Demonstrating a slowloris attack on apache server using Python
I have the network dump (file in PCAP format captured with tcpdump) of a "conversation" between the attacked server (Apache web server: 192.168.1.2) and the malicious clients:
The attack was a laboratory simulation of denial of service with slowloris.
I already know that the attack was effective because in the apache logs (error.log) contains the code 403 (timeout ).
I wish to show that this (denial of Service) it was caused by slowloris .
I thought of using the script in the PCAP file:
Whose output will be:
print("0 envio e recepção balanceados.")
print("+1 todos os pacotes estão sendo enviados ao servidor.")
print("-1 todos os pacotes estão sendo enviados pelo servidor.")
print("Um número positivo muito grande indica que o servidor parou de responder.")
Do you find a good approach?
What should I check in PCAP to ensure that the denial of service was stemming from the slowloris full apache buffer (or TCP WINDOW)?
I read articles where they said the attack slowloris was only for Apache (error 408:timeout) but I ran against IIS 8 and it worked (Error 404). Slowloris exploits the handshake in TCP using small window size, right? That is, it explores protocol and not just application. Do you agree?
1 answers
The approach is correct, so is the script.
But I would start from something a little more robust like:
Slowloris.py
Https://github.com/gkbrk/slowloris
Basically an HTTP denial of service attack that affects thread servers. It works like this:
- starts by making many HTTP requests.
- sends headers periodically every 15s to keep connections open.
- never closes the connection unless the server does. If the server closes a connection, Slowloris creates one again.
- in theory this exhausts the server thread pool and the server cannot respond to other people.
Or pyloris the most famous in the Python community https://sourceforge.net/projects/pyloris/files/pyloris /
The difference from the above is that PyLoris can utilize SOCKS proxies and SSL connections and can segment protocols such as HTTP, FTP, SMTP, IMAP and Telnet.
Plus a beautiful UI made in Tkinter.
Because the denial of service through the Slowloris technique, despite being very interesting technically it is not effective.
Since most servers can handle incomplete requests well with the case of IIS.
EDIT : incomplete would be the wrong term, as many slowloris tool make complete and valid requests, just try to maintain this connection open.
So IIS would be invulnerable?
As far as I know IIS is not invulnerable, but it is very difficult such an attack. the attacker's band and attacker's resources will have to be equal to the attacker's. Just the opposite of what Slowloris intends. See that in attacks against IIS the system needs to be recreating packets, since the same of a timeout. nginx and Squid also come in as difficult to attack with this technique.
Update : after a few years, I tested the tool again against my internal server of IIS 10 (Windows 2016 Standard) and after 6000 requests the same was quiet, without any problems. Note: without having made any extra configuration on it, it was installed as default, since it is the Internal Server here of the company.
Against whom is it effective?
It is very effective in Apache older versions 1.x and 2.twentieth And some other types of servers that are already in disuse or obsolete.
See that all DDoS techniques today no longer use this technique, which although sophisticated is no longer effective, today DDoS are in brute force.
Saving attack log
You can store the output of slowloris.py to check every time it gives 403, thus confirming the successful attack. either through log or Logging.debug storage.