Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack

[Ron <ron () skullsecurity net>]

Scripts that check whether a server stops responding tend to be prone to false positives. So make sure you're careful 
on the output. 

(I haven't completely read the discussion, so you may have already talked about that - just wanted to be sure)

Ron

On Sun, 20 Mar 2011 07:51:49 +0100 Gutek <ange.gutek () gmail com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi folks,
>
> As requested on the NSE Wiki (
> https://secwiki.org/w/Nmap/Script_Ideas#http-slowloris ), here is a
> draft for a script triggering the Slowloris denial of service attack.
> As a draft, currently it just launches the attack without taking care
> whether it's a success or not, hence this draft will not produce any
> output and will run 'forever'. Monitoring is made with the debugging
> option (-d).
>
> Script header:
> - -------------------
> description = [[
> Tests a webserver against the Slowloris DoS attack, as it was
> described at Defcon 17 by RSnake
> (see http://ha.ckers.org/slowloris/)
>
> This script opens and maintains numerous 'half-http' connections until
> the webserver runs out of ressources,
> leading to a denial of service.
> When the DoS condition is met the script then stops the attack and
> returns the payload datas as they could be usefull to tweak further
> filtering rules:
> - - Time taken until DoS
> - - Number of threads used
> - - Number of queries sent (or: amount of datas sent, in bytes)
>
> TODO
> o Add a stopping mechanism
>   + reserve a thread to monitor the webserver from time to time. If
> not responding, then stop.
> o Analyze the threads: if the number of effective connections is lower
> than required by the script, maybe notify of a potential filtering
> rule ahead.
> o Add user-supplied arguments:
>   + threads, the max number of concurrent connections on the target:
> on Windows it seems to be limited to 130
>   + timeout, time to wait before sending new http header datas in
> order to maintain the connection. Defaults to 100 seconds, but could
> be measured as slowloris.pl does
>
> ]]
>
> - ---
> - -- @usage
> - -- nmap --script http-slowloris --script-args
> http-slowloris.threads=500 http-slowloris.timeout=200 <target>
> - --
> - -- @args http-slowloris.threads The max number of concurrent
> connections on the target: on Windows it seems to be limited to 130.
> - -- @args http-slowloris.timeout Time to wait before sending new http
> header datas in order to maintain the connection. Defaults to 100
> seconds.
> - --
> - --@output
> - -- 80/tcp  open   http    syn-ack
> - -- |  http-slowloris: Target was DoSed:
> - -- |  the attack took <time> to succeed
> - -- |  with <threads> concurrent connections
> - -- |_ with <queries||bytes> sent
>
> As you can see at this time the script is pretty simple with just,
> say, the main core. I think it's the best moment to call for
> contributors, as it's still easy to understand.
> So...anyone wants to help ? _o/
>
> Regards,
>
> A.G.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.12 (GNU/Linux)
> Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAk2FpAUACgkQ3aDTTO0ha7ji9wCfTj+4cjvLtEpmNI1jhadloy9q
> gZEAnRq7AkvKFXt2fLMhOjSWxLwmhKOj
> =0Plc
> -----END PGP SIGNATURE-----
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/