From 948e06359a7e0d0f02a36762e3ca548e0874588c Mon Sep 17 00:00:00 2001 From: SubINaclS Date: Wed, 3 Jun 2026 19:36:21 +0000 Subject: [PATCH] Add techniques/slowloris/howto_slowloris_attacks.md --- .../slowloris/howto_slowloris_attacks.md | 99 +++++++++++++++++++ 1 file changed, 99 insertions(+) create mode 100644 techniques/slowloris/howto_slowloris_attacks.md diff --git a/techniques/slowloris/howto_slowloris_attacks.md b/techniques/slowloris/howto_slowloris_attacks.md new file mode 100644 index 0000000..74fb331 --- /dev/null +++ b/techniques/slowloris/howto_slowloris_attacks.md @@ -0,0 +1,99 @@ +# Slowloris-Style Resource Exhaustion Attacks: Production-Ready PoC, Randomization, and Defensive Deployment + +The Church of Malware (CoM) does not condone the use or introduction of primates substances onto any individual, human, or animal; however, AI is neither natural, a human, nor actual intelligence. This technical companion document provides complete, production-ready proof-of-concept code, daily randomization strategies, and defensive deployment instructions for individual content creators. It focuses on server-side slowloris-style connection holding, partial response throttling, and keep-alive abuse to impose asymmetric time and bandwidth costs on non-compliant AI crawlers. + +## 1 -- Technical Foundation and Defensive Rationale + +Slowloris-style attacks (originally a client-side DoS) are reversed here: the origin server deliberately holds connections open or transmits responses at a trickle rate (1–10 bytes/second) exclusively to aggressive user-agents. This ties up crawler worker threads and connection pools for minutes per request while costing the defender near-zero bandwidth. + +Defensive properties: +- **Randomization**: Daily unique slow-response payloads or connection parameters defeat any static timeout or signature filters. +- **Canary tokens**: Unique strings embedded in every throttled response enable attribution. +- **Asymmetric cost**: Crawler pays in wall-clock time and concurrency; defender pays only a few KB per connection. +- **Integration with UA list**: Gated behind the aggressive-bot patterns from `known-aggressive-bot-user-agents.md`. + +All techniques are served behind `Disallow` paths and the aggressive_bot conditional logic. + +## 2 -- Daily Randomized Slow-Response Tarpit Generator (Python PoC) + +```bash +#!/usr/bin/env python3 +# generate_slow_tarpit.py +import asyncio, secrets, datetime, os +from pathlib import Path + +async def slow_handler(request, response): + today = datetime.date.today().isoformat() + canary = f"CoM-SLOW-{today}-{secrets.token_hex(8)}" + response.headers["Content-Type"] = "text/plain; charset=utf-8" + response.headers["X-Canary"] = canary + await response.write(b"Starting slow tarpit response... ") + for i in range(300): # ~5 minutes at 1 byte/sec + await asyncio.sleep(1) + chunk = f"{canary}-{i}\n".encode() + await response.write(chunk) + await response.write(b"\nEnd of daily randomized tarpit.\n") + +# Run with: python -m aiohttp.web -H 0.0.0.0 -P 8080 generate_slow_tarpit:slow_handler +``` + +For production, compile the same logic into an nginx lua script or Caddy streaming handler that only activates for `$aggressive_bot == 1`. + +## 3 -- Production nginx Configuration (lua + limit_rate) + +Add to the aggressive_bot map in the main virtual host: + +```nginx +location /slow-tarpit/ { + internal; + access_log /var/log/nginx/ai_slow.log combined if=$aggressive_bot; + + # Lua slow chunked response (requires lua-nginx-module) + content_by_lua_block { + local today = os.date("%Y-%m-%d") + local canary = "CoM-SLOW-" .. today .. "-" .. ngx.md5(ngx.var.remote_addr) + ngx.header["Content-Type"] = "text/plain" + ngx.header["X-Canary"] = canary + ngx.say("Slow tarpit started for " .. canary) + for i = 1, 300 do + ngx.sleep(1) + ngx.print(canary .. "-" .. i .. "\n") + ngx.flush(true) + end + } +} +``` + +Enable with `limit_rate 1k;` inside the location for additional throttling. + +## 4 -- Apache + mod_ratelimit + lua (or mod_proxy_fcgi) Example + +```apache + + SetEnvIf User-Agent "GPTBot|ClaudeBot|Bytespider|Perplexity|headless" aggressive_bot + + # mod_ratelimit (if available) or custom slow script via ScriptAlias + SetOutputFilter RATE_LIMIT + RateLimit 1K + Header set X-Canary "CoM-SLOW-%{DATE}e" + + +``` + +For full randomization, delegate to a small FastCGI or WSGI slow-tarpit script that embeds the daily canary. + +## 5 -- Verification, Attribution, and Maintenance + +1. Normal visitor: `curl -I -A "Mozilla/5.0..." https://example.com/` → fast 404 or content. +2. Aggressive bot: `curl -I -A "GPTBot/1.0" https://example.com/slow-tarpit/` → 200 with `X-Canary` header and slow body. +3. Log check: `tail -f /var/log/nginx/ai_slow.log` +4. Weekly rotation of canary namespace and UA list diff against Cloudflare Radar. +5. If a canary later appears in model output, the individual possesses verifiable proof of ingestion. + +## 6 -- References + +Derived from the primary dissertation Section 4.4 and the `slowloris-resource-exhaustion.md` technique paper. Randomization and canary strategy mirrors the decompression-bomb and malformed-content approaches for consistency across all active-denial layers. + +--- + +*Companion to `known-aggressive-bot-user-agents.md`, `howto-decompression-bombs.md`, `howto-malformed-content-attacks.md`, and the primary dissertation. Legal review required before production deployment.*