Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack

[Patrik Karlsson <patrik () cqure net>]

On Jun 12, 2011, at 4:04 PM, Gutek wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Le 10/06/2011 12:12, Henri Doreau a écrit :
> > I also have some suggestions:
> >  - it would be nice if the script could handle a global timeout, and
> > give up if the server is still vulnerable after this time.
> >  - also report results for non-vulnerable servers.
>
> I have a problem here with a global timeout to see if a given target is
> still (or is not) vulnerable: targets react very differently when facing
> this attack, some dying in minutes, some dying in hours. I don't know if
> we can define a time beyond which someone can say that a given target
> will not collapse.
> It's like considering a bridge and say "how many 38T trucks can it
> handle ?". We send 1, 2...10 without collapsing, but maybe the 100th
> would have crashed it.
> So where do I put the global cursor ?
> This would require asking the user about the presumed weakness of his
> server. For example, if he considers it "weak", then a 10 minutes max
> attack would be sufficient to state about this vulnerability. But if he
> considers it "strong", the script would have to run maybe a day long to
> be sure. But this means defining "weak" and "strong" in terms of
> numbers. Not speaking about "blind" conditions when testing an unkown
> target.
> On the other hand I agree that the attack can not last for ever. I just
> can't say "how" (in fact, "when") stop it.
>
> > Finally, I sometimes have the following error at the end of the
> > execution but lack time to investigate it further:
> > """
> > nmap --script http-slowloris-orig -p80 --max-parallelism 300 -vvv -dd
> > 192.168.1.1
> > <...>
> > NSE: Finished 'http-slowloris' worker (thread: 0x801a5b500) against
> > 192.168.1.1:80.
> > NSE: Script Engine Scan Aborted.
> > An error was thrown by the engine: ./nse_main.lua:298: attempt to
> > index field '?' (a nil value)
> > stack traceback:
> >        ./nse_main.lua:298: in function 'close'
> >        ./nse_main.lua:848: in function 'run'
> >        ./nse_main.lua:1133: in function <./nse_main.lua:1052>
> >        [C]: ?
> > """
> > Have you also seen this one?
> Yes, I have also got it. I have to investigate further on it when we
> will be done with the script's functionnalities, as it's non blocking by
> now.

I've seen similar stack traces when the main thread exits the action function before the worker threads have all 
stopped.
Don't know if this is the problem here though, I haven't looked close enough through the code.

> don't know why, but this famous quote comes to my mind "This is not
> mission difficult, Mr. Hunt, it's mission impossible" :)
>
> A.G.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.16 (GNU/Linux)
> Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAk30x4EACgkQ3aDTTO0ha7gRUwCfSHuEdK1OKABaR2oQwblCF2N0
> pTYAnA6LUOsswVXU9T3/sr95VG0rPbqC
> =z9Kt
> -----END PGP SIGNATURE-----
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
> Archived at http://seclists.org/nmap-dev/



//Patrik
--
Patrik Karlsson
http://www.cqure.net
http://www.twitter.com/nevdull77

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/