I have the network dump (file in PCAP format captured with tcpdump) from a "conversation" between the attacked server (Apache web server: 192.168.1.2) and the malicious clients:
The attack was a laboratory simulation of denial of service with slowloris.
I know the attack was effective because in the logs of Apache (error.log) the code is 403 (timeout).
I want to show that this (denial of service) was caused by slowloris.
I thought about using the script in the PCAP file:
attack_measure.py
whose output will be:
print("0 envio e recepção balanceados.")
print("+1 todos os pacotes estão sendo enviados ao servidor.")
print("-1 todos os pacotes estão sendo enviados pelo servidor.")
print("Um número positivo muito grande indica que o servidor parou de responder.")
Do you find this a good approach?
What should I check in PCAP to ensure that the denial of service was due to the slowloris full apache buffer (or TCP WINDOW)?
I read articles where they said that the slowloris attack was just for Apache (error 408: timeout) but I ran it against IIS 8 and ran (error 404). Slowloris exploits the handshake on TCP using small window size, right? That is, it exploits PROTOCOL and not just application. Do you agree?
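As an added example (not the attack_measure.py script from the question, whose source is not shown), here is one way to pull the kind of evidence the question asks about out of a libpcap file with only the standard library. It computes a send/receive balance in the same spirit as the script's output (client-to-server packets minus server-to-client packets, normalised to the range -1..+1; that exact formula is my assumption), and it adds the per-connection indicator that distinguishes slowloris from ordinary overload: connections that never finished an HTTP request header (no blank `\r\n\r\n` line) and never received a byte of response, together with how long the longest such connection stayed open. The server address 192.168.1.2 comes from the question; port 80 is assumed. The traffic at the bottom is constructed in memory (one normal client, three slow clients that trickle one header line every 10 seconds) so the script runs offline; point `iter_pcap` at the bytes of a real capture instead.

```python
import struct
from collections import defaultdict

SERVER_IP = "192.168.1.2"   # attacked Apache host named in the question
SERVER_PORT = 80            # assumption: HTTP on the default port


def _ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def _frame(src_ip, dst_ip, sport, dport, payload=b""):
    """Minimal Ethernet/IPv4/TCP frame for constructed test data (no checksums)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     _ip_bytes(src_ip), _ip_bytes(dst_ip))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


def build_pcap(records):
    """Serialise (timestamp, frame) pairs as a little-endian libpcap file, linktype 1."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in records:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def iter_pcap(data):
    """Yield (timestamp, frame) from libpcap bytes, honouring the magic's byte order."""
    order = "<" if struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4 else ">"
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, _ = struct.unpack(order + "IIII", data[off:off + 16])
        off += 16
        yield sec + usec / 1_000_000, data[off:off + incl]
        off += incl


def parse_tcp(frame):
    """Return (src, dst, sport, dport, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    if ip[9] != 6:                      # protocol field: 6 = TCP
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    return src, dst, sport, dport, tcp[data_off:]


def analyse(pcap_bytes, server_ip=SERVER_IP, server_port=SERVER_PORT):
    """Direction balance plus slowloris-style starved-connection evidence."""
    to_server = from_server = 0
    conns = defaultdict(lambda: {"first": None, "last": None, "req": b"", "resp_bytes": 0})
    for ts, frame in iter_pcap(pcap_bytes):
        pkt = parse_tcp(frame)
        if pkt is None:
            continue
        src, dst, sport, dport, payload = pkt
        if dst == server_ip and dport == server_port:
            to_server += 1
            conn = conns[(src, sport)]
            conn["req"] += payload          # accumulate what the client sent so far
        elif src == server_ip and sport == server_port:
            from_server += 1
            conn = conns[(dst, dport)]
            conn["resp_bytes"] += len(payload)   # bare ACKs add nothing
        else:
            continue
        conn["first"] = ts if conn["first"] is None else conn["first"]
        conn["last"] = ts
    total = to_server + from_server
    # +1: every packet went to the server, -1: every packet came from it (assumed formula)
    balance = (to_server - from_server) / total if total else 0.0
    # a request header that never ended with a blank line and never got a response byte
    starved = [c for c in conns.values() if b"\r\n\r\n" not in c["req"] and c["resp_bytes"] == 0]
    return {
        "packets_to_server": to_server,
        "packets_from_server": from_server,
        "balance": balance,
        "connections": len(conns),
        "incomplete_unanswered": len(starved),
        "longest_incomplete_s": max((c["last"] - c["first"] for c in starved), default=0.0),
    }


def _sample_records():
    """Constructed traffic: one healthy request, then three slow clients."""
    recs = [(0.0, _frame("10.0.0.5", SERVER_IP, 40000, 80, b"GET / HTTP/1.1\r\nHost: 192.168.1.2\r\n\r\n")),
            (0.5, _frame(SERVER_IP, "10.0.0.5", 80, 40000, b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"))]
    for i in range(3):
        client, port = f"10.0.0.{10 + i}", 50001 + i
        recs.append((1.0, _frame(client, SERVER_IP, port, 80, b"GET / HTTP/1.1\r\nHost: 192.168.1.2\r\n")))
        recs.append((1.0, _frame(SERVER_IP, client, 80, port)))       # bare ACK from the server
        for t in range(11, 60, 10):                                    # one header line every 10 s
            recs.append((float(t), _frame(client, SERVER_IP, port, 80, b"X-a: b\r\n")))
    return sorted(recs, key=lambda r: r[0])


SAMPLE_PCAP = build_pcap(_sample_records())

if __name__ == "__main__":
    print(analyse(SAMPLE_PCAP))
```

On the constructed capture the balance comes out strongly positive (19 packets in, 4 out) and three of four connections are incomplete and unanswered for 50 seconds, which is the pattern to look for in the real dump: a rising count of half-finished request headers that the server keeps open without ever answering, rather than a burst of complete requests it cannot keep up with. Reading a real file is `analyse(open("dump.pcap", "rb").read())`; pcapng captures would need conversion first, since only the classic libpcap format is parsed here.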