Nmap Development mailing list archives

Re: [NSE] http-slowloris


From: David Fifield <david () bamsoftware com>
Date: Tue, 17 Jul 2012 07:55:54 -0700

On Mon, Jul 16, 2012 at 03:26:47PM +0200, Aleksandar Nikolic wrote:
> Hi all,
>
> I've just committed the last changes to this script
> and I think it's ready.
>
> As the name suggests, it performs a slowloris DoS attack against an
> HTTP server.
>
> As the script requires quite a few active connections, in order
> for it to work you need to raise NSE's max parallelism setting
> by specifying a high --max-parallelism value.
> In my tests the appropriate value was 400 to 500, but the more
> the merrier.

Nice work, Aleksandar.

I found some surprising behavior when I kill the web server in the
middle of the test.

thttpd -p 8080 -D -l /dev/stdout
./nmap --script=http-slowloris --max-parallelism 400 localhost -p 8080 -d

When I ctrl-C the server, I see a ton of these messages (with the "still
remain" counter decrementing):

NSE: MONITOR:  (monitor on 127.0.0.1): Monitoring has shut down due to lack of response from the webserver.
NSE: http-slowloris against 127.0.0.1:8080 threw an error!
NSE: HALF_HTTP: : lost connection, 399 still remain
NSE: http-slowloris against 127.0.0.1:8080 threw an error!
NSE: HALF_HTTP: : lost connection, 398 still remain
NSE: http-slowloris against 127.0.0.1:8080 threw an error!
NSE: HALF_HTTP: : lost connection, 397 still remain
NSE: http-slowloris against 127.0.0.1:8080 threw an error!

This goes on and on until finally:

NSE: HALF_HTTP: : lost connection, -623 still remain
NSE: http-slowloris against 127.0.0.1:8080 threw an error!
NSE: HALF_HTTP: : lost connection, -624 still remain
NSE: http-slowloris against 127.0.0.1:8080 threw an error!
NSE: HALF_HTTP: : lost connection, -625 still remain
NSE: http-slowloris against 127.0.0.1:8080 threw an error!
NSE: HALF_HTTP: : lost connection, -626 still remain
NSE: http-slowloris against 127.0.0.1:8080 threw an error!
NSE Timing: About 99.90% done; ETC: 07:47 (0:00:00 remaining)
NSE Timing: About 99.90% done; ETC: 07:47 (0:00:00 remaining)
NSE Timing: About 99.90% done; ETC: 07:48 (0:00:00 remaining)

And then it appears to hang forever.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

