Demonstrating a slowloris attack on apache server using Python

15

I have the network dump (file in PCAP format captured with tcpdump) from a "conversation" between the attacked server (Apache web server: 192.168.1.2) and the malicious clients:

The attack was a laboratory simulation of denial of service with slowloris.

I know the attack was effective because in the Apache logs (error.log) the code is 403 (timeout).

I want to show that this (denial of service) was caused by slowloris.

I thought about using the script in the PCAP file:

attack_measure.py

whose output will be:

print("0 envio e recepção balanceados.")
print("+1 todos os pacotes estão sendo enviados ao servidor.")
print("-1  todos os pacotes estão sendo enviados pelo servidor.")
print("Um número positivo muito grande indica que o servidor parou de responder.")

Do you think this is a good approach?

What should I check in PCAP to ensure that the denial of service was due to the slowloris full apache buffer (or TCP WINDOW)?

I read articles where they said that the slowloris attack was just for Apache (error 408: timeout), but I ran it against IIS 8 and it returned error 404. Slowloris exploits the handshake on TCP using a small window size, right? That is, it exploits the PROTOCOL and not just the application. Do you agree?

asked by anonymous 08.05.2017 / 13:55
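One way to compute the send/receive balance the question describes, as an added example: this is not the asker's attack_measure.py (whose internals are not shown), and it assumes the PCAP has already been reduced to per-packet records of timestamp, source, destination and payload length, as a reader such as scapy or dpkt would give. The packets below are constructed by hand to mimic one normal exchange followed by clients that trickle header fragments to a server that has stopped answering.

```python
"""Direction balance of a capture of the attacked host.

Added example, not the asker's script.  Assumes the PCAP was already
reduced to (timestamp, src, dst, payload_bytes) records; every record
below is constructed."""
from collections import defaultdict, namedtuple

Packet = namedtuple("Packet", "ts src dst payload")

SERVER = "192.168.1.2"  # the attacked Apache host named in the question


def balance(packets, server):
    """Return (score, ratio) over data-carrying segments.

    score is in [-1, +1]: 0 balanced, +1 everything flows to the server,
    -1 everything flows from it.  ratio = to_server / from_server grows
    without bound as the server stops answering (the 'very large positive
    number' case); it is float('inf') when the server sent no data at all.
    Empty-payload segments (pure ACKs) are ignored because a stalled
    Apache still ACKs the trickling header fragments."""
    to_srv = sum(1 for p in packets if p.dst == server and p.payload > 0)
    from_srv = sum(1 for p in packets if p.src == server and p.payload > 0)
    total = to_srv + from_srv
    score = (to_srv - from_srv) / total if total else 0.0
    ratio = to_srv / from_srv if from_srv else float("inf")
    return score, ratio


def balance_over_time(packets, server, window=30.0):
    """Score per time window, so the drift toward +1 becomes visible."""
    buckets = defaultdict(list)
    for p in packets:
        buckets[(p.ts // window) * window].append(p)
    return [(start, balance(buckets[start], server)[0]) for start in sorted(buckets)]


# Constructed sample.  0-1 s: a normal client makes two requests and gets
# two responses.  From 31 s on: three clients send an 8-byte header line
# every 15 s; the server only ACKs and never sends data.
SAMPLE = [
    Packet(0.00, "192.168.1.10", SERVER, 120),   # GET /
    Packet(0.02, SERVER, "192.168.1.10", 1400),  # 200 OK
    Packet(0.05, "192.168.1.10", SERVER, 0),     # client ACK (ignored)
    Packet(0.30, "192.168.1.10", SERVER, 110),   # GET /style.css
    Packet(0.33, SERVER, "192.168.1.10", 800),   # 200 OK
]
for client in ("192.168.1.20", "192.168.1.21", "192.168.1.22"):
    for ts in (31.0, 46.0, 61.0, 76.0):
        SAMPLE.append(Packet(ts, client, SERVER, 8))          # "X-a: 1\r\n"
        SAMPLE.append(Packet(ts + 0.01, SERVER, client, 0))   # server ACK only

if __name__ == "__main__":
    print("overall (score, ratio):", balance(SAMPLE, SERVER))
    for start, score in balance_over_time(SAMPLE, SERVER):
        print(f"window starting {start:>5.1f}s: score {score:+.2f}")
```

Per window the score goes from 0 (balanced request/response) to +1 (only client data, no server data), which is the pattern to look for; the overall ratio of 7.0 is the "large positive number" the script's last message refers to. This metric says nothing about TCP window sizes, so it cannot by itself answer the protocol-versus-application question; for that, the per-packet window field would have to be examined separately.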

1 answer

12

The approach is correct, so is the script.

But I would start from something a bit more robust like:

Slowloris.py

link

Basically an HTTP denial of service attack that affects threaded servers. It works like this:

  • Starts making many HTTP requests.
  • Sends headers periodically, every 15 seconds, to keep the connections open.
  • Never closes the connection unless the server does. If the server closes a connection, Slowloris creates one again.
  • In theory this exhausts the server's thread pool and the server cannot respond to other people.
Or PyLoris, the most famous in the Python community: link

The difference from the above is that PyLoris can use SOCKS proxies and SSL connections and can target protocols such as HTTP, FTP, SMTP, IMAP and Telnet.

In addition to a beautiful UI made in Tkinter.

As for denial of service through the Slowloris technique, although very interesting technically, it is not very effective.

Since most servers cope well with incomplete requests, as in the IIS case.

EDIT: Incomplete would be the wrong term, since many slowloris tools make complete and valid requests; they just try to keep that connection open.

Then IIS would be invulnerable?

As far as I know, IIS is not invulnerable, but it is very difficult to attack. The attacker's bandwidth and attacker resources will have to be the same as the attacker's. Just the opposite of what Slowloris intends. Note that in attacks against IIS the system needs to recreate packets, since it has a timeout. nginx and Squid also count as difficult to attack with this technique.

Update: After a few years, I tested the tool again against my internal IIS 10 server (Windows 2016 Standard) and after 6000 requests it was quiet, no problem. NOTE: Without having done any extra configuration on it, it was installed as default, since it is the internal server here.

Against whom is it effective?

It is very effective against old Apache versions 1.x and 2.x and some other types of servers that are already deprecated or obsolete.

19.05.2017 / 20:54
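The behaviour the answer lists (many connections per client, a header line every ~15 seconds, the request never finished) is also what a defender can look for per connection in the capture. The following is an added example, not Slowloris.py or PyLoris code; it assumes the client-to-server TCP payloads have already been extracted from the PCAP into (timestamp, client IP, client port, bytes) records, and every record below is constructed. The `classify_stream`, `reassemble` and `find_slow_clients` names are this example's own.

```python
"""Per-connection check for the slowloris pattern described in the answer.

Added example, not the tools' own code.  Assumes payloads were already
extracted per client connection; all records below are constructed."""
from collections import defaultdict, namedtuple
from statistics import median

Segment = namedtuple("Segment", "ts client port data")


def reassemble(segments):
    """Group request payload segments per (client, port), in time order."""
    streams = defaultdict(list)
    for seg in segments:
        streams[(seg.client, seg.port)].append((seg.ts, seg.data))
    for key in streams:
        streams[key].sort(key=lambda e: e[0])
    return streams


def classify_stream(events, now, header_timeout=40.0, min_gap=10.0):
    """Label one connection's request stream.

    'complete'        : the header block ended with an empty line
    'stalled-headers' : no end of headers after header_timeout seconds,
                        with fragments arriving min_gap seconds apart or slower
    'in-progress'     : incomplete, but too young or too fast to judge
    """
    data = b"".join(chunk for _, chunk in events)
    if b"\r\n\r\n" in data:
        return "complete"
    age = now - events[0][0]
    gaps = [b - a for (a, _), (b, _) in zip(events, events[1:])]
    slow = len(gaps) >= 2 and median(gaps) >= min_gap
    if age >= header_timeout and slow:
        return "stalled-headers"
    return "in-progress"


def find_slow_clients(segments, now, min_connections=3):
    """Clients holding at least min_connections stalled-header connections."""
    stalled = defaultdict(int)
    for (client, _port), events in reassemble(segments).items():
        if classify_stream(events, now) == "stalled-headers":
            stalled[client] += 1
    return {c: n for c, n in stalled.items() if n >= min_connections}


SERVER_HOST = b"192.168.1.2"  # the attacked host from the question


def _slow_connection(client, port):
    """Constructed trace of one connection that trickles a header line every 15 s."""
    return [
        Segment(0.0, client, port, b"GET / HTTP/1.1\r\nHost: " + SERVER_HOST + b"\r\n"),
        Segment(15.0, client, port, b"X-a: 1\r\n"),
        Segment(30.0, client, port, b"X-a: 2\r\n"),
        Segment(45.0, client, port, b"X-a: 3\r\n"),
    ]


# Constructed sample: one normal client with a complete request, one
# client holding four stalled connections, one client with a single
# stalled connection (below the reporting threshold).
SAMPLE = (
    [Segment(0.0, "192.168.1.10", 50001,
             b"GET / HTTP/1.1\r\nHost: " + SERVER_HOST + b"\r\n\r\n")]
    + [s for p in range(40001, 40005) for s in _slow_connection("192.168.1.20", p)]
    + _slow_connection("192.168.1.30", 40100)
)

if __name__ == "__main__":
    print(find_slow_clients(SAMPLE, now=60.0))  # {'192.168.1.20': 4}
```

The thresholds mirror what a request-read timeout on the server side enforces: Apache's mod_reqtimeout (`RequestReadTimeout header=20-40,MinRate=500`) closes exactly the connections this check labels stalled, which is why a capture from a server with that module enabled should show the connections being reset rather than accumulating.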