Nmap Development mailing list archives

Re: [NSE] http-slowloris


From: Arturo 'Buanzo' Busleiman <buanzo () buanzo com ar>
Date: Mon, 16 Jul 2012 16:32:23 -0300

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

This is indeed great work guys. Kudos.

On 07/16/2012 04:29 PM, Aleksandar Nikolic wrote:
Hi all,

I am glad this makes you happy! It was an interesting task.

This has been merged into trunk as r29225.

Aleksandar

On Mon, Jul 16, 2012 at 4:24 PM, Toni Ruottu <toni.ruottu () iki fi> wrote:
Thanks go to both of you. It is nice to see good work taken forward. Also, one more reason to
like nmap irc meetings. With enough people present at once it seems to be a lot easier to
plan script development.

On Mon, Jul 16, 2012 at 4:59 PM, Gmail Gutek <ange.gutek () gmail com> wrote:
Hi Aleksandar, You don't know how happy I am that you could achieve this work I've started
many months ago! I had this project at heart but this was maybe too big a piece of meat
for my skills. It needed someone like you to relay on this project and I really want to
thank you for this achievement. As some of you may have noticed (or not...) I am rather
inactive since... Well, a long time now. There are some battles we can't win in this life.
I won't develop this private point but I just wanted to say that those simple things like a
project finally led to its terms, can bring someone, somewhere, some shine and courage even
if you did not imagine that.

Thanks and congrats to you, Aleksandar, and to all of you Nmap devs.

Ange Gutek

-- Sent from my Ithing

On 16 Jul 2012, at 15:26, Aleksandar Nikolic <nikolic.alek () gmail com> wrote:

Hi all,

I've just committed the last changes to this script and I think it's ready.

As the name suggests, it performs a slowloris DoS attack against a http server.

As the script requires quite a few active connections, in order for it to work you need
to raise NSE's max parallelism setting by specifying a high --max-parallelism value. In
my tests the appropriate value was 400 to 500, but the more the merrier.

If you wish to actually test the script, I suggest setting up an Apache server (I've used
the latest version in Ubuntu for my tests). Do note that the latest Apache version is not
vulnerable: the mod_reqtimeout module prevents this attack, so you need to disable it.
mod_reqtimeout is enabled by default on all recent Apache instances as far as I can
tell. Also, in order to test the server against an actual slowloris attack, you should
raise the MaxClients option for Apache to some large value (larger than what you are
using for --max-parallelism).

By default, the script will run until it detects that the server is unavailable (it runs
a thread that acts like a monitor that tries to get a reply from the server every 10
seconds and if it doesn't get a reply 4 times in a row, we consider the attack a success)
or until the timeout runs out (30 minutes by default (timelimit option)).

There's also an option to run the script forever (runforever option) which when set, will
run the attack indefinitely.

I'm attaching the script, so take a look and please share any ideas or improvements.

Thanks to everyone who helped debug an issue with assert failure due to sleep()ing
threads.


Aleksandar
<http-slowloris.nse>
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/



- -- 
? Arturo "Buanzo" Busleiman ? - MUSICA: soundcloud.com/no-carrier
Independent Linux and Security Consultant - 16+y of IT exp. at your service .
OWASPer - http://www.buanzo.com.ar/pro/eng.html                             ..:


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEAREKAAYFAlAEbEcACgkQAlpOsGhXcE3MWgCeKLrLi22ZX7xy123PhUAqnW9p
5KIAnRHqKiaPArolU9IjBNJbiDoUgEiR
=xTNz
-----END PGP SIGNATURE-----
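
The quoted announcement notes that mod_reqtimeout prevents this attack and is enabled by default on recent Apache instances. As an added example (not part of the thread or of the Nmap script), this Python check audits Apache configuration text for that protection; the function name and the sample configurations are constructed here, and it assumes the module is loaded through a LoadModule line rather than compiled in.

```python
import re

# Captures the stage and its initial timeout, e.g. ("header", "20") from
# "header=20-40,MinRate=500".
STAGE_RE = re.compile(r"\b(header|body)=(\d+)", re.IGNORECASE)

def audit_reqtimeout(conf_text):
    """Return findings for Apache config text; an empty list means protected.

    Assumptions: the module is loaded with LoadModule (not compiled in) and
    <IfModule>/virtual-host scoping is ignored; the last directive wins.
    """
    module_loaded = False
    stages = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # Apache comments are whole lines starting with '#'
        words = line.split()
        directive = words[0].lower()
        if directive == "loadmodule" and words[1:2] == ["reqtimeout_module"]:
            module_loaded = True
        elif directive == "requestreadtimeout":
            for stage, secs in STAGE_RE.findall(line):
                stages[stage.lower()] = int(secs)
    if not module_loaded:
        return ["mod_reqtimeout is not loaded"]
    # A timeout of 0 means "no limit", which removes the protection.
    return [f"RequestReadTimeout {s}=0 disables the {s} timeout"
            for s in ("header", "body") if stages.get(s) == 0]

# Constructed sample configurations (not taken from the thread).
HARDENED = """
LoadModule reqtimeout_module modules/mod_reqtimeout.so
RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
"""
TEST_SETUP = """
#LoadModule reqtimeout_module modules/mod_reqtimeout.so
MaxClients 600
"""
ZEROED = """
LoadModule reqtimeout_module modules/mod_reqtimeout.so
RequestReadTimeout header=0 body=20,MinRate=500
"""

if __name__ == "__main__":
    for name, conf in [("hardened", HARDENED), ("test setup", TEST_SETUP), ("zeroed", ZEROED)]:
        print(name, "->", audit_reqtimeout(conf) or "OK")
```

On Debian and Ubuntu layouts the LoadModule line lives in a separate mods-enabled file, so concatenate the included files before passing the text in.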

