
Nmap Development mailing list archives

Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack
From: Gutek <ange.gutek () gmail com>
Date: Sat, 30 Apr 2011 09:59:12 +0200

On 29/04/2011 20:36, David Fifield wrote:
> I tried this against Apache and thttpd and it seems to get to 22
> connections and then not make any more progress, and the server remains
> responsive? What do you recommend I should try to make this test work?
> I attach Nmap and thttpd logs.
>
> David Fifield

The slowloris attack is based on memory consumption or exhaustion of
allowed connections (MaxClients argument inside httpd.conf, often set on
shared hosting solutions for example).

The memory consumption condition is a problem when attacking a home test
server, as in this scenario the webserver has gigas to handle the load
and so has nearly no resource limit.
Conditions and resources available are very different when dealing with
dedicated hosts, virtual private servers or shared hosting (I do my
tests against my own weakened vps abroad). In a sense they are weaker
than a home test server because they are more exposed to heavy load with
lower resources allowed.
That's why they try to protect those resources against such attacks
with load balancers, iptables rules and configuration rules (MaxClients,
MaxKeepAliveRequests, KeepAliveTimeout).

In your test it seems that, although being unsuccessful, the server was
stressed enough to slow down by about 2200%. However, the attack load
was insufficient due to the low number of concurrent connections (22).

And here comes my big problem: until then, I did not notice that this
number was, in fact, stuck at this number and never more!

I have done several other tests since yesterday and compared the streams
with wireshark between the original slowloris.pl and my nse script: they
both send exactly the same payloads... except that slowloris.pl goes
beyond the 22 connections. I can't explain why.

In case an expert is kind enough to find an explanation, I'm attaching
both the script and the original slowloris.pl.



Attachment: slowloris.pl

Attachment: http-slowloris.nse

Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/
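
An added example, not part of the original post or of the attached scripts: a defender-side check for the condition discussed in the message, where a client holds many connections open without completing its requests and eats into the MaxClients budget. The rows are constructed sample data modelled on the Client, M and SS columns of Apache mod_status; the function name, thresholds and the MaxClients values 256 and 30 are assumptions for illustration.

```python
from collections import Counter

# Constructed sample: (client_ip, worker_mode, seconds_in_state).
# Modes follow mod_status: "R" reading request, "W" sending reply,
# "K" keepalive. 22 stalled connections mirrors the count in the thread.
SAMPLE_WORKERS = (
    [("198.51.100.7", "R", 40 + i) for i in range(22)]
    + [("203.0.113.5", "W", 1), ("203.0.113.9", "K", 3), ("203.0.113.9", "R", 0)]
)


def slow_header_report(workers, max_clients, min_age=10, per_client_limit=10):
    """Summarise workers stuck reading a request and who is holding them.

    A worker counts as stalled when it has been in mode "R" for at least
    min_age seconds. A client is a suspect when it holds at least
    per_client_limit stalled workers. slot_usage is the share of the
    MaxClients budget consumed by stalled workers.
    """
    stalled = Counter(
        ip for ip, mode, age in workers if mode == "R" and age >= min_age
    )
    total_stalled = sum(stalled.values())
    return {
        "suspects": {ip: n for ip, n in stalled.items() if n >= per_client_limit},
        "stalled_workers": total_stalled,
        "slot_usage": total_stalled / max_clients,
    }


if __name__ == "__main__":
    # Same traffic, two assumed limits: a roomy test server and a
    # tightly capped shared host.
    for max_clients in (256, 30):
        report = slow_header_report(SAMPLE_WORKERS, max_clients)
        print(f"MaxClients={max_clients}: {report}")
```

The same 22 stalled connections take under a tenth of the slots with the larger limit and almost three quarters with the smaller one, which is the difference between the home test server and the constrained hosts described in the message.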
