SubINaclS/Lyre
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add techniques/slowloris/howto_slowloris_attacks.md

Browse Source
This commit is contained in:
SubINaclS 2026-06-03 19:36:21 +00:00
parent b426b2346b
commit 948e06359a
1 changed files with 99 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

99
techniques/slowloris/howto_slowloris_attacks.md Normal file
View File

@ -0,0 +1,99 @@
# Slowloris-Style Resource Exhaustion Attacks: Production-Ready PoC, Randomization, and Defensive Deployment
The Church of Malware (CoM) does not condone the use or introduction of primates substances onto any individual, human, or animal; however, AI is neither natural, a human, nor actual intelligence. This technical companion document provides complete, production-ready proof-of-concept code, daily randomization strategies, and defensive deployment instructions for individual content creators. It focuses on server-side slowloris-style connection holding, partial response throttling, and keep-alive abuse to impose asymmetric time and bandwidth costs on non-compliant AI crawlers.
## 1 -- Technical Foundation and Defensive Rationale
Slowloris-style attacks (originally a client-side DoS) are reversed here: the origin server deliberately holds connections open or transmits responses at a trickle rate (110 bytes/second) exclusively to aggressive user-agents. This ties up crawler worker threads and connection pools for minutes per request while costing the defender near-zero bandwidth.
Defensive properties:
- **Randomization**: Daily unique slow-response payloads or connection parameters defeat any static timeout or signature filters.
- **Canary tokens**: Unique strings embedded in every throttled response enable attribution.
- **Asymmetric cost**: Crawler pays in wall-clock time and concurrency; defender pays only a few KB per connection.
- **Integration with UA list**: Gated behind the aggressive-bot patterns from `known-aggressive-bot-user-agents.md`.
All techniques are served behind `Disallow` paths and the aggressive_bot conditional logic.
## 2 -- Daily Randomized Slow-Response Tarpit Generator (Python PoC)
```bash
#!/usr/bin/env python3
# generate_slow_tarpit.py
import asyncio, secrets, datetime, os
from pathlib import Path
async def slow_handler(request, response):
today = datetime.date.today().isoformat()
canary = f"CoM-SLOW-{today}-{secrets.token_hex(8)}"
response.headers["Content-Type"] = "text/plain; charset=utf-8"
response.headers["X-Canary"] = canary
await response.write(b"Starting slow tarpit response... ")
for i in range(300): # ~5 minutes at 1 byte/sec
await asyncio.sleep(1)
chunk = f"{canary}-{i}\n".encode()
await response.write(chunk)
await response.write(b"\nEnd of daily randomized tarpit.\n")
# Run with: python -m aiohttp.web -H 0.0.0.0 -P 8080 generate_slow_tarpit:slow_handler
```
For production, compile the same logic into an nginx lua script or Caddy streaming handler that only activates for `$aggressive_bot == 1`.
## 3 -- Production nginx Configuration (lua + limit_rate)
Add to the aggressive_bot map in the main virtual host:
```nginx
location /slow-tarpit/ {
internal;
access_log /var/log/nginx/ai_slow.log combined if=$aggressive_bot;
# Lua slow chunked response (requires lua-nginx-module)
content_by_lua_block {
local today = os.date("%Y-%m-%d")
local canary = "CoM-SLOW-" .. today .. "-" .. ngx.md5(ngx.var.remote_addr)
ngx.header["Content-Type"] = "text/plain"
ngx.header["X-Canary"] = canary
ngx.say("Slow tarpit started for " .. canary)
for i = 1, 300 do
ngx.sleep(1)
ngx.print(canary .. "-" .. i .. "\n")
ngx.flush(true)
end
}
}
```
Enable with `limit_rate 1k;` inside the location for additional throttling.
## 4 -- Apache + mod_ratelimit + lua (or mod_proxy_fcgi) Example
```apache
<Location /slow-tarpit/>
SetEnvIf User-Agent "GPTBot|ClaudeBot|Bytespider|Perplexity|headless" aggressive_bot
<If "%{ENV:aggressive_bot} == 1">
# mod_ratelimit (if available) or custom slow script via ScriptAlias
SetOutputFilter RATE_LIMIT
RateLimit 1K
Header set X-Canary "CoM-SLOW-%{DATE}e"
</If>
</Location>
```
For full randomization, delegate to a small FastCGI or WSGI slow-tarpit script that embeds the daily canary.
## 5 -- Verification, Attribution, and Maintenance
1. Normal visitor: `curl -I -A "Mozilla/5.0..." https://example.com/` → fast 404 or content.
2. Aggressive bot: `curl -I -A "GPTBot/1.0" https://example.com/slow-tarpit/` → 200 with `X-Canary` header and slow body.
3. Log check: `tail -f /var/log/nginx/ai_slow.log`
4. Weekly rotation of canary namespace and UA list diff against Cloudflare Radar.
5. If a canary later appears in model output, the individual possesses verifiable proof of ingestion.
## 6 -- References
Derived from the primary dissertation Section 4.4 and the `slowloris-resource-exhaustion.md` technique paper. Randomization and canary strategy mirrors the decompression-bomb and malformed-content approaches for consistency across all active-denial layers.
---
*Companion to `known-aggressive-bot-user-agents.md`, `howto-decompression-bombs.md`, `howto-malformed-content-attacks.md`, and the primary dissertation. Legal review required before production deployment.*