R.U.D.Y. attack

What is the R.U.D.Y. attack?

R.U.D.Y. (R-U-Dead Yet) is a common name for an application-layer denial-of-service attack that uses slow attack traffic to exhaust the target server’s connection pool, making it impossible for legitimate users to establish legitimate connections. This attack is more effective against thread-based web servers, which are designed to handle a smaller number of connections.

The original R.U.D.Y. tool was developed in 2011 by cybersecurity expert Raviv Raz and named after the Children of Bodom album Are You Dead Yet?

How does the R.U.D.Y. attack work?

There are two basic types of web servers used to handle HTTP connections: thread-based servers (e.g. Apache, Microsoft IIS, dhttpd) and event-based servers (e.g. Nginx, lighttpd). By design, thread-based servers are able to handle fewer connections than event-based servers because they open application threads for every connection. For example, the default number of concurrent connections for an Apache installation is only 150, compared to 512 for Nginx.

There are several different application-layer DoS attack techniques that work by keeping many connections open. The most basic method is the Slowloris attack (slow HTTP GET attack), which simply opens HTTP GET connections by sending HTTP headers but never closes them. The more advanced R.U.D.Y. is a slow HTTP POST attack where the attacker uses the Content-Length header in a POST request to declare a large request body which is then sent at a very slow rate.

The original R.U.D.Y tool divides data into numerous small packets and sends them in intervals of a few seconds, allowing it to keep the connection open for a long period of time. When many instances of the tool send such slow HTTP requests to the same web server, the server’s connection table or other server resources such as memory or CPU may be exhausted. If the attack succeeds, the server can no longer handle legitimate traffic. The attack may be performed from a single IP address or, to make it more difficult to detect and block, using bots or botnets spread over multiple IP addresses for a distributed denial-of-service attack (DDoS).

How to detect R.U.D.Y. attacks?

Web servers are susceptible to the R.U.D.Y. attack not because sustaining slow HTTP POST is some sort of vulnerability. In fact, servers should allow slow connections by design, for example to cater for users with low Internet speeds.

Slow HTTP DoS attacks such as R.U.D.Y. are not commonly detected by intrusion detection systems (IDS) because the attack doesn’t include any malformed requests or trigger any rate limit warnings. Web application vulnerability scanners also cannot directly help protect your websites, web applications, or APIs against such attacks. However, using tools like Invicti and Acunetix by Invicti, you can find and eliminate many other vulnerabilities that could be exploited during a DoS attack to try and cripple your web assets or extract data.

How to mitigate R.U.D.Y. attacks?

DDoS protection offered by cloud providers is most effective against packet flood attacks made using DDoS attack tools such as the Low-Orbit Ion Cannon or High-Orbit Ion Cannon that rely on TCP connections. For slow attacks like R.U.D.Y. or Slowloris, typical DoS protections may not work, notably because malicious long-form field submissions are very difficult to distinguish from legitimate slow Internet connections. Also, basic methods such as limiting the number of requests from a single IP will not work if R.U.D.Y. is performed as a distributed denial-of-service attack.

The most effective mitigation method for slow connection attacks is to eliminate all slow data rate connections by carefully configuring timeouts for the web server and operating system. However, this approach has the obvious downside of potentially leaving legitimate users with slow Internet connections unable to use your website or web application. Click here to see how to configure Apache modules such as mod_reqtimeout to limit slow connections and mitigate Slowloris and R.U.D.Y attack attempts.

Another effective method is to use event-based server software such as Nginx, as that is less susceptible to slow DoS attacks. Even if you cannot change the server you are using, you can set up an Nginx reverse proxy to protect your web application. You can also use cloud content delivery networks and load balancers, which offer huge bandwidth and are able to handle a large number of connections.

Frequently asked questions

What are R.U.D.Y. attacks?

R.U.D.Y. attacks are denial-of-service attacks performed against web servers by sending data very slowly to generate lots of open connections and exhaust server resources. R.U.D.Y. is most effective against thread-based servers like Apache and Microsoft IIS, and has a much smaller impact on event-based servers like Nginx. R.U.D.Y. is an application-layer DoS attack.
Learn more about application-layer DoS attacks

How dangerous are R.U.D.Y. attacks?

Attacks such as R.U.D.Y. or Slowloris can render the target server completely unresponsive, thus denying access to crucial data and services. Depending on the target, this can result in lost business and impact the reputation of a company or institution. Unlike other types of DoS attacks, such application-layer attacks cannot be detected or prevented using typical DDoS protection mechanisms offered by cloud providers, and they may also evade cybersecurity solutions such as IPS.
Find out more about a similar application-layer attack called Slowloris

How to prevent R.U.D.Y. attacks in Apache?

To mitigate R.U.D.Y. attacks in Apache, you can use several different modules: mod_reqtimeout to set timeouts for receiving HTTP request headers and the HTTP request body from a client, mod_qos to assign different priorities to different HTTP requests, and mod_security to detect attack attempts.
Learn how to set up Apache modules to mitigate R.U.D.Y. and Slowloris

Written by: Tomasz Andrzej Nidecki, reviewed by: Benjamin Daniel Mussler