Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack
From: Gutek <ange.gutek () gmail com>
Date: Sun, 12 Jun 2011 16:04:49 +0200

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Le 10/06/2011 12:12, Henri Doreau a écrit :
I also have some suggestions:
  - it would be nice if the script could handle a global timeout, and
give up if the server is still vulnerable after this time.
  - also report results for non-vulnerable servers.

I have a problem here with a global timeout to see if a given target is
still (or is not) vulnerable: targets react very differently when facing
this attack, some dying in minutes, some dying in hours. I don't know if
we can define a time beyond which someone can say that a given target
will not collapse.
It's like considering a bridge and say "how many 38T trucks can it
handle ?". We send 1, 2...10 without collapsing, but maybe the 100th
would have crashed it.
So where do I put the global cursor ?
This would require asking the user about the presumed weakness of his
server. For example, if he considers it "weak", then a 10 minutes max
attack would be sufficient to state about this vulnerability. But if he
considers it "strong", the script would have to run maybe a day long to
be sure. But this means defining "weak" and "strong" in terms of
numbers. Not speaking about "blind" conditions when testing an unkown
target.
On the other hand I agree that the attack can not last for ever. I just
can't say "how" (in fact, "when") stop it.

Finally, I sometimes have the following error at the end of the
execution but lack time to investigate it further:
"""
nmap --script http-slowloris-orig -p80 --max-parallelism 300 -vvv -dd
192.168.1.1
<...>
NSE: Finished 'http-slowloris' worker (thread: 0x801a5b500) against
192.168.1.1:80.
NSE: Script Engine Scan Aborted.
An error was thrown by the engine: ./nse_main.lua:298: attempt to
index field '?' (a nil value)
stack traceback:
        ./nse_main.lua:298: in function 'close'
        ./nse_main.lua:848: in function 'run'
        ./nse_main.lua:1133: in function <./nse_main.lua:1052>
        [C]: ?
"""
Have you also seen this one?
Yes, I have also got it. I have to investigate further on it when we
will be done with the script's functionnalities, as it's non blocking by
now.

don't know why, but this famous quote comes to my mind "This is not
mission difficult, Mr. Hunt, it's mission impossible" :)

A.G.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org/

iEYEARECAAYFAk30x4EACgkQ3aDTTO0ha7gRUwCfSHuEdK1OKABaR2oQwblCF2N0
pTYAnA6LUOsswVXU9T3/sr95VG0rPbqC
=z9Kt
-----END PGP SIGNATURE-----
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault