Nmap Development mailing list archives
Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack
From: Patrik Karlsson <patrik () cqure net>
Date: Sun, 12 Jun 2011 21:37:42 +0200
On Jun 12, 2011, at 4:04 PM, Gutek wrote:
> On 10/06/2011 12:12, Henri Doreau wrote:
> > I also have some suggestions:
> > - it would be nice if the script could handle a global timeout, and give up if the server is still vulnerable after this time.
> > - also report results for non-vulnerable servers.
>
> I have a problem here with a global timeout to see if a given target is still (or is not) vulnerable: targets react very differently when facing this attack, some dying in minutes, some dying in hours. I don't know if we can define a time beyond which someone can say that a given target will not collapse.
> It's like considering a bridge and say "how many 38T trucks can it handle?". We send 1, 2...10 without collapsing, but maybe the 100th would have crashed it. So where do I put the global cursor?
> This would require asking the user about the presumed weakness of his server. For example, if he considers it "weak", then a 10 minutes max attack would be sufficient to state about this vulnerability. But if he considers it "strong", the script would have to run maybe a day long to be sure. But this means defining "weak" and "strong" in terms of numbers. Not speaking about "blind" conditions when testing an unknown target.
> On the other hand I agree that the attack can not last for ever. I just can't say "how" (in fact, "when") to stop it.
>
> > Finally, I sometimes have the following error at the end of the execution but lack time to investigate it further:
> > """
> > nmap --script http-slowloris-orig -p80 --max-parallelism 300 -vvv -dd 192.168.1.1
> > <...>
> > NSE: Finished 'http-slowloris' worker (thread: 0x801a5b500) against 192.168.1.1:80.
> > NSE: Script Engine Scan Aborted.
> > An error was thrown by the engine: ./nse_main.lua:298: attempt to index field '?' (a nil value)
> > stack traceback:
> > ./nse_main.lua:298: in function 'close'
> > ./nse_main.lua:848: in function 'run'
> > ./nse_main.lua:1133: in function <./nse_main.lua:1052>
> > [C]: ?
> > """
> > Have you also seen this one?
>
> Yes, I have also got it.
> I have to investigate further on it when we are done with the script's functionalities, as it's non blocking by now.

I've seen similar stack traces when the main thread exits the action function before the worker threads have all stopped. Don't know if this is the problem here though, I haven't looked close enough through the code.

> don't know why, but this famous quote comes to my mind "This is not mission difficult, Mr. Hunt, it's mission impossible" :)
>
> A.G.
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
> Archived at http://seclists.org/nmap-dev/
//Patrik
--
Patrik Karlsson
http://www.cqure.net
http://www.twitter.com/nevdull77