Nmap Development mailing list archives
Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack
From: David Fifield <david () bamsoftware com>
Date: Fri, 29 Apr 2011 11:36:43 -0700
On Sat, Apr 23, 2011 at 05:18:38PM +0200, Gutek wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello, Here is an updated version with user-supplied arguments and Toni's suggestions about the output while attacking: - - Verbosity level 1, a status reminder - - Verbosity level 2, a real-time monitor Also the final script output has been modified accordingly. Sample : - -- Initiating NSE at 09:42 - -- NSE: http-slowloris(status reminder): target <ip> is still up... - -- NSE: http-slowloris(status reminder): (initial target response time is 263ms) - -- NSE: http-slowloris: 22 effective connections - -- NSE: http-slowloris(status reminder): target <ip> is still up... - -- NSE: http-slowloris(status reminder): HTTP stream started. - -- NSE: http-slowloris(status reminder): <ip> has slowed down by 290% - -- Verbosity Increased to 2. - -- NSE: http-slowloris(monitor): server has recovered its responsiveness (304ms). - -- NSE: http-slowloris(monitor): server slowing down by 367% (965ms). - -- NSE: http-slowloris: lost connection, 21 still remain - -- NSE: http-slowloris(monitor): server slowing down by 405% (1064ms). - -- NSE: http-slowloris: 22 effective connections - -- (...) - -- NSE: http-slowloris(monitor): server slowing down by 2418% (6359ms). - -- NSE: http-slowloris(monitor): server slowing down by 2418% (6359ms). - -- NSE: http-slowloris(monitor): DoS CONDITION REACHED ! server down. - -- 80/tcp open http syn-ack - -- | http-slowloris: Vulnerable: - -- | the DoS attack took <time> - -- | with <threads> concurrent connections - -- |_ and <queries> sent queries
I tried this against Apache and thttpd and it seems to get to 22 connections and then nto make any more progress, and the server remains responsive? What do you recommend I should try to make this test work? I attach Nmap and thttpd logs. David Fifield
Attachment:
slowloris.nmap
Description:
Attachment:
slowloris.thttpd
Description:
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack Gutek (Apr 10)
- Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack Toni Ruottu (Apr 10)
- Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack Toni Ruottu (Apr 14)
- Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack Gutek (Apr 14)
- Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack Toni Ruottu (Apr 14)
- Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack Gutek (Apr 14)
- Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack Gutek (Apr 23)
- Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack David Fifield (Apr 29)
- Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack Gutek (Apr 30)
- Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack Toni Ruottu (Apr 30)
- Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack Gutek (Apr 30)
- Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack Patrik Karlsson (Apr 30)
- Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack Henri Doreau (Apr 30)
- Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack Patrik Karlsson (Apr 30)
- Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack Gutek (Apr 30)
- Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack Toni Ruottu (May 17)
- Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack Gutek (May 17)
- Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack Gutek (May 22)
- Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack Toni Ruottu (Apr 14)
- Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack Toni Ruottu (Apr 10)