Nmap Development mailing list archives

Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack

From: Toni Ruottu <toni.ruottu () iki fi>
Date: Mon, 23 May 2011 01:36:06 +0300

Thank you. This was useful analyses.

On Mon, May 23, 2011 at 12:35 AM, Gutek <ange.gutek () gmail com> wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Le 22/05/2011 16:27, Toni Ruottu a écrit :

Can we/did you do performance testing to compare this with original
slowloris? Maybe just running both a couple of times against the same
target, and comparing the times, would do.

Hard to say. Besides they obviousy share the same core principle, they
work differently mainly because of the monitoring function in the nse
version.
This monitoring function aims to stop the attack when it seems to be
successfull but it doesn't give the exact moment the webserver is down:
it's a matter of timeouts and sockets dying. The original perl script is
blind and attacks "forever".

The original perl script also proposes some "expert" tuning options that
are not implemented in the nse (delay between concurrent connections,
timeout measurement to feed "on the edge" during the attack, etc.).
Against specific targets they make the original script obviously more
efficient, but I think a nse script doesn't need them : we are in the
case where a proper third party tool is better than a complex nmap
command line with a bunch of script-args.

If I would have to give a comparison, I would say that, like most of the
nse scripts, the original tool is better for a specific attack and the
nse version is more usefull to test and report a potential issue.

A.G.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.12 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org/

iEYEARECAAYFAk3ZgaEACgkQ3aDTTO0ha7iRrQCeIuvmuJ5ac9eysZykw3rpFIBX
du8An099VpuQbFLXrTsKdfKSnw2e33m4
=yjvq
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

Current thread:

Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack, (continued)
- - - Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack Gutek (Apr 30)
    - Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack Patrik Karlsson (Apr 30)
    - Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack Henri Doreau (Apr 30)
    - Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack Patrik Karlsson (Apr 30)
    - Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack Gutek (Apr 30)
    - Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack Toni Ruottu (May 17)
    - Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack Gutek (May 17)
    - Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack Gutek (May 22)
    - Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack Toni Ruottu (May 22)
    - Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack Gutek (May 22)
    - Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack Toni Ruottu (May 22)
    - Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack Patrick Donnelly (May 23)
    - Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack Patrick Donnelly (May 01)