Nmap Development mailing list archives
[NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack
From: Gutek <ange.gutek () gmail com>
Date: Sun, 20 Mar 2011 07:51:49 +0100
Hi folks,

As requested on the NSE Wiki ( https://secwiki.org/w/Nmap/Script_Ideas#http-slowloris ), here is a draft for a script triggering the Slowloris denial of service attack.

As a draft, currently it just launches the attack without taking care whether it's a success or not, hence this draft will not produce any output and will run 'forever'. Monitoring is made with the debugging option (-d).

Script header:
-------------------
description = [[
Tests a webserver against the Slowloris DoS attack, as it was described at Defcon 17 by RSnake (see http://ha.ckers.org/slowloris/)

This script opens and maintains numerous 'half-http' connections until the webserver runs out of resources, leading to a denial of service. When the DoS condition is met the script then stops the attack and returns the payload data, as it could be useful to tweak further filtering rules:
- Time taken until DoS
- Number of threads used
- Number of queries sent (or: amount of data sent, in bytes)

TODO
o Add a stopping mechanism + reserve a thread to monitor the webserver from time to time. If not responding, then stop.
o Analyze the threads: if the number of effective connections is lower than required by the script, maybe notify of a potential filtering rule ahead.
o Add user-supplied arguments:
  + threads, the max number of concurrent connections on the target: on Windows it seems to be limited to 130
  + timeout, time to wait before sending new http header data in order to maintain the connection. Defaults to 100 seconds, but could be measured as slowloris.pl does
]]

---
-- @usage
-- nmap --script http-slowloris --script-args http-slowloris.threads=500,http-slowloris.timeout=200 <target>
--
-- @args http-slowloris.threads The max number of concurrent connections on the target: on Windows it seems to be limited to 130.
-- @args http-slowloris.timeout Time to wait before sending new http header data in order to maintain the connection. Defaults to 100 seconds.
--
-- @output
-- 80/tcp open http syn-ack
-- | http-slowloris: Target was DoSed:
-- | the attack took <time> to succeed
-- | with <threads> concurrent connections
-- |_ with <queries||bytes> sent

As you can see, at this time the script is pretty simple with just, say, the main core. I think it's the best moment to call for contributors, as it's still easy to understand.

So... anyone wants to help? _o/

Regards,
A.G.
Attachment: http-slowloris.nse
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
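Seen from the server side, the 'half-http' connections in the description above are many connections from one source whose request head never reaches its terminating blank line. The sketch below is an added example, not part of the original post or of http-slowloris.nse; the Conn record, the thresholds and the sample addresses are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Conn:
    src: str       # client address
    opened: float  # seconds: when the TCP connection was accepted
    buf: bytes     # every byte received on the connection so far

def headers_complete(buf: bytes) -> bool:
    # An HTTP/1.x request head is terminated by an empty line (CRLF CRLF).
    return b"\r\n\r\n" in buf

def slow_header_sources(conns, now, header_deadline=30.0,
                        min_conns=20, max_rate=10.0):
    """Return {src: count} for sources holding at least min_conns connections
    whose request head is still unfinished after header_deadline seconds and
    has arrived at no more than max_rate bytes per second.
    All three thresholds are assumed values, to be tuned per site."""
    stalled = defaultdict(int)
    for c in conns:
        age = now - c.opened
        if age < header_deadline or headers_complete(c.buf):
            continue  # still within the deadline, or a normal full request
        if len(c.buf) / age <= max_rate:
            stalled[c.src] += 1
    return {src: n for src, n in stalled.items() if n >= min_conns}

def sample_snapshot():
    """Constructed connection table, observed at t = 300 s."""
    head = b"GET / HTTP/1.1\r\nHost: www.example.test\r\n"  # no blank line
    conns = []
    # 130 connections (the figure the post gives for Windows) opened at t = 0;
    # each received the unfinished head plus one extra header line per 100 s.
    for _ in range(130):
        conns.append(Conn("198.51.100.7", 0.0, head + b"X-a: b\r\n" * 3))
    # Ordinary client: complete request head.
    conns.append(Conn("203.0.113.20", 290.0, head + b"\r\n"))
    # Client on a slow link: head unfinished, but only 5 s old.
    conns.append(Conn("203.0.113.21", 295.0, head[:20]))
    # One old stalled connection: not enough on its own to flag the source.
    conns.append(Conn("203.0.113.22", 0.0, head))
    return conns

if __name__ == "__main__":
    print(slow_header_sources(sample_snapshot(), now=300.0))
```

The same three conditions (header deadline, minimum byte rate, per-source connection count) are the knobs a filtering rule or a server's request-header timeout would enforce.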