We were made aware of a potential Slowloris attack vulnerability for our Netlify site. Slowloris is a denial-of-service attack program which allows an attacker to overwhelm a targeted server by opening and maintaining many simultaneous HTTP connections between the attacker and the target. Is there anything we can do to prevent this?
Proof of concept:
Steps to reproduce (use Kali Linux OS):
1) Open terminal and enter command
git clone https://github.com/llaera/slowloris.pl.git
- It will download the slowloris.pl folder into your home directory
- Go to that folder and open it in a terminal
- Then enter command: perl slowloris.pl -dns
- Wait for it to complete
- It will lower your site’s accessibility.
That is a private repo that cannot be cloned without access. Also, the steps above do not include instructions to point that software at a Netlify site. Finally, you are not permitted to be doing security testing at Netlify unless you have an Enterprise team or you are using the HackerOne reporting program. Neither of those is true from what I can see here.
That all said, if you have a real world example of this being used against Netlify, please provide that information and we’ll take a look.
For some further context, this was reported to my team through our own bug bounty program by a whitehat hacker. It was reported on July 11, on which you can see a spike in page views despite no substantial increase in the number of users. I believe this was a demonstration by the whitehat of the vulnerability. In general, is there any rate limiting we can implement for our Netlify site?
Netlify already has rate-limits in place: Hasura Instance is Blocked by Netlify
Your “attacker’s” threshold was probably so small that we did not bother limiting it. But you can use Edge Functions to set up your own rate-limits.
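As an added illustration of the "set up your own rate-limits in an Edge Function" suggestion above (example code written for this thread, not Netlify's own code or a sample from the reporter), here is a per-client sliding-window limiter in the shape of a Netlify Edge Function handler. Assumptions, all labelled in the code: the client IP arrives as `context.ip` (the field Netlify Edge Functions provide; only that field is modelled here), the limits of 60 requests per 60 seconds are illustrative, and the counter lives in the isolate's memory, so it is best-effort rather than a globally consistent count. One caveat worth stating plainly: Slowloris works by holding half-open HTTP connections, which are terminated at Netlify's CDN edge before an Edge Function ever runs, so a limiter like this addresses request floods (the page-view spike described in the thread), not connection exhaustion.

```typescript
// Added example: per-client sliding-window rate limiting for a Netlify Edge Function.
// Not Netlify's code. Assumed: context.ip carries the client IP; limits are illustrative;
// state is per-isolate memory, so counts are best-effort, not globally consistent.

type EdgeContext = { ip: string }; // minimal stand-in for Netlify's Context (assumed)

export interface Limiter {
  readonly windowMs: number;
  /** Returns true if the request identified by `key` is within limits, false if it should be rejected. */
  check(key: string, now?: number): boolean;
}

/**
 * Sliding-window limiter: at most `limit` hits per `key` in any `windowMs` span.
 * `maxKeys` bounds memory so that a flood of distinct source keys cannot itself
 * exhaust the isolate (an unbounded map would be its own DoS vector).
 */
export function createSlidingWindowLimiter(
  limit: number,
  windowMs: number,
  maxKeys = 10_000,
): Limiter {
  const hits = new Map<string, number[]>(); // key -> timestamps of recent hits
  let calls = 0;

  // Drop timestamps older than the window and keys with nothing left.
  function prune(now: number): void {
    const cutoff = now - windowMs;
    for (const [k, ts] of hits) {
      const live = ts.filter((t) => t > cutoff);
      if (live.length === 0) hits.delete(k);
      else hits.set(k, live);
    }
  }

  return {
    windowMs,
    check(key, now = Date.now()) {
      // Amortised housekeeping: every 1000 checks, or whenever the table grows too large.
      if (++calls % 1000 === 0 || hits.size > maxKeys) prune(now);

      const cutoff = now - windowMs;
      const recent = (hits.get(key) ?? []).filter((t) => t > cutoff);
      if (recent.length >= limit) {
        hits.set(key, recent); // keep the trimmed list, but do not record the rejected hit
        return false;
      }
      recent.push(now);
      hits.set(key, recent);
      return true;
    },
  };
}

/**
 * Builds an Edge Function handler. Returning undefined tells Netlify to continue
 * serving the request as normal; returning a Response short-circuits it.
 */
export function makeHandler(limiter: Limiter) {
  return (request: Request, context: EdgeContext): Response | undefined => {
    const key = context.ip; // assumed: Netlify supplies the client IP here
    if (limiter.check(key)) return undefined;
    return new Response("Too Many Requests", {
      status: 429,
      headers: {
        "Retry-After": String(Math.ceil(limiter.windowMs / 1000)),
        "Content-Type": "text/plain",
      },
    });
  };
}

// Illustrative limits: 60 requests per client per minute. In a real edge function this
// handler would be the module's default export and be mapped to a path in netlify.toml.
export const handler = makeHandler(createSlidingWindowLimiter(60, 60_000));
```

Because each isolate keeps its own map, a client spread across several edge nodes can exceed the nominal limit by a factor equal to the number of isolates it touches; if that matters, back the counter with a shared store instead of the in-memory map.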