Nmap Development mailing list archives

Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack

From: Gutek <ange.gutek () gmail com>
Date: Thu, 14 Apr 2011 19:11:07 +0200

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Le 14/04/2011 18:31, Toni Ruottu a écrit :

Also, you mention some todo items in the comments. Are these still
relevant. Do you just want some light testing and feedback before
final polish, or is this still more like an early prototype?


Indeed, there are still some todos like adding some options but that's
not a big deal, so you've exactly spotted my feeling: waiting for
potential feedbacks and features expectations.

You are saying that performing the attack takes a long time. Slowloris
site links a video where Sam Bowne demonstrates the attack in front of
live audience, and it takes seconds rather than days. Is the nmap
script different, or is it a server-side thing?


It's server-side related. For a demo purpose, Sam did the same I do :
testing against a weakened target that can't handle an heavy load.

As you can see in my Output sample, the script just takes a matter of
minutes to drain the server out of ressources. But in the real world
there are many mechanisms that work like an immune system fighting
against the attack : smart webserver configurations that limit a given
client's queries, load balancers, any filtering system, pending sessions
held by legitimate users that (like Sam said) the Slowloris attack has
to wait for their release etc.

I am just asking these additional questions, so we could look at this
more efficiently while you are away. Have a good time abroad.

Thank you ! off topic, but I'll have to give courses, analysis and
presentations to something like 400 attendees and I must admit that I'm
a bit afraid...

A.G.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.12 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org/

iEYEARECAAYFAk2nKqsACgkQ3aDTTO0ha7hdfACdEBHNszE8N/JlNtofayiT9JuH
DpoAn2V8UqUGF4V1e9SsFATy4UN9EkJb
=UP3e
-----END PGP SIGNATURE-----
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

Current thread:

Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack Gutek (Apr 10)
- Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack Toni Ruottu (Apr 10)
  - Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack Toni Ruottu (Apr 14)
    - Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack Gutek (Apr 14)
    - Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack Toni Ruottu (Apr 14)
    - Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack Gutek (Apr 14)
    - Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack Gutek (Apr 23)
    - Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack David Fifield (Apr 29)
    - Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack Gutek (Apr 30)
    - Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack Toni Ruottu (Apr 30)
    - Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack Gutek (Apr 30)
    - Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack Patrik Karlsson (Apr 30)
    - Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack Henri Doreau (Apr 30)
    - Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack Patrik Karlsson (Apr 30)
    - Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack Gutek (Apr 30)
    - Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack Toni Ruottu (May 17)

(Thread continues...)