DoS Attack Demo and Prevention in Go

Demonstrates and provides solutions to the following DoS (Denial of Service) attacks in Go:

  • Slowloris
  • Large file

The solutions are trivially simple to implement in Go, often consisting of a simple configuration directive or a call to a standard library function.

Slowloris

Send requests to the server extremely slowly. The notable thing about this DoS is that it takes very few resources in terms of memory or CPU. The goal is to open a large number of requests that are all sent extremely slowly, thus making the server use up all its connections while it waits for the requests to complete.

Solution: specify a read timeout. For example, on the standard Go web server, you can configure it as follows with the directive “ReadTimeout: 1 * time.Second”:

srv := &http.Server{
    Addr:        ":3000",
    Handler:     mux,
    ReadTimeout: 1 * time.Second,
    //WriteTimeout: 10 * time.Second,
    //IdleTimeout:  1 * time.Minute,
}

Large File

Send very large requests to the server. The goal is to overwhelm the server as it tries to process the large requests, which are often gigabytes in size. In contrast to Slowloris, this type of attack requires more memory and CPU on the client to send the large files.

Solution: use LimitReader to limit the number of bytes to read from the request. For example, here we specify a 100K limit to the reader:

io.LimitReader(r.Body, 100_000)
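
io.LimitReader reports EOF once the limit is reached, so an oversized body looks the same as a complete one that was cut short. The following added example (not from the article or the linked repository) reads one byte past the limit to detect that case and answer 413, and serves the handler with the read timeout shown earlier; the names readLimited, upload, newServer, errTooLarge and the /upload route are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"log"
	"net/http"
	"time"
)

const maxBody = 100_000 // the article's 100K limit
var errTooLarge = errors.New("request body too large")

// readLimited reads limit+1 bytes so an oversized body is detected rather than silently truncated.
func readLimited(r io.Reader, limit int64) ([]byte, error) {
	b, err := io.ReadAll(io.LimitReader(r, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(b)) > limit {
		return nil, errTooLarge
	}
	return b, nil
}

// upload is a hypothetical handler; it never buffers more than maxBody+1 bytes.
func upload(w http.ResponseWriter, r *http.Request) {
	body, err := readLimited(r.Body, maxBody)
	switch {
	case errors.Is(err, errTooLarge):
		http.Error(w, err.Error(), http.StatusRequestEntityTooLarge) // 413
	case err != nil: // includes a read that hit the server's ReadTimeout
		http.Error(w, "bad request", http.StatusBadRequest)
	default:
		fmt.Fprintf(w, "read %d bytes\n", len(body))
	}
}

// newServer combines the body limit with the article's Slowloris read timeout.
func newServer() *http.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/upload", upload)
	return &http.Server{Addr: ":3000", Handler: mux, ReadTimeout: 1 * time.Second}
}

func main() {
	log.Fatal(newServer().ListenAndServe())
}
```

The standard library's http.MaxBytesReader applies a comparable limit and returns an error when the body exceeds it.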

Source Code

The full source code and how to run the demos can be found here:

https://github.com/sanjib/go-dos
