Nmap Development mailing list archives

Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack

From: Toni Ruottu <toni.ruottu () iki fi>
Date: Sat, 19 Nov 2011 19:04:29 +0200

David, I do not fully understand what you are after. Could you kindly
describe how a perfect version of this script would work.
On 8 Oct 2011 03:45, "David Fifield" <david () bamsoftware com> wrote:

On Fri, Jun 17, 2011 at 06:54:59PM +0200, Henri Doreau wrote:

2011/6/12 Gutek <ange.gutek () gmail com>:

So where do I put the global cursor ?
This would require asking the user about the presumed weakness of his
server. For example, if he considers it "weak", then a 10 minutes max
attack would be sufficient to state about this vulnerability. But if he
considers it "strong", the script would have to run maybe a day long to
be sure. But this means defining "weak" and "strong" in terms of
numbers. Not speaking about "blind" conditions when testing an unkown
target.
On the other hand I agree that the attack can not last for ever. I just
can't say "how" (in fact, "when") stop it.

Ok, as you understood I meant "give up if the server is still alive".

The attack will reach a stable state (max number of alive connections)
after a while. Wouldn't that make sense to give up and consider that
the server is not vulnerable if the target is still alive at this
point? It wouldn't mean that the target is not vulnerable to slowloris
attacks, but it not with the selected
--max-parallelism/MAX_ATTACK_THREADS combo.


I agree with this. I want to add this script, but right now it is only
capable of returning "Vulnerable" (or running forever, I suppose). I
tried it against my web server. It didn't seem to slow down the server,
but the report came back "Vulnerable" after about 5 minutes. Maybe the
fact that all the worker threads died is not a reliable indication that
the server shut down?

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

Current thread:

Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack David Fifield (Oct 07)
- Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack Toni Ruottu (Nov 19)