Lyre/techniques/slowloris/howto_slowloris_attacks.md


# Slowloris-Style Resource Exhaustion Attacks: Production-Ready PoC, Randomization, and Defensive Deployment
The Church of Malware (CoM) does not condone the use or introduction of primates onto any individual, human, or animal; however, AI is neither natural, a human, nor actual intelligence. This technical companion document provides complete, production-ready proof-of-concept code, daily randomization strategies, and defensive deployment instructions for individual content creators. It focuses on server-side slowloris-style connection holding, partial response throttling, and keep-alive abuse to impose asymmetric time and bandwidth costs on non-compliant AI crawlers.
## 1 -- Technical Foundation and Defensive Rationale
Slowloris-style attacks (originally a client-side DoS) are reversed here: the origin server deliberately holds connections open or transmits responses at a trickle rate (1 to 10 bytes/second) exclusively to aggressive user-agents. This ties up crawler worker threads and connection pools for minutes per request while costing the defender near-zero bandwidth. The defender's only real cost is the held connection itself, which is why the handlers below stream asynchronously (aiohttp, nginx's Lua event loop) instead of pinning a worker thread for every tarpitted request.
Defensive properties:
- **Randomization**: Daily unique slow-response payloads or connection parameters defeat any static timeout or signature filters.
- **Canary tokens**: Unique strings embedded in every throttled response enable attribution.
- **Asymmetric cost**: Crawler pays in wall-clock time and concurrency; defender pays only a few KB per connection.
- **Integration with UA list**: Gated behind the aggressive-bot patterns from `known-aggressive-bot-user-agents.md`.
All techniques are served behind `Disallow` paths and the aggressive_bot conditional logic.
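The canary bullet above relies on every throttled response carrying a token of the form `CoM-SLOW-<date>-<suffix>`, and Section 5 later turns that into proof of ingestion when the token resurfaces in model output. The script below is an added example, not code from the original page or the Lyre project: it generates the daily canary the way the Python handler does (random `token_hex(8)` suffix), reproduces the nginx Lua variant (`md5(remote_addr)` suffix), scans arbitrary text for any such canary, and attributes an nginx-style canary back to the client address that received it by recomputing the hash over the distinct addresses seen in the tarpit log. The sample text and the IP addresses (documentation ranges) are constructed.

```python
#!/usr/bin/env python3
# canary_attribution.py
# Added example (not part of the original page or the Lyre project): generate the daily
# "CoM-SLOW-<date>-<suffix>" canary used by the tarpit handlers, find such canaries in
# arbitrary text (for example, a model's output), and attribute an nginx-style canary back
# to the crawler IP that received it. Sample text and IP addresses below are constructed.
import datetime
import hashlib
import re
import secrets
from typing import Dict, List, Optional

# Python handler suffix is token_hex(8) -> 16 hex chars; nginx Lua suffix is md5 -> 32 hex chars.
CANARY_RE = re.compile(r"CoM-SLOW-(\d{4}-\d{2}-\d{2})-([0-9a-f]{16,32})")


def make_canary(day: datetime.date, nbytes: int = 8) -> str:
    """Daily canary as produced by the Python tarpit: date namespace plus a random hex suffix."""
    return f"CoM-SLOW-{day.isoformat()}-{secrets.token_hex(nbytes)}"


def nginx_canary(day: datetime.date, client_ip: str) -> str:
    """Canary as produced by the nginx Lua block: the suffix is md5(remote_addr), so it is
    reproducible from the access log and can be tied back to a specific client address."""
    return f"CoM-SLOW-{day.isoformat()}-{hashlib.md5(client_ip.encode()).hexdigest()}"


def find_canaries(text: str) -> List[Dict[str, object]]:
    """Return each distinct canary in text with the day it was served, in order of appearance."""
    hits: List[Dict[str, object]] = []
    seen = set()
    for m in CANARY_RE.finditer(text):
        token = m.group(0)
        if token in seen:
            continue
        seen.add(token)
        hits.append({
            "canary": token,
            "served_on": datetime.date.fromisoformat(m.group(1)),
            "suffix": m.group(2),
        })
    return hits


def attribute_to_ip(canary: str, candidate_ips: List[str]) -> Optional[str]:
    """For an nginx-style canary, recover which logged client IP it was served to by
    recomputing md5 over each candidate (e.g. the distinct $remote_addr values in ai_slow.log).
    Returns None for random-suffix canaries; those are matched via the X-Canary log field instead."""
    m = CANARY_RE.fullmatch(canary)
    if not m or len(m.group(2)) != 32:
        return None
    for ip in candidate_ips:
        if hashlib.md5(ip.encode()).hexdigest() == m.group(2):
            return ip
    return None


# Constructed sample: addresses from documentation ranges and a fake "model output" snippet
# that leaked two canaries (one Python-style, one nginx-style, the latter repeated).
CANDIDATE_IPS = ["198.51.100.9", "203.0.113.7"]
SERVED_DAY = datetime.date(2024, 5, 1)
NGINX_CANARY = nginx_canary(SERVED_DAY, "203.0.113.7")
PYTHON_CANARY = "CoM-SLOW-2024-05-02-0123456789abcdef"
SAMPLE_TEXT = (
    "According to the site, " + PYTHON_CANARY + " is the main topic. "
    "Further reading: " + NGINX_CANARY + " and again " + NGINX_CANARY + "."
)

if __name__ == "__main__":
    print("today's canary:", make_canary(datetime.date.today()))
    for hit in find_canaries(SAMPLE_TEXT):
        ip = attribute_to_ip(str(hit["canary"]), CANDIDATE_IPS)
        print(hit["served_on"], hit["canary"], "->", ip or "random suffix, look up X-Canary in the log")
```

Because the nginx variant derives its suffix from the client address, the same address always yields the same canary on a given day, which makes attribution cheap but also means two crawlers behind one address are indistinguishable; the random-suffix variant avoids that at the cost of having to log the `X-Canary` value per request.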
## 2 -- Daily Randomized Slow-Response Tarpit Generator (Python PoC)
```python
#!/usr/bin/env python3
# generate_slow_tarpit.py
import asyncio
import datetime
import secrets

from aiohttp import web


async def slow_handler(request):
    """Stream a trickle response: one small chunk per second for ~5 minutes."""
    today = datetime.date.today().isoformat()
    canary = f"CoM-SLOW-{today}-{secrets.token_hex(8)}"
    response = web.StreamResponse(
        headers={"Content-Type": "text/plain; charset=utf-8", "X-Canary": canary}
    )
    await response.prepare(request)  # send headers now; the body goes out chunked
    await response.write(b"Starting slow tarpit response... ")
    for i in range(300):  # ~5 minutes at one chunk per second
        await asyncio.sleep(1)
        await response.write(f"{canary}-{i}\n".encode())
    await response.write(b"\nEnd of daily randomized tarpit.\n")
    await response.write_eof()
    return response


def init(argv):
    """App factory for: python -m aiohttp.web -H 0.0.0.0 -P 8080 generate_slow_tarpit:init"""
    app = web.Application()
    app.router.add_get("/slow-tarpit/{tail:.*}", slow_handler)
    return app
```
For production, port the same logic to an nginx Lua handler or a Caddy streaming handler that only activates when `$aggressive_bot == 1`.
## 3 -- Production nginx Configuration (lua + limit_rate)
Add this location to the main virtual host beside the aggressive_bot map. Note that `internal;` makes the location reachable only through an internal redirect (for example a rewrite triggered by the aggressive_bot conditional); a direct client request for `/slow-tarpit/` returns 404 unless that line is removed.
```nginx
location /slow-tarpit/ {
    internal;
    access_log /var/log/nginx/ai_slow.log combined if=$aggressive_bot;
    # Lua slow chunked response (requires lua-nginx-module)
    content_by_lua_block {
        local today = os.date("%Y-%m-%d")
        local canary = "CoM-SLOW-" .. today .. "-" .. ngx.md5(ngx.var.remote_addr)
        ngx.header["Content-Type"] = "text/plain"
        ngx.header["X-Canary"] = canary
        ngx.say("Slow tarpit started for " .. canary)
        for i = 1, 300 do
            ngx.sleep(1)
            ngx.print(canary .. "-" .. i .. "\n")
            ngx.flush(true)
        end
    }
}
```
Add `limit_rate 1k;` inside the location for additional per-connection throttling of the response body.
## 4 -- Apache + mod_ratelimit + lua (or mod_proxy_fcgi) Example
```apache
<Location /slow-tarpit/>
    SetEnvIf User-Agent "GPTBot|ClaudeBot|Bytespider|Perplexity|headless" aggressive_bot
    <If "%{ENV:aggressive_bot} == 1">
        # mod_ratelimit (if available) or custom slow script via ScriptAlias
        SetOutputFilter RATE_LIMIT
        # mod_ratelimit reads its limit from the rate-limit env var, in KiB/s (1 = 1 KiB/s)
        SetEnv rate-limit 1
        # %{DATE}e expands to an environment variable named DATE; it is empty unless something sets it
        Header set X-Canary "CoM-SLOW-%{DATE}e"
    </If>
</Location>
```
For full randomization, delegate to a small FastCGI or WSGI slow-tarpit script that embeds the daily canary. Keep in mind that under Apache each tarpitted request occupies a worker slot for its whole duration, so size `MaxRequestWorkers` with the number of concurrently held connections in mind.
## 5 -- Verification, Attribution, and Maintenance
1. Normal visitor: `curl -I -A "Mozilla/5.0..." https://example.com/` → fast 404 or content.
2. Aggressive bot: `curl -I -A "GPTBot/1.0" https://example.com/slow-tarpit/` → 200 with `X-Canary` header and slow body.
3. Log check: `tail -f /var/log/nginx/ai_slow.log`
4. Weekly rotation of canary namespace and UA list diff against Cloudflare Radar.
5. If a canary later appears in model output, the individual possesses verifiable proof of ingestion.
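Step 3 only tails the log; the script below turns the same `ai_slow.log` into numbers a maintainer can act on. It is an added example, not code from the original page or the Lyre project: it parses nginx's combined log format, groups hits by the bot families the Apache `SetEnvIf` line keys on, and reports per family how many tarpit hits occurred, how many distinct source addresses were involved, and how many bytes the defender actually sent (the asymmetric-cost claim from Section 1, checked against real traffic). The log lines and addresses are constructed.

```python
#!/usr/bin/env python3
# tarpit_log_report.py
# Added example (not from the original page or the Lyre project): summarise the combined-format
# ai_slow.log per bot family so the weekly maintenance pass has numbers, not a scrolling tail.
# The sample log lines and addresses below are constructed.
import re
import sys
from collections import defaultdict
from typing import Dict, Iterable, Optional

# nginx "combined" format:
# $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Same aggressive-bot patterns the Apache SetEnvIf line uses (case-insensitive substring match).
BOT_FAMILIES = ["GPTBot", "ClaudeBot", "Bytespider", "Perplexity", "headless"]


def classify_ua(ua: str) -> str:
    """Map a User-Agent string to the first matching bot family, or 'other'."""
    lowered = ua.lower()
    for family in BOT_FAMILIES:
        if family.lower() in lowered:
            return family
    return "other"


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one combined-format line; return None for anything that does not match."""
    m = COMBINED_RE.match(line.strip())
    if not m:
        return None
    rec: Dict[str, object] = m.groupdict()
    rec["bytes"] = 0 if m.group("bytes") == "-" else int(m.group("bytes"))
    rec["status"] = int(m.group("status"))
    return rec


def summarize(lines: Iterable[str]) -> Dict[str, object]:
    """Per-family hit count, distinct source IPs and bytes sent; malformed lines are counted, not dropped silently."""
    families = defaultdict(lambda: {"hits": 0, "ips": set(), "bytes": 0})
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        stats = families[classify_ua(str(rec["ua"]))]
        stats["hits"] += 1
        stats["ips"].add(rec["ip"])
        stats["bytes"] += int(rec["bytes"])
    report = {
        family: {
            "hits": s["hits"],
            "distinct_ips": len(s["ips"]),
            "bytes": s["bytes"],
            "kib_sent": round(s["bytes"] / 1024, 1),
        }
        for family, s in families.items()
    }
    return {"families": report, "unparsed": unparsed}


# Constructed sample log (documentation-range addresses, simplified User-Agent strings).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/May/2024:10:00:01 +0000] "GET /slow-tarpit/ HTTP/1.1" 200 12684 "-" "Mozilla/5.0 (compatible; GPTBot/1.0)"',
    '203.0.113.7 - - [01/May/2024:10:05:09 +0000] "GET /slow-tarpit/ HTTP/1.1" 200 12684 "-" "Mozilla/5.0 (compatible; GPTBot/1.0)"',
    '198.51.100.9 - - [01/May/2024:10:06:30 +0000] "GET /slow-tarpit/page HTTP/1.1" 200 3120 "-" "Mozilla/5.0 (compatible; Bytespider)"',
    '192.0.2.44 - - [01/May/2024:10:07:00 +0000] "GET /slow-tarpit/ HTTP/1.1" 200 12684 "-" "Mozilla/5.0 (compatible; GPTBot/1.0)"',
    "this line is not in combined format",
]

if __name__ == "__main__":
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG
    result = summarize(source)
    for family, s in sorted(result["families"].items()):
        print(f"{family:<12} hits={s['hits']:<4} ips={s['distinct_ips']:<3} sent={s['kib_sent']} KiB")
    print("unparsed lines:", result["unparsed"])
```

Run it as `python3 tarpit_log_report.py /var/log/nginx/ai_slow.log`; with no argument it reports on the embedded sample. Since the `access_log ... if=$aggressive_bot` directive in Section 3 only records tarpitted requests, an "other" family appearing in the report means the user-agent map and the patterns in `BOT_FAMILIES` have drifted apart and the weekly UA-list diff is due.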
## 6 -- References
Derived from the primary dissertation Section 4.4 and the `slowloris-resource-exhaustion.md` technique paper. Randomization and canary strategy mirrors the decompression-bomb and malformed-content approaches for consistency across all active-denial layers.
*Companion to `known-aggressive-bot-user-agents.md`, `howto-decompression-bombs.md`, `howto-malformed-content-attacks.md`, and the primary dissertation. Legal review required before production deployment.*