Nmap Development mailing list archives
Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack
From: Gutek <ange.gutek () gmail com>
Date: Sat, 30 Apr 2011 09:59:12 +0200
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Le 29/04/2011 20:36, David Fifield a écrit :
I tried this against Apache and thttpd and it seems to get to 22 connections and then nto make any more progress, and the server remains responsive? What do you recommend I should try to make this test work? I attach Nmap and thttpd logs. David Fifield
The slowloris attack is based on memory consumption or exhaustion of allowed connexions (MaxClients argument inside httpd.conf, often set on shared hosting solutions for example) The memory consumption condition is a problem when attacking a home test sever, as in this scenario the webserver has gigas to handle the load and so has nearly no ressources limit. Conditions and ressources available are very different when dealing with dedicated hosts, virtual private servers or shared hosting (I do my tests against my own weakened vps abroad). In a sense they are weaker than a home test server because they are more exposed to heavy load with lower ressources allowed. That's why they try to protect those ressources against such attacks with load balancers, iptables rules and configuration rules (MaxClients, MaxKeepAliveRequests, KeepAliveTimeout ) In your test it seems that, although being unsuccessfull, the server was stressed enough to slow down by about 2200%. However, the attack load was insufficient due to the low number of concurrent connexions (22). And here comes my big problem: until then, I did not notice that this number was, in fact, stuck at this number and never more ! I have done several other tests since yesterday and compared the streams with wireshark between the original slowloris.pl and my nse script: they both send exactly the same payloads...except that slowloris.pl goes beyond the 22 connexions. I can't explain why. In case an expert is kind enough to find an explanation, I'm attaching both the script and the original slowloris.pl <lost>A.G.</lost> -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.12 (GNU/Linux) Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org/ iEYEARECAAYFAk27wVAACgkQ3aDTTO0ha7i6EgCeJoZZMNoTsZCbVTPKfiaHnKqJ TScAn2WDcxp5qTLdaKxsjSNvJO59r4Tb =ePzk -----END PGP SIGNATURE-----
Attachment:
slowloris.pl
Description:
Attachment:
http-slowloris.nse
Description:
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack Gutek (Apr 10)
- Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack Toni Ruottu (Apr 10)
- Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack Toni Ruottu (Apr 14)
- Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack Gutek (Apr 14)
- Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack Toni Ruottu (Apr 14)
- Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack Gutek (Apr 14)
- Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack Gutek (Apr 23)
- Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack David Fifield (Apr 29)
- Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack Gutek (Apr 30)
- Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack Toni Ruottu (Apr 30)
- Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack Gutek (Apr 30)
- Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack Patrik Karlsson (Apr 30)
- Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack Henri Doreau (Apr 30)
- Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack Patrik Karlsson (Apr 30)
- Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack Gutek (Apr 30)
- Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack Toni Ruottu (May 17)
- Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack Gutek (May 17)
- Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack Gutek (May 22)
- Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack Toni Ruottu (May 22)
- Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack Toni Ruottu (Apr 14)
- Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack Toni Ruottu (Apr 10)