Posts tagged Slowloris

R-U-Dead-Yet? – Universal HTTP Denial-of-Service

0

This isn’t a R.U.D.Y script, (although A(A)A do have something in development) but a Power Point presentation by Hybrid Security that briefly explains R-U-Dead-Yet?, (aka R.U.D.Y) and compares it to Slowloris.

 

Download link: http://www.megaupload.com/?d=77BD75AA

 

 

>Stopping a Web Server with Slowloris in Ubuntu

0

>

  1. Start Ubuntu.
  2. Open a browser and go to this URL:  ‘http://ha.ckers.org/slowloris
  3. Scroll down to the bottom of the page and right click, the slowloris link ‘save link as’ and save the file to your desktop.
  4. Open another tab and type in your targets URL so you can reload it again later and get lulz when you see it’s down.
  5. Open a terminal and type this command: cd Desktop and hit enter. This moves the working directory to your desktop.
  6. Then type in your terminal: sudo apt-get install perl-doc and enter your password when prompted. This installs the Perl documentation module you’ll need to see the Slowloris help page. Wait while the packages download and install.
  7. Then type this command, (all in one line) and press enter: sudo get-apt install libhtml-parser-perl libio-socket-ssl-perl
  8. When ask yes/no type Y and press enter, this installs some libraries for Slowloris.
  9. Again type another command, this time: perldoc slowloris.pl and hit enter. This will show the documentation for Slowloris. I usually type Crtl+X+Y=enter to save it as a record but if you like you can just scan it and type Crtl+X to get rid of it.
  10. The only way I know to use Slowlorisis a DNS name. So type this command in the terminal and hit enter: cd /etc This moves the working directory to /etc.
  11. In the terminal window type: sudo cp hosts hosts.bak and enter password if requested. This makes a backup copy of the hosts file incase you fuck up, (ya never know).
  12. In terminal type this: sudo nano hosts and hit enter.
  13. The hosts file should open in the nano text editor, add a line containing the IP address of your target and the DNS name – (example.com). Save your changes, Crtl+X+Y+enter.
  14. Then type cd in the terminal and hit enter. This moves the working directory to your home direrctory.
  15. Then type cd Desktop and hit enter, this moves the working directory to your desktop.
  16. Next you should type sudo perl slowloris.pl -dns example.com -port 80 -test hit enter and password if requested. This tests the server to see what it’s timeout window is.
  17. Wait until the test finishes, it will take several minutes. When it’s done it will tell you what timeout value to use….something along the likes of ‘Use 240 seconds for -timeout’.
  18. In the terminal window type, (all one line) sudo perl slowloris.pl -dns example.com -port 80 -timeout 240 -num 500 -tcpto 5 This performs the actual attack, if your time out test told you to use another timeout value use that.
  19. In your browser window reload the target page and you should see an error message that the server is unavailable. The attack has made the target site unavailable to all users. Lulz!
  20. To stop the attack just type Ctrl+C.
  21. The page should load again straight away, and to attack again just repeat whenever you like and really piss ‘em off.
This will also work on other servers but at posting Apache is the only one I have personally tested it on. See ‘http://ha.ckers.org/slowloris

p { margin-bottom: 0.21cm; }

>SlowLoris

2

>

This is the tool as far as I’m concerned…….this fucker MELTS shit! 

(lifted from the excellent blog site ‘ha.ckers’: http://ha.ckers.org/
that unfortunately stop posting in December 2010)

Welcome to Slowloris – the low bandwidth, yet greedy and poisonous HTTP client!
Written by RSnake with help from John Kinsella, and a dash of inspiration from Robert E Lee.
UPDATE 2: Video presentation of Slowloris at DefCon (the middle section of the presentation) can be seen here: Hijacking Web 2.0 Sites with SSLstrip and SlowLoris — Sam Bowne and RSnake at Defcon 17.
UPDATE: Amit Klein pointed me to a post written by Adrian Ilarion Ciobanu written in early 2007 that perfectly describes this denial of service attack. It was also described in 2005 in the “Programming Model Attacks” section of Apache Security. So although there was no tool released at that time these two still technically deserves all the credit for this. I apologize for having missed these.
In considering the ramifications of a slow denial of service attack against particular services, rather than flooding networks, a concept emerged that would allow a single machine to take down another machine’s web server with minimal bandwidth and side effects on unrelated services and ports. The ideal situation for many denial of service attacks is where all other services remain intact but the webserver itself is completely inaccessible. Slowloris was born from this concept, and is therefore relatively very stealthy compared to most flooding tools.
Slowloris holds connections open by sending partial HTTP requests. It continues to send subsequent headers at regular intervals to keep the sockets from closing. In this way webservers can be quickly tied up. In particular, servers that have threading will tend to be vulnerable, by virtue of the fact that they attempt to limit the amount of threading they’ll allow. Slowloris must wait for all the sockets to become available before it’s successful at consuming them, so if it’s a high traffic website, it may take a while for the site to free up it’s sockets. So while you may be unable to see the website from your vantage point, others may still be able to see it until all sockets are freed by them and consumed by Slowloris. This is because other users of the system must finish their requests before the sockets become available for Slowloris to consume. If others re-initiate their connections in that brief time-period they’ll still be able to see the site. So it’s a bit of a race condition, but one that Slowloris will eventually always win – and sooner than later.
Slowloris also has a few stealth features built into it. Firstly, it can be changed to send different host headers, if your target is a virtual host and logs are stored seperately per virtual host. But most importantly, while the attack is underway, the log file won’t be written until the request is completed. So you can keep a server down for minutes at a time without a single log file entry showing up to warn someone who might watching in that instant. Of course once your attack stops or once the session gets shut down there will be several hundred 400 errors in the web server logs. That’s unavoidable as Slowloris sits today, although it may be possible to turn them into 200 OK messages instead by completing a valid request, but Slowloris doesn’t yet do that.
HTTPReady quickly came up as a possible solution to a Slowloris attack, because it won’t cause the HTTP server to launch until a full request is recieved. This is true only for GET and HEAD requests. As long as you give Slowloris the switch to modify it’s method to POST, HTTPReady turns out to be a worthless defense against this type of attack.
This is NOT a TCP DoS, because it is actually making a full TCP connection, not a partial one, however it is making partial HTTP requests. It’s the equivalent of a SYN flood but over HTTP. One example of the difference is that if there are two web-servers running on the same machine one server can be DoSed without affecting the other webserver instance. Slowloris would also theoretically work over other protocols like UDP, if the program was modified slightly and the webserver supported it. Slowloris is also NOT a GET request flooder. Slowloris requires only a few hundred requests at long term and regular intervals, as opposed to tens of thousands on an ongoing basis.
Interestingly enough, in testing this has been shown in at least one instance to lock up database connections and force other strange issues and errors to arise that can allow for fingerprinting and other odd things to become obvious once the DoS is complete and the server attempts to clean itself up. I would guess that this issue arises when the webserver is allowed to open more connections than the database is, causing the database to fail first and for longer than the webserver.
Slowloris lets the webserver return to normal almost instantly (usually within 5 seconds or so). That makes it ideal for certain attacks that may just require a brief down-time. As described in this blog post, DoS is actually very useful for certain types of attacks where timing is key, or as a diversionary tactic, etc….
This affects a number of webservers that use threaded processes and ironically attempt to limit that to prevent memory exhaustion – fixing one problem created another. This includes but is not necessarily limited to the following:

  • Apache 1.x
  • Apache 2.x
  • dhttpd
  • GoAhead WebServer
  • WebSense “block pages” (unconfirmed)
  • Trapeze Wireless Web Portal (unconfirmed)
  • Verizon’s MI424-WR FIOS Cable modem (unconfirmed)
  • Verizon’s Motorola Set-Top Box (port 8082 and requires auth – unconfirmed)
  • BeeWare WAF (unconfirmed)
  • Deny All WAF (unconfirmed)

There are a number of webservers that this doesn’t affect as well, in my testing:

This is obviously not a complete list, and there may be a number of variations on these web-servers that are or are not vulnerable. I didn’t test every configuration or variant, so your mileage may vary. This also may not work if there is an upstream device that somehow limits/buffers/proxies HTTP requests. Please note though that Slowloris only represents one variant of this attack and other variants may have different impacts on other webservers and upstream devices. This command should work on most systems, but please be sure to check the options as well:
perl slowloris.pl -dns example.com
Requirements: This is a Perl program requiring the Perl interpreter with the modules IO::Socket::INET, IO::Socket::SSL, and GetOpt::Long. Slowloris works MUCH better and faster if you have threading, so I highly encourage you to also install threads and threads::shared if you don’t have those modules already. You can install modules using CPAN:

perl -MCPAN -e ‘install IO::Socket::INET’
perl -MCPAN -e ‘install IO::Socket::SSL’ 

Windows users: You probably will not be able to successfuly execute a Slowloris denial of service from Windows even if you use Cygwin. I have not had any luck getting Slowloris to successfuly deny service from within Windows, because Slowloris requires more than a few hundred sockets to work (sometimes a thousand or more), and Windows limits sockets to around 130, from what I’ve seen. I highly suggest you use a *NIX operating system to execute Slowloris from for the best results, and not from within a virtual machine, as that could have unexpected results based on the parent operating system.
Version: Slowloris is currently at version 0.7 – 06/17/2009
Download: slowloris.pl
Getting started: perldoc slowloris.pl
Issues: For a complete list of issues look at the Perl documentation, which explains all of the things to think about when running this denial of service attack.

Go to Top
This site is part of the Network23 network of free blogs.