Nmap Development mailing list archives

Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack


From: Henri Doreau <henri.doreau () greenbone net>
Date: Fri, 10 Jun 2011 12:12:53 +0200

2011/6/3 Ange Gutek <ange.gutek () gmail com>:
> Thank you for those valuable advice. With a (huge) delay, here is a fixed
> version

Hi Ange,

thanks for this new version. I have tested and reviewed it. Please
find attached a slightly modified version with the following changes:
  - fixed a couple of typos
  - renamed doHalfhttp -> doHalfHTTP
  - fixed indentation
  - used host.targetname (if available) instead of host.ip. This can
have an impact on HTTP systems
  - the stdnse.print_verbose function makes the "if nmap.verbosity() > X"
checks unnecessary. I think that stdnse.print_debug would fit even
better here (and I took the liberty of replacing it with this one).
  - Used stdnse.parse_timespec to parse http-slowloris.timeout to keep
it consistent with other time specification parameters. Also moved
this to the action function so that it's only executed once.
  - added DEFAULT_TIMEOUT and MAX_ATTACK_THREADS constants to replace
hardcoded values
  - removed unused variable "last_message"
  - removed variable "count" in doHalfHTTP. Maybe I'm just missing
something but I can't see why not simply operate on the "Threads"
variable. And don't we have a race condition here?
"""
local count = Threads -- Threads is shared between all threads
count = count + 1
Threads = count -- Threads might have changed and its value would then
                -- be overwritten there?
"""
I am not entirely sure as NSE threads aren't real native threads.
Could someone review the accesses to shared variables?


I also have some suggestions:
  - it would be nice if the script could handle a global timeout, and
give up if the server is still vulnerable after this time.
  - also report results for non-vulnerable servers.
  - maybe manually catch errors instead of using the try/catch system,
in order to avoid having all these stacktraces and errors displayed
when connections die or fail?
  - what about using the nmap user agent?


Finally, I sometimes have the following error at the end of the
execution but lack time to investigate it further:
"""
nmap --script http-slowloris-orig -p80 --max-parallelism 300 -vvv -dd
192.168.1.1
<...>
NSE: Finished 'http-slowloris' worker (thread: 0x801a5b500) against
192.168.1.1:80.
NSE: Script Engine Scan Aborted.
An error was thrown by the engine: ./nse_main.lua:298: attempt to
index field '?' (a nil value)
stack traceback:
        ./nse_main.lua:298: in function 'close'
        ./nse_main.lua:848: in function 'run'
        ./nse_main.lua:1133: in function <./nse_main.lua:1052>
        [C]: ?
"""
Have you also seen this one?

Regards.


-- 
Henri Doreau |  Greenbone Networks GmbH  |  http://www.greenbone.net
Neuer Graben 17, 49074 Osnabrueck, Germany | AG Osnabrueck, HR B 202460
Executive Directors: Lukas Grunwald, Dr. Jan-Oliver Wagner

Attachment: http-slowloris.nse

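An added illustration of the lost-update scenario Henri asks about (example code written for this page, not the http-slowloris script or anything from the thread): NSE workers are Lua coroutines, so a worker only gives up the CPU when it yields, typically on socket I/O. The hypothetical round-robin scheduler and the explicit coroutine.yield() below are assumptions standing in for the NSE engine and a blocking socket call; they show that the read/yield/write interleaving loses increments, while an increment with no yield between read and write does not.

```lua
-- Added example (not from the thread or the http-slowloris script).
-- Shared counter, as in the script's global "Threads" variable.
local Threads = 0

-- Unsafe pattern: read the shared value, yield (as a blocking socket
-- call inside an NSE worker would), then write the stale value back.
local function increment_with_yield()
  local count = Threads   -- read shared value
  coroutine.yield()       -- another worker may run here
  Threads = count + 1     -- overwrites whatever the others wrote
end

-- Safe pattern: no yield between read and write, so the increment
-- cannot be interleaved with another worker under cooperative scheduling.
local function increment_atomic()
  Threads = Threads + 1
end

-- Hypothetical round-robin scheduler standing in for the NSE engine:
-- resumes every live worker in turn until all of them have finished.
local function run_workers(n, body)
  Threads = 0
  local workers = {}
  for i = 1, n do workers[i] = coroutine.create(body) end
  local alive = true
  while alive do
    alive = false
    for _, co in ipairs(workers) do
      if coroutine.status(co) ~= "dead" then
        assert(coroutine.resume(co))
        alive = true
      end
    end
  end
  return Threads
end

-- With 10 workers, the yielding variant ends far below 10 because every
-- worker read 0 before any of them wrote; the atomic variant reaches 10.
print("with yield between read/write:", run_workers(10, increment_with_yield))
print("atomic increment:             ", run_workers(10, increment_atomic))
```

Run it with a stand-alone Lua interpreter; the same reasoning applies inside NSE, where the yield point would be a socket call rather than an explicit coroutine.yield().
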
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
