ClsHack Blog


slowhttptest: Application Layer DoS attack simulator

January 15th, 2012 by clshack


Ho già parlato di tools adatti ad effettuare attacchi dos :)
Ma oggi vediamo,slowhttptest.
Dal sito ufficiale:

SlowHTTPTest is a highly configurable tool that simulates some Application Layer Denial of Service attacks.

It implements most common low-bandwidth Application Layer DoS attacks, such as slowlorisSlow HTTP POSTSlow Read attack (based on TCP persist timer exploit) by draining concurrent connections pool, as well as Apache Range Header attack by causing very significant memory and CPU usage on the server.

Slowloris and Slow HTTP POST DoS attacks rely on the fact that the HTTP protocol, by design, requires requests to be completely received by the server before they are processed. If an HTTP request is not complete, or if the transfer rate is very low, the server keeps its resources busy waiting for the rest of the data. If the server keeps too many resources busy, this creates a denial of service. This tool is sending partial HTTP requests, trying to get denial of service from target HTTP server.


Vediamo come installarlo su una distribuzione linux debian like come backbox.
Digitiamo:
sudo apt-get install subversion
Scarichiamo slowhttptest:
svn checkout http://slowhttptest.googlecode.com/svn/trunk/ slowhttptest

cd slowhttptest
Installiamo le dipendenze:
sudo apt-get install libssl-dev
Creiamo il makefile:
./configure
Compiliamo:
make
Installiamo:
sudo make install

Ora per avere un help digitiamo:
slowhttptest -h

Un esempio di utilizzo:

Dove:
slowhttptest -c 1000 -X -g -o slow_read_stats -r 200 -w 512 -y 1024 -n 5 -z 32 -k 3 -u https://myseceureserver/resources/index.html -p 3

-X starts Slow Read test with 1000 connections, creating 200 connections per second. Initial SYN packet for every connection would have random advertised window size value between 512 and 1024, and application would read 32 bytes every 5 seconds from each socket’s receive buffer. To multiply overall response size, we use pipeline factor 3 to request the same resource 3 times per socket. Probe connection would consider server DoSed, if no response was received after 3 seconds.

Sito ufficiale:
http://code.google.com/p/slowhttptest/

  • simo

    Praticamente serve per dossare e collassare la connessione della vittima?
    Tipicamente il vecchio dossing irc per fare un takeover dei canali
    o sbaglio?

  • http://shadiwyviper.altervista.org sv

    Ottimo… ma il tipo di dati che scambia e la modalità sono come quelli di slowloris? o meglio, quali server sono vulnerabili?
    grazie

  • clshack_

    @simo && @sv
    si server per buttare giù e rendere in-navigabile un sito web :)

    Come pyloris e derivati ha pregi e difetti,

    questo però sfrutta molte più vulenrabilità dos:
    MS09-048, CVE-2008-4609, CVE-2009-1925, CVE-2009-1926 .

    Comunque qui trovate alcuni test:
    http://code.google.com/p/slowhttptest/