,130
And actually, we saw it in the show when aliens say, "Oh, that's awesome."

14
00:01:11,280 --> 00:01:17,700
So this tool is actually used to generate HTTP requests to fill out form fields.

15
00:01:17,850 --> 00:01:23,600
It tells the server how much data to expect, but then sends that data in very slowly.

16
00:01:23,790 --> 00:01:28,700
So the server keeps the connection open because it is anticipating more data.

17
00:01:29,280 --> 00:01:37,320
Yet another type of low and slow attack is the Sockstress attack, which exploits

18
00:01:37,320 --> 00:01:42,650
a vulnerability in the TCP/IP three-way handshake, creating an indefinite connection.
19
00:01:44,210 --> 00:01:52,190
So how do you detect low and slow DDoS? Detection techniques used to identify and stop traditional

20
00:01:52,190 --> 00:01:57,830
DDoS attacks will not pick up on a low and slow DDoS, since they look like normal traffic.

21
00:01:58,400 --> 00:02:06,080
So the best shot at detecting them is careful monitoring and logging of server resource usage, combined

22
00:02:06,080 --> 00:02:13,070
with behavioral analysis. Compare traffic and user behavior during normal times to traffic and user

23
00:02:13,160 --> 00:02:15,680
behavior during the potential attack period.

24
00:02:16,490 --> 00:02:23,570
So if servers are performing slowly or crashing and a low and slow attack is suspected, one sign of

25
00:02:23,570 --> 00:02:28,630
such an attack is that normal user processes take much longer.

26
00:02:29,000 --> 00:02:36,680
And if a user action such as filling out a form typically takes a few seconds, but is instead taking

27
00:02:36,680 --> 00:02:41,130
minutes or an hour, or is taking far more server resources than normal,

28
00:02:41,300 --> 00:02:41,720
a low

29
00:02:41,720 --> 00:02:43,670
and slow attack may be the cause.

30
00:02:44,560 --> 00:02:50,830
So how do you mitigate a low and slow attack? Actually, one way to mitigate the low and slow attack is to upgrade your

31
00:02:50,830 --> 00:02:51,910
server availability.

32
00:02:52,150 --> 00:02:57,220
The more connections your server can simultaneously maintain, the more difficult it would be for an attack

33
00:02:57,220 --> 00:02:58,520
to clog your server.

34
00:02:59,020 --> 00:03:04,090
The problem with this approach is that an attacker may attempt to scale their attack to meet your

35
00:03:04,090 --> 00:03:05,170
server's availability.

36
00:03:06,050 --> 00:03:12,260
And another solution is reverse proxy based protection, which will mitigate low and slow attacks

37
00:03:12,410 --> 00:03:14,240
before they ever reach your origin.
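The behavioral-analysis approach the lecture describes, as an added example that is not part of the transcript: a normal window of connections gives the baseline, and clients holding a cluster of connections far older than that baseline with headers still incomplete (Slowloris-style) or an announced body trickling in (R.U.D.Y.-style) are flagged, while a single slow user is not. The connection records, field names, addresses and thresholds are constructed assumptions, not output of any real server or product.

```python
# Added example: behavioral check for low-and-slow connection patterns.
# Records are a constructed snapshot of open HTTP connections as a server-side
# monitor might export them; field names and sample values are assumptions.
from collections import defaultdict
from dataclasses import dataclass
from statistics import median

@dataclass
class Conn:
    client: str          # source address
    age_s: float         # seconds the connection has been open
    headers_done: bool   # request headers fully received?
    declared_len: int    # Content-Length the client announced (0 if none)
    body_received: int   # body bytes actually received so far

def baseline_request_age(normal: list[Conn]) -> float:
    """Median connection age during a normal window (the behavioral baseline)."""
    return median(c.age_s for c in normal)

def flag_slow_clients(window: list[Conn], baseline_s: float,
                      factor: float = 10.0, min_conns: int = 3) -> dict[str, str]:
    """Return {client: reason} for clients holding several connections far older
    than baseline that are still starving the server: headers never completed
    (Slowloris-style) or an announced body trickling in (R.U.D.Y.-style)."""
    suspects: dict[str, list[str]] = defaultdict(list)
    for c in window:
        if c.age_s < factor * baseline_s:
            continue                      # ordinary request age, ignore
        if not c.headers_done:
            suspects[c.client].append("incomplete-headers")
        elif c.declared_len and c.body_received < c.declared_len:
            suspects[c.client].append("slow-body")
    # One stalled connection is a slow user on a bad link; a cluster is not.
    return {ip: max(set(r), key=r.count) for ip, r in suspects.items()
            if len(r) >= min_conns}

NORMAL = [Conn("198.51.100.7", 0.4, True, 0, 0), Conn("198.51.100.8", 0.9, True, 512, 512),
          Conn("198.51.100.9", 1.1, True, 0, 0), Conn("198.51.100.10", 0.6, True, 0, 0)]
SUSPECT = (
    [Conn("203.0.113.5", 240.0 + i, False, 0, 0) for i in range(5)]              # headers stall
    + [Conn("203.0.113.9", 300.0 + i, True, 100_000, 40 * i) for i in range(4)]  # body trickle
    + [Conn("198.51.100.20", 45.0, False, 0, 0),                                 # lone slow user
       Conn("198.51.100.21", 0.7, True, 0, 0)]                                   # normal request
)

def detect() -> dict[str, str]:
    return flag_slow_clients(SUSPECT, baseline_request_age(NORMAL))

if __name__ == "__main__":
    print(detect())   # {'203.0.113.5': 'incomplete-headers', '203.0.113.9': 'slow-body'}
```

In practice the baseline and the suspect window would be fed from the server's own connection table or access logs, which is exactly the monitoring and logging the lecture recommends.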