Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack

[Toni Ruottu <toni.ruottu () iki fi>]

I would change the output to something like

 | http-slowloris:
 |   Vulnerable
 |   The DoS attack took +3m40s
 |   with 32 concurrent connections
 |_  and 66 sent queries

On Sun, Apr 10, 2011 at 10:19 AM, Gutek <ange.gutek () gmail com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi list,
> Here is an update about my slowloris attack script(*).
> The major update is the monitoring of the pending attack, and the
> current target's health. Slowloris could be by design a very long
> attack(**), hence this script should be lauchned with, at least, -d
> At the first level (-d1) the user will have a report from time to time
> with the main interesting datas: is the target still up, significant
> target slowdown meaning that the attack is starting to hurt the
> webserver and DoS successfull.
> With a deeper -d value (-d2), we have additional informations such as
> the number of effective concurrent connections (some will die when the
> webserver will become critical) and live server response time: this
> "heartbeat" is interesting to see if the attack is beginning to be
> efficient.
>
> The script works without the live infos provided by -d but again, as
> this is attack could take hours or days depending on what the target can
> handle I think that it is mandatory for the user to check what's going on.
>
>
> Sample Output (nmap -n -PN -p80 --script http-slowloris -d2 <target>)
>
> NSE: http-slowloris: target <host ip> is still
> up...
> NSE: http-slowloris: (nil special to report so far...)
>
> (only with -d2)
> NSE: http-slowloris: 2 EFFECTIVE CONNECTIONS
> NSE: http-slowloris: 3 EFFECTIVE CONNECTIONS
> NSE: http-slowloris: 4 EFFECTIVE CONNECTIONS
> NSE: http-slowloris: 5 EFFECTIVE CONNECTIONS
> NSE: http-slowloris: 6 EFFECTIVE CONNECTIONS
> NSE: http-slowloris: 7 EFFECTIVE CONNECTIONS
> ...
> NSE: http-slowloris: target <host ip> is still up...
>
> (starting to maintain the http connection by filling the header more and
> more)
> NSE: http-slowloris: HTTP stream started.
> (only with -d2) NSE: http-slowloris: server responsive (306 ms).
> (only with -d2) NSE: http-slowloris: server responsive (457 ms).
> (only with -d2) NSE: http-slowloris: server responsive (860 ms).
> (only with -d2) NSE: http-slowloris: SERVER SLOWING DOWN by 108 percent
> (860 ms).
>
> ...
> ...
> NSE: http-slowloris: target <host ip> is still
> up...
>
> NSE: http-slowloris: <host ip> has slowed down by 108%
>
> (a bunch of socket errors as connections are going down)
>
> NSE: http-slowloris: target <host ip> is still up...
>
> (the script tries to replace broken connections)
> NSE: http-slowloris: HTTP stream started.
> (only with -d2) NSE: http-slowloris: SERVER SLOWING DOWN by 387 percent
> (3733 ms).
>
> (a bunch of errors, same reason)
> NSE: http-slowloris: DoS CONDITION REACHED ! server down.
>
> Nmap scan report for <host name> (<host ip>)
> Host is up, received user-set (0.14s latency).
> Scanned at 2011-04-10 08:09:40 CEST for 220s
> PORT   STATE SERVICE REASON
> 80/tcp open  http    syn-ack
> | http-slowloris:
> |   Target was DoSed:
> |   the attack took +3m40s
> |   with 32 concurrent connections
> |_  with 66 queries sent
>
>
> (*)
>
> https://secwiki.org/w/Nmap/Script_Ideas#http-slowloris
> (**)
>
> http://ha.ckers.org/slowloris/
>
>
> Regards,
>
> A.G.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.12 (GNU/Linux)
> Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAk2hWf0ACgkQ3aDTTO0ha7hvUwCePLGzXlAZIS/Y32/gdg78tdil
> UcEAn1CNj60rAQWGYgCVGO5pyP+Ij0Gu
> =SfgB
> -----END PGP SIGNATURE-----
>
>
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
> Archived at http://seclists.org/nmap-dev/
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/