Disclaimer: This post is for research and educational purposes only. I do not take any responsibility for the actions taken by readers of this article. Never attempt to hack a device for which you do not have the required permissions to do so.
What is a Denial of Service Attack?
A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. The aim is to send more traffic than the server or network can accommodate, so that the website or service becomes inoperable.
What is a Slowloris attack?
Slowloris is an application layer attack which operates by using partial HTTP requests. The attack functions by opening connections to a targeted web server and then keeping those connections open for as long as it can. Slowloris is a specific attack tool designed to allow a single machine to take down a server without using a lot of bandwidth. Unlike bandwidth-consuming reflection-based DDoS attacks such as NTP amplification, this type of attack uses a low amount of bandwidth and instead aims to use up server resources with requests that are slower than normal but otherwise mimic regular traffic. Because it sends partial requests rather than malformed ones, traditional intrusion detection systems are not particularly effective at detecting this type of attack. These attacks can go on for an extended period of time if they remain undetected. Even when the attacked sockets time out, Slowloris will attempt to reinitiate the connection until it achieves its goal of completely overwhelming the server.
Proof Of Concept (with the help of Mr Carlos Delgado)
1. Install slowhttptest
The slowhttptest tool is available from the package repositories of Debian-based distributions, so you can easily install it from the command line with the following commands:
# update repos first
sudo apt-get update
# Install the tool
sudo apt-get install slowhttptest
2. Running test
Slowloris and Slow HTTP POST DoS attacks rely on the fact that the HTTP protocol, by design, requires requests to be completely received by the server before they are processed. If an HTTP request is not complete, or if the transfer rate is very low, the server keeps its resources busy waiting for the rest of the data. If the server keeps too many resources busy, this creates a denial of service. The tool sends partial HTTP requests in an attempt to cause a denial of service on the target HTTP server.
The Slow Read DoS attack targets the same resources as Slowloris and Slow POST, but instead of prolonging the request, it sends a legitimate HTTP request and reads the response slowly. The command used to test whether the server is protected is the following:
Note that this will make the server hang if there is no protection against this attack implemented on the target server.
slowhttptest -c 500 -H -g -o ./output_file -i 10 -r 200 -t GET -u http://yourwebsite-or-server-ip.com -x 24 -p 2
The options used in the command are:
-c: Specifies the target number of connections to establish during the test (500 in this example; normally 200 should be enough to hang a server that doesn't have protection against this attack).
-H: Starts slowhttptest in SlowLoris mode, sending unfinished HTTP requests.
-g: Forces slowhttptest to generate CSV and HTML files when test finishes with timestamp in filename.
-o: Specifies a custom file name, effective with -g.
-i: Specifies the interval between follow-up data for Slowloris and Slow POST tests (in seconds).
-r: Specifies the connection rate (per second).
-t: Specifies the verb to use in HTTP request (POST, GET etc).
-u: Specifies the URL or IP of the server that you want to attack.
-x: Starts slowhttptest in Slow Read mode, reading HTTP responses slowly.
-p: Specifies the interval to wait for an HTTP response on the probe connection before marking the server as DoSed (in seconds).
Now if we run the command against the target server, we get output similar to the following in the terminal:
As you can see, our target is our own website; however, even with 500 connections, our server doesn't hang at all because we have protection against this kind of attack. The "service available" field will always say YES while the target is reachable. You can check from another computer/network whether the website is indeed still up. The HTML output generated by our options will be the following:
But what if we disable the protection against Slow HTTP attacks on our server? Well, the output should be different and the website on the target server won't be reachable:
Don't always trust the "service available" message; just try accessing the real website from a browser and you will see whether it works or not. The generated output this time is different because the website is unreachable:
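The "protection" referred to above comes down to the server refusing to wait indefinitely for the rest of a partial request. The following is an added example, not code from the original post or from slowhttptest: a minimal request reader that enforces a total deadline and a size cap on the header block, exercised over a local socketpair against a well-behaved client and a client that mimics the -H (Slowloris) behaviour of trickling headers without ever finishing the request. The deadline, byte cap, client names and sample request bytes are constructed for this demonstration. Production servers implement the same idea in configuration rather than code, for example Apache's mod_reqtimeout or nginx's client_header_timeout directive.

```python
import socket
import threading
import time

# Hypothetical policy values chosen for this demonstration (not from the post).
HEADER_DEADLINE_S = 1.0    # total seconds allowed to deliver the complete header block
MAX_HEADER_BYTES = 8192    # cap on header size so a client cannot trickle data forever


class SlowHeaderError(Exception):
    """The client did not deliver a complete header block within the limits."""


def read_request_headers(conn, deadline_s=HEADER_DEADLINE_S, max_bytes=MAX_HEADER_BYTES):
    """Read bytes until the end-of-headers marker (CRLF CRLF) arrives.

    A naive server waits as long as it takes for each additional byte; this
    version enforces one total deadline for the whole header block plus a size
    cap, which are the two limits a Slowloris-style partial request runs into.
    """
    deadline = time.monotonic() + deadline_s
    buf = b""
    while b"\r\n\r\n" not in buf:
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            raise SlowHeaderError("header deadline exceeded after %d bytes" % len(buf))
        conn.settimeout(remaining)          # never wait past the overall deadline
        try:
            chunk = conn.recv(1024)
        except socket.timeout:
            raise SlowHeaderError("header deadline exceeded after %d bytes" % len(buf))
        if not chunk:
            raise SlowHeaderError("client closed before headers completed")
        buf += chunk
        if len(buf) > max_bytes:
            raise SlowHeaderError("header block exceeds %d bytes" % max_bytes)
    head, _, _ = buf.partition(b"\r\n\r\n")
    return head.decode("latin-1")


def serve_one(conn, deadline_s=HEADER_DEADLINE_S):
    """Handle one connection; return ("ok", headers) or ("dropped", reason)."""
    try:
        headers = read_request_headers(conn, deadline_s)
    except SlowHeaderError as exc:
        conn.close()          # free the connection slot instead of holding it for the slow client
        return ("dropped", str(exc))
    try:
        conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\nConnection: close\r\n\r\nok")
    except OSError:
        pass                  # client went away before the reply; nothing to hold on to
    conn.close()
    return ("ok", headers)


def simulate(client_behaviour, deadline_s=HEADER_DEADLINE_S):
    """Run serve_one against a client thread over a local socketpair (constructed input)."""
    server_side, client_side = socket.socketpair()
    t = threading.Thread(target=client_behaviour, args=(client_side,))
    t.start()
    result = serve_one(server_side, deadline_s)
    t.join()
    return result


def well_behaved_client(sock):
    """Sends a complete request at once and reads the reply."""
    sock.sendall(b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")
    sock.recv(4096)
    sock.close()


def partial_request_client(sock):
    """Mimics the -H (Slowloris) mode: a valid start line, then one extra header
    every 0.4 s, never sending the blank line that would complete the request."""
    sock.sendall(b"GET / HTTP/1.1\r\nHost: example.test\r\n")
    for i in range(8):
        time.sleep(0.4)
        try:
            sock.sendall(b"X-a: %d\r\n" % i)
        except OSError:       # the server dropped us: the mitigation worked
            break
    sock.close()


if __name__ == "__main__":
    print(simulate(well_behaved_client))
    print(simulate(partial_request_client))
```

The important design choice is that the deadline applies to the whole header block, not to each recv() call: a per-read timeout alone is exactly what a trickling client defeats, because it always sends the next header just before that timer expires.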