Nmap Development mailing list archives
Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack
From: Ron <ron () skullsecurity net>
Date: Fri, 17 Jun 2011 12:00:14 -0500
Scripts that check whether a server stops responding tend to be prone to false positives. So make sure you're careful on the output.

(I haven't completely read the discussion, so you may have already talked about that - just wanted to be sure)

Ron

On Sun, 20 Mar 2011 07:51:49 +0100 Gutek <ange.gutek () gmail com> wrote:
Hi folks,

As requested on the NSE Wiki ( https://secwiki.org/w/Nmap/Script_Ideas#http-slowloris ), here is a draft for a script triggering the Slowloris denial of service attack.

As a draft, currently it just launches the attack without taking care whether it's a success or not, hence this draft will not produce any output and will run 'forever'. Monitoring is made with the debugging option (-d).

Script header:
-------------------
description = [[
Tests a webserver against the Slowloris DoS attack, as it was described at Defcon 17 by RSnake (see http://ha.ckers.org/slowloris/)

This script opens and maintains numerous 'half-http' connections until the webserver runs out of resources, leading to a denial of service. When the DoS condition is met the script then stops the attack and returns the payload data, as it could be useful to tweak further filtering rules:
- Time taken until DoS
- Number of threads used
- Number of queries sent (or: amount of data sent, in bytes)

TODO
o Add a stopping mechanism
  + reserve a thread to monitor the webserver from time to time. If not responding, then stop.
o Analyze the threads: if the number of effective connections is lower than required by the script, maybe notify of a potential filtering rule ahead.
o Add user-supplied arguments:
  + threads, the max number of concurrent connections on the target: on Windows it seems to be limited to 130
  + timeout, time to wait before sending new http header data in order to maintain the connection. Defaults to 100 seconds, but could be measured as slowloris.pl does
]]

---
-- @usage
-- nmap --script http-slowloris --script-args http-slowloris.threads=500,http-slowloris.timeout=200 <target>
--
-- @args http-slowloris.threads The max number of concurrent connections on the target: on Windows it seems to be limited to 130.
-- @args http-slowloris.timeout Time to wait before sending new http header data in order to maintain the connection. Defaults to 100 seconds.
--
-- @output
-- 80/tcp open http syn-ack
-- | http-slowloris: Target was DoSed:
-- | the attack took <time> to succeed
-- | with <threads> concurrent connections
-- |_ with <queries||bytes> sent

As you can see, at this time the script is pretty simple with just, say, the main core. I think it's the best moment to call for contributors, as it's still easy to understand.

So... anyone want to help? _o/

Regards,
A.G.
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/