Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack
From: Henri Doreau <henri.doreau () greenbone net>
Date: Fri, 10 Jun 2011 12:12:53 +0200
2011/6/3 Ange Gutek <ange.gutek () gmail com>:
> Thank you for that valuable advice. With a (huge) delay, here is a fixed
Thanks for this new version. I have tested and reviewed it. Please
find attached a slightly modified version with the following changes:
- fixed a couple of typos
- renamed doHalfhttp -> doHalfHTTP
- fixed indentation
- used host.targetname (if available) instead of host.ip. This can
have an impact on HTTP systems
- the stdnse.print_verbose function makes the "if nmap.verbosity() > X"
checks unnecessary. I think that stdnse.print_debug would fit even
better here (and I took the liberty of replacing them with that one).
- Used stdnse.parse_timespec to parse http-slowloris.timeout to keep
it consistent with other time specification parameters. Also moved
this to the action function so that it's only executed once.
- added DEFAULT_TIMEOUT and MAX_ATTACK_THREADS constants to replace
- removed unused variable "last_message"
- removed variable "count" in doHalfHTTP. Maybe I'm just missing
something, but I can't see why not simply operate on the "Threads"
variable. And don't we have a race condition here?
    local count = Threads -- Threads is shared between all threads
    count = count + 1
    Threads = count       -- Threads might have changed and its value would
                          -- then be overwritten there?
I am not entirely sure as NSE threads aren't real native threads.
Could someone review the accesses to shared variables?
I also have some suggestions:
- it would be nice if the script could handle a global timeout, and
give up if the server is still vulnerable after this time.
- also report results for non-vulnerable servers.
- maybe manually catch errors instead of using the try/catch system,
in order to avoid having all these stacktraces and errors displayed
when connections die or fail?
- what about using the nmap user agent?
Finally, I sometimes get the following error at the end of the
execution, but lack the time to investigate it further:
nmap --script http-slowloris-orig -p80 --max-parallelism 300 -vvv -dd
NSE: Finished 'http-slowloris' worker (thread: 0x801a5b500) against
NSE: Script Engine Scan Aborted.
An error was thrown by the engine: ./nse_main.lua:298: attempt to
index field '?' (a nil value)
./nse_main.lua:298: in function 'close'
./nse_main.lua:848: in function 'run'
./nse_main.lua:1133: in function <./nse_main.lua:1052>
Have you also seen this one?
Henri Doreau | Greenbone Networks GmbH | http://www.greenbone.net
Neuer Graben 17, 49074 Osnabrueck, Germany | AG Osnabrueck, HR B 202460
Executive Directors: Lukas Grunwald, Dr. Jan-Oliver Wagner
Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/
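NSE runs each script thread as a Lua coroutine and switches between threads only when one of them yields, which in practice happens inside socket operations and other engine calls, not between ordinary Lua statements. The following example is added here by the editor; it is not part of the message above nor of the http-slowloris script. It mimics that cooperative scheduling in plain Lua (run_all, spawn and the yield placement are assumptions of the example) to show under which condition the read-modify-write on Threads that Henri asks about would actually lose an update: only when a yield sits between the read and the write.

```lua
-- Added example (editor's code, not from the message or from nmap): a
-- minimal round-robin coroutine scheduler standing in for the NSE engine.
-- In NSE, coroutine.yield() corresponds to a socket call (connect, send,
-- receive ...) handing control back to the engine.
local function run_all(threads)
  while #threads > 0 do
    for i = #threads, 1, -1 do
      local co = threads[i]
      local ok, err = coroutine.resume(co)
      assert(ok, err)
      if coroutine.status(co) == "dead" then
        table.remove(threads, i)
      end
    end
  end
end

-- Spawn N coroutines running the same function (assumed helper).
local N = 10
local function spawn(fn)
  local list = {}
  for _ = 1, N do
    list[#list + 1] = coroutine.create(fn)
  end
  return list
end

-- Case 1: the increment exactly as in the reviewed script, with no yield
-- between the read and the write. No other coroutine can run in between,
-- so every increment is observed.
local Threads = 0
local function increment_no_yield()
  local count = Threads -- read of the shared variable
  count = count + 1
  Threads = count       -- write; no engine switch could happen in between
  coroutine.yield()     -- a later socket operation, after the update
end

-- Case 2: the same increment with a yield (e.g. a socket:connect()) placed
-- between the read and the write. Every coroutine reads the stale value
-- before any of them writes, so all but one update are lost.
local Threads2 = 0
local function increment_with_yield()
  local count = Threads2 -- read of the shared variable
  coroutine.yield()      -- engine switch: other threads run here
  count = count + 1
  Threads2 = count       -- writes a value computed from stale state
end

run_all(spawn(increment_no_yield))
run_all(spawn(increment_with_yield))

print(("no yield between read and write: Threads = %d (expected %d)")
  :format(Threads, N))
print(("yield between read and write:    Threads = %d (expected %d)")
  :format(Threads2, N))
```

With the sequence as quoted in the message, the first case applies: the three statements contain no yield, so the scheduler cannot interleave them and the counter ends at N. The second case is what to look for when auditing shared-variable accesses in a script: any socket or engine call between reading a shared value and writing it back reopens the window, and the counter ends at 1 regardless of N.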