Nmap Development mailing list archives
Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack
From: Henri Doreau <henri.doreau () greenbone net>
Date: Fri, 10 Jun 2011 12:12:53 +0200
2011/6/3 Ange Gutek <ange.gutek () gmail com>:
> Thank you for that valuable advice. With a (huge) delay, here is a fixed version
Hi Ange,

thanks for this new version. I have tested and reviewed it. Please find attached a slightly modified version with the following changes:

- fixed a couple typos
- renamed doHalfhttp -> doHalfHTTP
- fixed indentation
- used host.targetname (if available) instead of host.ip. This can have an impact on HTTP systems
- the stdnse.print_verbose function makes unnecessary the "if nmap.verbosity() > X" checks. I think that stdnse.print_debug would fit even better here (and took the freedom to replace with this one).
- Used stdnse.parse_timespec to parse http-slowloris.timeout to keep it consistent with other time specification parameters. Also moved this to the action function so that it's only executed once.
- added DEFAULT_TIMEOUT and MAX_ATTACK_THREADS constants to replace hardcoded values
- removed unused variable "last_message"
- removed variable "count" in doHalfHTTP. Maybe I'm just missing something but I can't see why not simply operating on the "Threads" variable. And don't we have a race condition here?

"""
local count = Threads -- Threads is shared between all threads
count = count + 1
Threads = count -- Threads might have changed and its value would then be overwritten there?
"""

I am not entirely sure as NSE threads aren't real native threads. Could someone review the accesses to shared variables?

I also have some suggestions:

- it would be nice if the script could handle a global timeout, and give up if the server is still vulnerable after this time.
- also report results for non-vulnerable servers.
- maybe manually catch errors instead of using the try/catch system, in order to avoid having all these stacktraces and errors displayed when connections die or fail?
- what about using the nmap user agent?

Finally, I sometimes have the following error at the end of the execution but lack time to investigate it further:

"""
nmap --script http-slowloris-orig -p80 --max-parallelism 300 -vvv -dd 192.168.1.1
<...>
NSE: Finished 'http-slowloris' worker (thread: 0x801a5b500) against 192.168.1.1:80.
NSE: Script Engine Scan Aborted.
An error was thrown by the engine: ./nse_main.lua:298: attempt to index field '?' (a nil value)
stack traceback:
        ./nse_main.lua:298: in function 'close'
        ./nse_main.lua:848: in function 'run'
        ./nse_main.lua:1133: in function <./nse_main.lua:1052>
        [C]: ?
"""

Have you also seen this one?

Regards.

--
Henri Doreau | Greenbone Networks GmbH | http://www.greenbone.net
Neuer Graben 17, 49074 Osnabrueck, Germany | AG Osnabrueck, HR B 202460
Executive Directors: Lukas Grunwald, Dr. Jan-Oliver Wagner
Attachment:
http-slowloris.nse
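The shared-variable question raised in the message above, as an added example that is not part of the original post or the attached script: NSE threads are Lua coroutines and are scheduled cooperatively, so a read-modify-write on a shared variable can only be interleaved if the thread yields between the read and the write. The scheduler and the function names below are hypothetical, and the explicit `coroutine.yield()` stands in for any blocking call that hands control back to the engine.

```lua
-- Added example: models cooperatively scheduled workers as plain Lua coroutines.
-- run_workers, bump_atomic and bump_with_yield are hypothetical names.

local Threads = 0  -- shared counter, named after the variable in the quoted snippet

-- Read-modify-write with no yield in between: no other worker can run
-- between the read and the write, so no update is lost.
local function bump_atomic()
  local count = Threads
  count = count + 1
  Threads = count
end

-- Same update, but the worker yields (as a blocking call would) between
-- the read and the write, so other workers read the same stale value.
local function bump_with_yield()
  local count = Threads
  coroutine.yield()
  count = count + 1
  Threads = count
end

-- Round-robin scheduler: resume every live worker until all have finished,
-- then return the final value of the shared counter.
local function run_workers(n, body)
  Threads = 0
  local workers = {}
  for i = 1, n do workers[i] = coroutine.create(body) end
  local alive = n
  while alive > 0 do
    for i = 1, n do
      local co = workers[i]
      if coroutine.status(co) == "suspended" then
        assert(coroutine.resume(co))
        if coroutine.status(co) == "dead" then alive = alive - 1 end
      end
    end
  end
  return Threads
end

print("no yield between read and write:", run_workers(100, bump_atomic))
print("yield between read and write:   ", run_workers(100, bump_with_yield))
```

The first run counts every worker; the second loses updates because every worker read the counter before any of them wrote it back.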