Home page logo
/

nmap-dev logo Nmap Development mailing list archives

[NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack
From: Gutek <ange.gutek () gmail com>
Date: Sun, 20 Mar 2011 07:51:49 +0100


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi folks,

As requested on the NSE Wiki (
https://secwiki.org/w/Nmap/Script_Ideas#http-slowloris ), here is a
draft for a script triggering the Slowloris denial of service attack.
As a draft, currently it just launches the attack without taking care
whether it's a success or not, hence this draft will not produce any
output and will run 'forever'. Monitoring is made with the debugging
option (-d).

Script header:
- -------------------
description = [[
Tests a webserver against the Slowloris DoS attack, as it was described
at Defcon 17 by RSnake
(see http://ha.ckers.org/slowloris/)

This script opens and maintains numerous 'half-http' connections until
the webserver runs out of ressources,
leading to a denial of service.
When the DoS condition is met the script then stops the attack and
returns the payload datas as they could be usefull to tweak further
filtering rules:
- - Time taken until DoS
- - Number of threads used
- - Number of queries sent (or: amount of datas sent, in bytes)

TODO
o Add a stopping mechanism
  + reserve a thread to monitor the webserver from time to time. If not
responding, then stop.
o Analyze the threads: if the number of effective connections is lower
than required by the script, maybe notify of a potential filtering rule
ahead.
o Add user-supplied arguments:
  + threads, the max number of concurrent connections on the target: on
Windows it seems to be limited to 130
  + timeout, time to wait before sending new http header datas in order
to maintain the connection. Defaults to 100 seconds, but could be
measured as slowloris.pl does

]]

- ---
- -- @usage
- -- nmap --script http-slowloris --script-args
http-slowloris.threads=500 http-slowloris.timeout=200 <target>
- --
- -- @args http-slowloris.threads The max number of concurrent
connections on the target: on Windows it seems to be limited to 130.
- -- @args http-slowloris.timeout Time to wait before sending new http
header datas in order to maintain the connection. Defaults to 100 seconds.
- --
- -- () output
- -- 80/tcp  open   http    syn-ack
- -- |  http-slowloris: Target was DoSed:
- -- |  the attack took <time> to succeed
- -- |  with <threads> concurrent connections
- -- |_ with <queries||bytes> sent

As you can see at this time the script is pretty simple with just, say,
the main core. I think it's the best moment to call for contributors, as
it's still easy to understand.
So...anyone wants to help ? _o/

Regards,

A.G.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.12 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org/

iEYEARECAAYFAk2FpAUACgkQ3aDTTO0ha7ji9wCfTj+4cjvLtEpmNI1jhadloy9q
gZEAnRq7AkvKFXt2fLMhOjSWxLwmhKOj
=0Plc
-----END PGP SIGNATURE-----

Attachment: http-slowloris.nse
Description:

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
  • [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack Gutek (Mar 20)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault