Nmap Development mailing list archives

Re: [NSE] http-slowloris


From: Aleksandar Nikolic <nikolic.alek () gmail com>
Date: Tue, 17 Jul 2012 17:04:33 +0200

That is odd, not sure what would cause it to hang forever.
Will try to replicate this behavior and see what's up.

Thanks,
Aleksandar

On Tue, Jul 17, 2012 at 4:55 PM, David Fifield <david () bamsoftware com> wrote:
On Mon, Jul 16, 2012 at 03:26:47PM +0200, Aleksandar Nikolic wrote:
Hi all,

I've just committed the last changes to this script
and I think it's ready.

As the name suggests, it performs a slowloris DoS attack against an
HTTP server.

As the script requires quite a few active connections, in order
for it to work you need to raise NSE's max parallelism setting
by specifying a high --max-parallelism value.
In my tests the appropriate value was 400 to 500, but the more
the merrier.

Nice work, Aleksandar.

I found some surprising behavior when I kill the web server in the
middle of the test.

thttpd -p 8080 -D -l /dev/stdout
./nmap --script=http-slowloris --max-parallelism 400 localhost -p 8080 -d

When I ctrl-C the server, I see a ton of these messages (with the "still
remain" counter decrementing):

NSE: MONITOR:  (monitor on 127.0.0.1): Monitoring has shut down due to lack of response from the webserver.
NSE: http-slowloris against 127.0.0.1:8080 threw an error!
NSE: HALF_HTTP: : lost connection, 399 still remain
NSE: http-slowloris against 127.0.0.1:8080 threw an error!
NSE: HALF_HTTP: : lost connection, 398 still remain
NSE: http-slowloris against 127.0.0.1:8080 threw an error!
NSE: HALF_HTTP: : lost connection, 397 still remain
NSE: http-slowloris against 127.0.0.1:8080 threw an error!

This goes on and on until finally:

NSE: HALF_HTTP: : lost connection, -623 still remain
NSE: http-slowloris against 127.0.0.1:8080 threw an error!
NSE: HALF_HTTP: : lost connection, -624 still remain
NSE: http-slowloris against 127.0.0.1:8080 threw an error!
NSE: HALF_HTTP: : lost connection, -625 still remain
NSE: http-slowloris against 127.0.0.1:8080 threw an error!
NSE: HALF_HTTP: : lost connection, -626 still remain
NSE: http-slowloris against 127.0.0.1:8080 threw an error!
NSE Timing: About 99.90% done; ETC: 07:47 (0:00:00 remaining)
NSE Timing: About 99.90% done; ETC: 07:47 (0:00:00 remaining)
NSE Timing: About 99.90% done; ETC: 07:48 (0:00:00 remaining)

And then it appears to hang forever.

David Fifield