Nmap Development mailing list archives

Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack

From: David Fifield <david () bamsoftware com>
Date: Fri, 29 Apr 2011 11:36:43 -0700

On Sat, Apr 23, 2011 at 05:18:38PM +0200, Gutek wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,

Here is an updated version with user-supplied arguments and Toni's
suggestions about the output while attacking:
- - Verbosity level 1, a status reminder
- - Verbosity level 2, a real-time monitor

Also the final script output has been modified accordingly.

Sample :
- -- Initiating NSE at 09:42                                          
- -- NSE: http-slowloris(status reminder): target <ip> is still up...
- -- NSE: http-slowloris(status reminder): (initial target response time
is 263ms)
- -- NSE: http-slowloris: 22 effective
connections                               
- -- NSE: http-slowloris(status reminder): target <ip> is still up...
- -- NSE: http-slowloris(status reminder): HTTP stream started.
- -- NSE: http-slowloris(status reminder): <ip> has slowed down by 290%
- -- Verbosity Increased to 2.                                        
- -- NSE: http-slowloris(monitor): server has recovered its
responsiveness (304ms).
- -- NSE: http-slowloris(monitor): server slowing down by 367%
(965ms).           
- -- NSE: http-slowloris: lost connection, 21 still
remain                        
- -- NSE: http-slowloris(monitor): server slowing down by 405%
(1064ms).          
- -- NSE: http-slowloris: 22 effective
connections                                
- -- (...)                        
- -- NSE: http-slowloris(monitor): server slowing down by 2418%
(6359ms).         
- -- NSE: http-slowloris(monitor): server slowing down by 2418% (6359ms).
- -- NSE: http-slowloris(monitor): DoS CONDITION REACHED ! server down.
- -- 80/tcp  open   http    syn-ack
- -- |  http-slowloris: Vulnerable:
- -- |  the DoS attack took <time>
- -- |  with <threads> concurrent connections
- -- |_ and <queries> sent queries


I tried this against Apache and thttpd and it seems to get to 22
connections and then nto make any more progress, and the server remains
responsive? What do you recommend I should try to make this test work?
I attach Nmap and thttpd logs.

David Fifield

Attachment: slowloris.nmap
Description:

Attachment: slowloris.thttpd
Description:

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

Current thread:

Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack Gutek (Apr 10)
- Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack Toni Ruottu (Apr 10)
  - Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack Toni Ruottu (Apr 14)
    - Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack Gutek (Apr 14)
    - Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack Toni Ruottu (Apr 14)
    - Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack Gutek (Apr 14)
    - Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack Gutek (Apr 23)
    - Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack David Fifield (Apr 29)
    - Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack Gutek (Apr 30)
    - Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack Toni Ruottu (Apr 30)
    - Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack Gutek (Apr 30)
    - Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack Patrik Karlsson (Apr 30)
    - Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack Henri Doreau (Apr 30)
    - Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack Patrik Karlsson (Apr 30)
    - Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack Gutek (Apr 30)
    - Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack Toni Ruottu (May 17)
    - Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack Gutek (May 17)
    - Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack Gutek (May 22)

(Thread continues...)