Demonstrating a slowloris attack on apache server using Python


I have the network dump (file in PCAP format captured with tcpdump) of a "chat" between the attacked server (Apache web server: 192.168.1.2) and the malicious clients: PCAP

The attack was a simulation in a denial-of-service lab with slowloris.

I already know that the attack was effective because the apache logs (error.log) contain the code 403 (timeout).

I wish to show that this (denial of service) was caused by slowloris.

I thought of using the script in the PCAP file:

attack_measure.py

whose output will be:

print("0 envio e recepção balanceados.")
print("+1 todos os pacotes estão sendo enviados ao servidor.")
print("-1  todos os pacotes estão sendo enviados pelo servidor.")
print("Um número positivo muito grande indica que o servidor parou de responder.")

Do you think it's a good approach?

What should I check in the PCAP to ensure that the denial of service was due to slowloris apache full buffer (or TCP WINDOW)?

I read articles where they said the slowloris attack was only for Apache (error 408: timeout), but I ran it against IIS 8 and it worked (error 404). Slowloris exploits the TCP handshake using a small window size, right? That is, it exploits the PROTOCOL and not just the application. Agree?

  • Looking at the window is always an excellent idea; in slowloris attacks you will notice windows with the same size every time. Another feature you will notice will be a hole in the log of a few milliseconds followed by a large number of simultaneous connections. This usually follows a pattern, can be observed in a sniffer, and can be classified as a slowloris-type attack ...

  • @ederwander: I read articles where it said that slowloris was only for Apache, but I ran it against IIS and it worked. Slowloris exploits the TCP handshake using a small window size, right? That is, it exploits the PROTOCOL and not just the application. Agree?

  • Under IIS it works, yes, but it is much less effective; usually the attacking machine would have to create many thousands of requests, while with Apache 1 or 2 it would be easier to execute a successful attack.

1 answer


The approach is correct, and so is the script.

But I would start from something a little more robust, like:

Slowloris.py

https://github.com/gkbrk/slowloris

Basically an HTTP denial-of-service attack that affects threaded servers. It works like this:

  1. Starts by making many HTTP requests.
  2. Sends headers periodically, every 15 s, to keep the connections open.
  3. Never closes the connection unless the server does. If the server closes a connection, Slowloris creates a new one.
  4. In theory this depletes the server's thread pool and the server cannot respond to other people.

Or Pyloris, the most famous in the Python community: https://sourceforge.net/projects/pyloris/files/pyloris/

The difference from the above is that Pyloris can use SOCKS proxies and SSL connections, and can target protocols such as HTTP, FTP, SMTP, IMAP and Telnet.

In addition to a beautiful UI made in Tkinter.

Because denial of service through the Slowloris technique, although technically very interesting, is not very effective.

Since most servers handle incomplete requests well, as in the IIS case.

EDIT: Incomplete would be the wrong term, as many slowloris tools make complete and valid requests and just try to keep that connection open.

So would IIS be invulnerable?

As far as I know IIS is not invulnerable, but an attack like this is very difficult: the bandwidth and resources of the attacker would have to equal those of the attacked, just the opposite of what Slowloris wants. Note that in attacks against IIS the system needs to keep recreating packets, since the same one times out. Nginx and Squid also count as difficult to attack with this technique.

Update: After a few years, I tested the tool again against my internal IIS 10 server (Windows 2016 Standard) and after 6000 requests it was quiet, without any problem. NOTE: without having made any extra configuration on it; it was installed as default, since it is the company's internal server here.

Against whom is it effective?

It is very effective against old Apache versions 1.x and 2.x, and some other types of servers that are already in disuse or obsolete.

Note that all of today's DDoS techniques no longer use this technique, which although sophisticated is no longer effective; today's DDoS attacks are brute force.

Keeping the log of the attack

You can store the output from slowloris.py to check every time it gives 403, thus confirming the successful attack, be it by storing the log or with logging.debug.
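As an added example (not the question's attack_measure.py and not code from the Slowloris or Pyloris projects) of what to check in the PCAP, from the defender's side: the script below works on TCP segments already decoded from the capture, assumed here as (timestamp, src_ip, src_port, dst_ip, dst_port, payload) tuples, and flags clients that hold many long-lived connections whose request headers never end with the blank line and that never receive a reply, which is the behaviour steps 1 to 3 above describe; it also computes the same send/receive balance the question's script reports. The sample packets are constructed, with the server address taken from the question.

```python
from collections import defaultdict

SERVER = ("192.168.1.2", 80)   # the attacked Apache server from the question

def build_sample():
    """Constructed packets (not from the question's PCAP), already decoded:
    (timestamp_s, src_ip, src_port, dst_ip, dst_port, tcp_payload)."""
    pkts = [(0.0, "10.0.0.5", 40001, *SERVER, b"GET / HTTP/1.1\r\nHost: lab\r\n\r\n"),
            (0.1, *SERVER, "10.0.0.5", 40001, b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok")]
    for port in range(50000, 50020):      # one client holding 20 connections open
        pkts.append((1.0, "10.0.0.9", port, *SERVER, b"GET / HTTP/1.1\r\nHost: lab\r\n"))
        for i in range(1, 6):             # a header fragment every 15 s, never the blank line
            pkts.append((1.0 + 15 * i, "10.0.0.9", port, *SERVER, b"X-a: %d\r\n" % i))
    return sorted(pkts, key=lambda p: p[0])

def connection_stats(pkts, server=SERVER):
    """Per client connection: lifetime, bytes each way and whether the request
    headers were ever terminated by the blank line HTTP requires."""
    conns = {}
    for ts, src, sport, dst, dport, payload in pkts:
        to_srv = (dst, dport) == server
        if not to_srv and (src, sport) != server:
            continue                       # traffic not involving the server
        key = (src, sport) if to_srv else (dst, dport)
        c = conns.setdefault(key, {"first": ts, "last": ts, "to": 0, "from": 0, "req": b""})
        c["last"] = ts
        if to_srv:
            c["to"] += len(payload)
            c["req"] += payload if b"\r\n\r\n" not in c["req"] else b""   # stop once headers end
        else:
            c["from"] += len(payload)
    for c in conns.values():
        c["done"] = b"\r\n\r\n" in c["req"]
    return conns

def direction_balance(pkts, server=SERVER):
    """The attack_measure.py idea: +1 means every packet goes to the server,
    -1 every packet comes from it, 0 balanced."""
    to = sum(1 for p in pkts if (p[3], p[4]) == server)
    frm = sum(1 for p in pkts if (p[1], p[2]) == server)
    return (to - frm) / (to + frm) if to + frm else 0.0

def suspicious_clients(conns, min_age=30.0, min_conns=5):
    """Client IPs holding >= min_conns connections that lived >= min_age seconds
    without ever finishing the request headers or receiving a reply."""
    by_ip = defaultdict(int)
    for (ip, _), c in conns.items():
        if not c["done"] and c["from"] == 0 and c["last"] - c["first"] >= min_age:
            by_ip[ip] += 1
    return {ip: n for ip, n in by_ip.items() if n >= min_conns}
```

On a real capture, feed the tuples from your PCAP decoder of choice; a balance close to +1 together with one IP owning most of the never-completed connections is the slowloris signature, as opposed to a server that is merely slow.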

  • I know it runs a little outside the scope of the question, but how would this brute force attack work? How is it different from the one you explained?

  • Brute force is making more requests than the server can handle, with multiple devices. And they are real requests, like the IRS: it goes down at income-tax time, with a lot of people accessing it. And you can't deny these requests because they're real and from different machines. The biggest attack I saw was last year with 1 billion devices (60% being IP cameras that were hacked and left as zombies), in addition to thousands of PCs; they all synchronized that on such a day at such an hour they would access a site.

  • Oh yes, I understood, thanks for the explanations :D
