Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack
From: Ron <ron () skullsecurity net>
Date: Fri, 17 Jun 2011 12:00:14 -0500

Scripts that check whether a server stops responding tend to be prone to false positives. So make sure you're careful 
on the output. 

(I haven't completely read the discussion, so you may have already talked about that - just wanted to be sure)

Ron

On Sun, 20 Mar 2011 07:51:49 +0100 Gutek <ange.gutek () gmail com> wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi folks,

As requested on the NSE Wiki (
https://secwiki.org/w/Nmap/Script_Ideas#http-slowloris ), here is a
draft for a script triggering the Slowloris denial of service attack.
As a draft, currently it just launches the attack without taking care
whether it's a success or not, hence this draft will not produce any
output and will run 'forever'. Monitoring is made with the debugging
option (-d).

Script header:
- -------------------
description = [[
Tests a webserver against the Slowloris DoS attack, as it was
described at Defcon 17 by RSnake
(see http://ha.ckers.org/slowloris/)

This script opens and maintains numerous 'half-http' connections until
the webserver runs out of ressources,
leading to a denial of service.
When the DoS condition is met the script then stops the attack and
returns the payload datas as they could be usefull to tweak further
filtering rules:
- - Time taken until DoS
- - Number of threads used
- - Number of queries sent (or: amount of datas sent, in bytes)

TODO
o Add a stopping mechanism
  + reserve a thread to monitor the webserver from time to time. If
not responding, then stop.
o Analyze the threads: if the number of effective connections is lower
than required by the script, maybe notify of a potential filtering
rule ahead.
o Add user-supplied arguments:
  + threads, the max number of concurrent connections on the target:
on Windows it seems to be limited to 130
  + timeout, time to wait before sending new http header datas in
order to maintain the connection. Defaults to 100 seconds, but could
be measured as slowloris.pl does

]]

- ---
- -- @usage
- -- nmap --script http-slowloris --script-args
http-slowloris.threads=500 http-slowloris.timeout=200 <target>
- --
- -- @args http-slowloris.threads The max number of concurrent
connections on the target: on Windows it seems to be limited to 130.
- -- @args http-slowloris.timeout Time to wait before sending new http
header datas in order to maintain the connection. Defaults to 100
seconds.
- --
- -- () output
- -- 80/tcp  open   http    syn-ack
- -- |  http-slowloris: Target was DoSed:
- -- |  the attack took <time> to succeed
- -- |  with <threads> concurrent connections
- -- |_ with <queries||bytes> sent

As you can see at this time the script is pretty simple with just,
say, the main core. I think it's the best moment to call for
contributors, as it's still easy to understand.
So...anyone wants to help ? _o/

Regards,

A.G.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.12 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org/

iEYEARECAAYFAk2FpAUACgkQ3aDTTO0ha7ji9wCfTj+4cjvLtEpmNI1jhadloy9q
gZEAnRq7AkvKFXt2fLMhOjSWxLwmhKOj
=0Plc
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]