What Is the R.U.D.Y. Attack

R.U.D.Y. (R-U-Dead Yet) is a denial-of-service attack tool. Unlike most DoS and DDoS attack tools, the R.U.D.Y. attack tool uses Layer 7 (it is an application layer attack).

The attack technique of the R.U.D.Y. tool is very similar to the Slowloris attack. It uses slow attack traffic and its aim is not to flood the web server but to exhaust the number of connections making it impossible for legitimate users to establish connections.

How Does the R.U.D.Y. Attack Work

  1. The attacker points the R.U.D.Y. attack tool at an URL.
  2. The tool starts crawling the website or web application until it finds form fields.
  3. The tool then creates an HTTP POST request with the content-length HTTP header set to a very large value.
  4. The tool begins form submission but sends form data at a very slow rate. It divides data into numerous small packets and sends them a few seconds after one another. This makes it possible for the tool to keep the connection open for a long period of time.
  5. With many instances of the tool doing the same slow HTTP requests, the HTTP server’s connection table or other server resources (depending on your technology stack) are exhausted. As a result, the server can no longer handle legitimate traffic.
  6. The attack may be performed from one IP address or, to make it more difficult to protect against, from several IP addresses as a distributed denial-of-service attack.

Defending Against the R.U.D.Y. Attack

Typical DDoS protection does not work as effectively in the case of attacks such as R.U.D.Y. or Slowloris as in the case of simpler attack types such as the Low-Orbit Ion Cannon. Long form field submissions are very difficult to distinguish from legitimate slow Internet connections. Also, simple methods such as limiting the number of requests from a single IP will not work if the R.U.D.Y. attack is performed as a distributed denial-of-service attack.

The most effective mitigation method for slow connection attacks is to eliminate all slow connections by carefully configuring the web server and the operating system to limit timeout values. However, the side effect of such an approach is that legitimate users with slow Internet connections may be unable to use the website or web application.

Another effective method is to use software that is less susceptible to such DoS attacks, for example, nginx. If you cannot change the server that you are using, you can set up an nginx reverse proxy to protect your web application. You can also use cloud content delivery networks, which are able to handle a large number of connections.

Is R.U.D.Y. a Web Vulnerability?

Web servers are susceptible to the R.U.D.Y. attack not because they have some kind of vulnerability. Servers, by design, should allow slow connections because there are users with low Internet speeds.

Therefore, unfortunately, there are no web application vulnerability scanners that can help you protect your website or web application against such attacks. However, using Acunetix you can eliminate a lot of other vulnerabilities that may be used along with a DoS attack to try to cripple your web assets.

Tomasz Andrzej Nidecki
Technical Content Writer

Tomasz Andrzej Nidecki (also known as tonid) is a Technical Content Writer working for Acunetix. A journalist, translator, and technical writer with 25 years of IT experience, Tomasz has been the Managing Editor of the hakin9 IT Security magazine in its early years and used to run a major technical blog dedicated to email security.

*** This is a Security Bloggers Network syndicated blog from Web Security Blog – Acunetix authored by Tomasz Andrzej Nidecki. Read the original post at: