Nmap Development mailing list archives

Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack


From: Toni Ruottu <toni.ruottu () iki fi>
Date: Sat, 30 Apr 2011 11:38:09 +0300

So the current hypothesis would be that NSE has some hidden connection
limit that Perl does not have?

On Sat, Apr 30, 2011 at 10:59 AM, Gutek <ange.gutek () gmail com> wrote:
On 29/04/2011 20:36, David Fifield wrote:
I tried this against Apache and thttpd and it seems to get to 22
connections and then not make any more progress, and the server remains
responsive? What do you recommend I should try to make this test work?
I attach Nmap and thttpd logs.

David Fifield
The slowloris attack is based on memory consumption or exhaustion of
allowed connections (MaxClients argument inside httpd.conf, often set on
shared hosting solutions for example).

The memory consumption condition is a problem when attacking a home test
server, as in this scenario the webserver has gigabytes to handle the load
and so has nearly no resource limit.
Conditions and resources available are very different when dealing with
dedicated hosts, virtual private servers or shared hosting (I do my
tests against my own weakened VPS abroad). In a sense they are weaker
than a home test server because they are more exposed to heavy load with
lower resources allowed.
That's why they try to protect those resources against such attacks
with load balancers, iptables rules and configuration rules (MaxClients,
MaxKeepAliveRequests, KeepAliveTimeout).

In your test it seems that, although being unsuccessful, the server was
stressed enough to slow down by about 2200%. However, the attack load
was insufficient due to the low number of concurrent connections (22).

And here comes my big problem: until then, I did not notice that this
number was, in fact, stuck at this number and never more!

I have done several other tests since yesterday and compared the streams
with Wireshark between the original slowloris.pl and my NSE script: they
both send exactly the same payloads... except that slowloris.pl goes
beyond the 22 connections. I can't explain why.

In case an expert is kind enough to find an explanation, I'm attaching
both the script and the original slowloris.pl.

A.G.

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
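For the configuration rules the message above names as mitigations (MaxClients, MaxKeepAliveRequests, KeepAliveTimeout), an added example that is not part of the thread or of Nmap: an Apache 2.2 prefork configuration with the weak settings beside hardened ones. All values are illustrative assumptions rather than tuned recommendations, and the mod_reqtimeout module (RequestReadTimeout) is assumed to be loaded.

```apache
# Added example (not from the thread): Apache 2.2 prefork settings that
# govern how many slow, held-open connections it takes to exhaust the
# worker pool. Values are illustrative assumptions.

# --- Weak: a small pool, idle connections kept for minutes, no read
# --- timeout, so partial headers can be trickled in indefinitely.
#<IfModule prefork.c>
#    MaxClients 25
#</IfModule>
#KeepAlive On
#KeepAliveTimeout 300
#MaxKeepAliveRequests 0

# --- Hardened ---
# Size the worker pool to the host instead of inheriting a tiny default.
<IfModule prefork.c>
    MaxClients 256
</IfModule>

# Release idle keep-alive workers quickly and bound the requests a single
# connection may claim.
KeepAlive On
KeepAliveTimeout 5
MaxKeepAliveRequests 100

# mod_reqtimeout (Apache 2.2.15 and later, assumed loaded) frees a worker
# whose client sends the request too slowly: wait at most 20 s for the
# first header byte, extending to at most 40 s only while data keeps
# arriving at 500 bytes/s or more; same rate floor for the body.
<IfModule mod_reqtimeout.c>
    RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
</IfModule>
```

After changing these, `apachectl configtest` validates the syntax and `apachectl graceful` applies it without dropping in-flight requests.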
