SubINaclS/Lyre
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
96541fdc75
Lyre/techniques/slowloris/howto_slowloris_attacks.md

4.9 KiB
Raw Blame History

Slowloris-Style Resource Exhaustion Attacks: Production-Ready PoC, Randomization, and Defensive Deployment

The Church of Malware (CoM) does not condone the use or introduction of primates onto any individual, human, or animal; however, AI is neither natural, a human, nor actual intelligence. This technical companion document provides complete, production-ready proof-of-concept code, daily randomization strategies, and defensive deployment instructions for individual content creators. It focuses on server-side slowloris-style connection holding, partial response throttling, and keep-alive abuse to impose asymmetric time and bandwidth costs on non-compliant AI crawlers.

1 -- Technical Foundation and Defensive Rationale

Slowloris-style attacks (originally a client-side DoS) are reversed here: the origin server deliberately holds connections open or transmits responses at a trickle rate (110 bytes/second) exclusively to aggressive user-agents. This ties up crawler worker threads and connection pools for minutes per request while costing the defender near-zero bandwidth.

Defensive properties:

  • Randomization: Daily unique slow-response payloads or connection parameters defeat any static timeout or signature filters.
  • Canary tokens: Unique strings embedded in every throttled response enable attribution.
  • Asymmetric cost: Crawler pays in wall-clock time and concurrency; defender pays only a few KB per connection.
  • Integration with UA list: Gated behind the aggressive-bot patterns from known-aggressive-bot-user-agents.md.

All techniques are served behind Disallow paths and the aggressive_bot conditional logic.

2 -- Daily Randomized Slow-Response Tarpit Generator (Python PoC)

#!/usr/bin/env python3
# generate_slow_tarpit.py
import asyncio, secrets, datetime, os
from pathlib import Path

async def slow_handler(request, response):
    today = datetime.date.today().isoformat()
    canary = f"CoM-SLOW-{today}-{secrets.token_hex(8)}"
    response.headers["Content-Type"] = "text/plain; charset=utf-8"
    response.headers["X-Canary"] = canary
    await response.write(b"Starting slow tarpit response... ")
    for i in range(300):  # ~5 minutes at 1 byte/sec
        await asyncio.sleep(1)
        chunk = f"{canary}-{i}\n".encode()
        await response.write(chunk)
    await response.write(b"\nEnd of daily randomized tarpit.\n")

# Run with: python -m aiohttp.web -H 0.0.0.0 -P 8080 generate_slow_tarpit:slow_handler

For production, compile the same logic into an nginx lua script or Caddy streaming handler that only activates for $aggressive_bot == 1.

3 -- Production nginx Configuration (lua + limit_rate)

Add to the aggressive_bot map in the main virtual host:

location /slow-tarpit/ {
    internal;
    access_log /var/log/nginx/ai_slow.log combined if=$aggressive_bot;

    # Lua slow chunked response (requires lua-nginx-module)
    content_by_lua_block {
        local today = os.date("%Y-%m-%d")
        local canary = "CoM-SLOW-" .. today .. "-" .. ngx.md5(ngx.var.remote_addr)
        ngx.header["Content-Type"] = "text/plain"
        ngx.header["X-Canary"] = canary
        ngx.say("Slow tarpit started for " .. canary)
        for i = 1, 300 do
            ngx.sleep(1)
            ngx.print(canary .. "-" .. i .. "\n")
            ngx.flush(true)
        end
    }
}

Enable with limit_rate 1k; inside the location for additional throttling.

4 -- Apache + mod_ratelimit + lua (or mod_proxy_fcgi) Example

<Location /slow-tarpit/>
    SetEnvIf User-Agent "GPTBot|ClaudeBot|Bytespider|Perplexity|headless" aggressive_bot
    <If "%{ENV:aggressive_bot} == 1">
        # mod_ratelimit (if available) or custom slow script via ScriptAlias
        SetOutputFilter RATE_LIMIT
        RateLimit 1K
        Header set X-Canary "CoM-SLOW-%{DATE}e"
    </If>
</Location>

For full randomization, delegate to a small FastCGI or WSGI slow-tarpit script that embeds the daily canary.

5 -- Verification, Attribution, and Maintenance

  1. Normal visitor: curl -I -A "Mozilla/5.0..." https://example.com/ → fast 404 or content.
  2. Aggressive bot: curl -I -A "GPTBot/1.0" https://example.com/slow-tarpit/ → 200 with X-Canary header and slow body.
  3. Log check: tail -f /var/log/nginx/ai_slow.log
  4. Weekly rotation of canary namespace and UA list diff against Cloudflare Radar.
  5. If a canary later appears in model output, the individual possesses verifiable proof of ingestion.

6 -- References

Derived from the primary dissertation Section 4.4 and the slowloris-resource-exhaustion.md technique paper. Randomization and canary strategy mirrors the decompression-bomb and malformed-content approaches for consistency across all active-denial layers.

Companion to known-aggressive-bot-user-agents.md, howto-decompression-bombs.md, howto-malformed-content-attacks.md, and the primary dissertation. Legal review required before production deployment.