In the following blogs we discussed about Slow-Header and Slow-Post attacks, respectively in detail

Now this blog targets Slow-Read attack. Slow-Header and Slow-Post attack works by posting the request at a very slow speed. However, the Slow-Read  attack targets at reading a response from server at a very slow speed.

When making a Slow-Read attack, a client establishes a connection to the Server and sends an appropriate HTTP request, However, the client reads the response at a very slow speed. Some Slow-Read attack clients don’t read the response at all for long time and then starts reading data one byte at a time just before the idle connection timeout. The clients sends a Zero window to the server which makes the Server to assume that the client is busy reading the data. As a result, the server to keeps the connection opened for long period of time. Such multiple connections to the Server will consume the resources of the server and can make the server unresponsive to the new and genuine requests. The following trace shows one example of the attack where the client sends the request and keep sending Zero window to the Server in order to keep the connection open without reading any data.

The NetScaler appliance has a built-in protection mechanism against this attack. A slow-read attack client reads a server response at a slow speed  by advertising a small or zero window. If a malicious client sends a TCP segment with window value less than 1 MSS and if it is idle for predefined set of time, NetScaler has intelligence to identify such connections and silently drop them as part of attack protection mechanism. This NetScaler protection feature is activated when large numbers of connections in small-window condition are accumulated. For attack scenarios where the number of connections is less, the malicious connections are flagged as zombies and purged by using the zombie cleanup feature after client idle timeout is reached.

The NetScaler protection feature works in this case and thwarts the attack. However, you must note that in cases where a malicious client sends a window of 1 MSS or greater and reads the response data at a very slow speed, it will be treated as a legitimate client. NetScaler can be configured to drop such packets also as part of attack protection mechanism.

All these protections are enabled by default in NetScaler.