Nmap Development mailing list archives
Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack
From: Toni Ruottu <toni.ruottu () iki fi>
Date: Thu, 14 Apr 2011 18:41:38 +0300
Also, I wonder if the script should use verbose output instead of debugging output.

On Sun, Apr 10, 2011 at 5:44 PM, Toni Ruottu <toni.ruottu () iki fi> wrote:
> I would change the output to something like
>
> | http-slowloris:
> | Vulnerable
> | The DoS attack took +3m40s
> | with 32 concurrent connections
> |_ and 66 sent queries
>
> On Sun, Apr 10, 2011 at 10:19 AM, Gutek <ange.gutek () gmail com> wrote:
> > Hi list,
> >
> > Here is an update about my slowloris attack script(*).
> > The major update is the monitoring of the pending attack, and the
> > current target's health.
> >
> > Slowloris could be by design a very long attack(**), hence this script
> > should be launched with, at least, -d
> >
> > At the first level (-d1) the user will have a report from time to time
> > with the main interesting data: is the target still up, significant
> > target slowdown meaning that the attack is starting to hurt the
> > webserver and DoS successful.
> > With a deeper -d value (-d2), we have additional information such as the
> > number of effective concurrent connections (some will die when the
> > webserver will become critical) and live server response time: this
> > "heartbeat" is interesting to see if the attack is beginning to be
> > efficient.
> >
> > The script works without the live infos provided by -d but again, as
> > this attack could take hours or days depending on what the target can
> > handle I think that it is mandatory for the user to check what's going on.
> >
> > Sample Output (nmap -n -PN -p80 --script http-slowloris -d2 <target>)
> >
> > NSE: http-slowloris: target <host ip> is still up...
> > NSE: http-slowloris: (nil special to report so far...)
> > (only with -d2)
> > NSE: http-slowloris: 2 EFFECTIVE CONNECTIONS
> > NSE: http-slowloris: 3 EFFECTIVE CONNECTIONS
> > NSE: http-slowloris: 4 EFFECTIVE CONNECTIONS
> > NSE: http-slowloris: 5 EFFECTIVE CONNECTIONS
> > NSE: http-slowloris: 6 EFFECTIVE CONNECTIONS
> > NSE: http-slowloris: 7 EFFECTIVE CONNECTIONS
> > ...
> > NSE: http-slowloris: target <host ip> is still up...
> > (starting to maintain the http connection by filling the header more and more)
> > NSE: http-slowloris: HTTP stream started.
> > (only with -d2)
> > NSE: http-slowloris: server responsive (306 ms).
> > (only with -d2)
> > NSE: http-slowloris: server responsive (457 ms).
> > (only with -d2)
> > NSE: http-slowloris: server responsive (860 ms).
> > (only with -d2)
> > NSE: http-slowloris: SERVER SLOWING DOWN by 108 percent (860 ms).
> > ...
> > ...
> > NSE: http-slowloris: target <host ip> is still up...
> > NSE: http-slowloris: <host ip> has slowed down by 108%
> > (a bunch of socket errors as connections are going down)
> > NSE: http-slowloris: target <host ip> is still up...
> > (the script tries to replace broken connections)
> > NSE: http-slowloris: HTTP stream started.
> > (only with -d2)
> > NSE: http-slowloris: SERVER SLOWING DOWN by 387 percent (3733 ms).
> > (a bunch of errors, same reason)
> > NSE: http-slowloris: DoS CONDITION REACHED ! server down.
> >
> > Nmap scan report for <host name> (<host ip>)
> > Host is up, received user-set (0.14s latency).
> > Scanned at 2011-04-10 08:09:40 CEST for 220s
> > PORT   STATE SERVICE REASON
> > 80/tcp open  http    syn-ack
> > | http-slowloris:
> > | Target was DoSed:
> > | the attack took +3m40s
> > | with 32 concurrent connections
> > |_ with 66 queries sent
> >
> > (*) https://secwiki.org/w/Nmap/Script_Ideas#http-slowloris
> > (**) http://ha.ckers.org/slowloris/
> >
> > Regards,
> >
> > A.G.
> > _______________________________________________
> > Sent through the nmap-dev mailing list
> > http://cgi.insecure.org/mailman/listinfo/nmap-dev
> > Archived at http://seclists.org/nmap-dev/