Home page logo

nmap-dev logo Nmap Development mailing list archives

Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack
From: Toni Ruottu <toni.ruottu () iki fi>
Date: Mon, 23 May 2011 01:36:06 +0300

Thank you. This was useful analyses.

On Mon, May 23, 2011 at 12:35 AM, Gutek <ange.gutek () gmail com> wrote:
Hash: SHA1

Le 22/05/2011 16:27, Toni Ruottu a écrit :
Can we/did you do performance testing to compare this with original
slowloris? Maybe just running both a couple of times against the same
target, and comparing the times, would do.

Hard to say. Besides they obviousy share the same core principle, they
work differently mainly because of the monitoring function in the nse
This monitoring function aims to stop the attack when it seems to be
successfull but it doesn't give the exact moment the webserver is down:
it's a matter of timeouts and sockets dying. The original perl script is
blind and attacks "forever".

The original perl script also proposes some "expert" tuning options that
are not implemented in the nse (delay between concurrent connections,
timeout measurement to feed "on the edge" during the attack, etc.).
Against specific targets they make the original script obviously more
efficient, but I think a nse script doesn't need them : we are in the
case where a proper third party tool is better than a complex nmap
command line with a bunch of script-args.

If I would have to give a comparison, I would say that, like most of the
nse scripts, the original tool is better for a specific attack and the
nse version is more usefull to test and report a potential issue.


Version: GnuPG v2.0.12 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org/


Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]