On the 7th day … God began debugging.Anonymous
Since our last tutorial was on lbd ( load balancing detector), i thought it would be appropriate if i followed up with a tutorial on slowloris.pl. We will perform a basic run through of its various functions, tuning capabilities and finally try and bring down a small vulnerable server with a layer 7 DoS attack. I strongly advise you to understand the workings in your head before you proceed. Otherwise the success of your attack will be left to luck & hope.
You may download the PDF version of this tutorial here.Download as PDF
What is Slowloris? :
It is an extremely cute and endangered species that is also poisonous.
( Your attack wont work unless you memorize the whole wiki article, you have been warned).
Download Slowloris here
Slowloris is a piece of software written by Robert “RSnake” Hansen which allows a single machine to take down another machine’s web server with minimal bandwidth and side effects on unrelated services and ports.
Slowloris : Slowloris will attempt to initiate a multipart HTTP request with the web server. Though it is a multipart request, slowloris will only sends a single request and stops there after without sending the rest of the packets..
Web Server Reaction : Upon receiving the single request from slowloris, the web server will wait a certain duration for the remaining packets. If the remaining packets are not received, then the web server will free the socket by closing the connection.
Objective of Slowloris : Since web servers have a certain number of sockets available, slowloris will attempt to exploit that by consuming as much or if not all the available resources by the half HTTP request it sends out. This in return will cause a DOS on the web server and the site will go down to general public.
Slowloris Switches :
-test : This switch will help you test the web server time out mode, it is not accurate but it will give you a rough number.
-tcpto : TCP time out switch.
-num : This switch declares the number of sockets.
-port : This switch declares the desired port.
-timeout : This switch declares the desired timeout.
-shost : If you know the server has multiple webservers running on it in virtual hosts, you can send the attack to a seperate virtual host using the -shost variable.
-httpready : HTTPReady was a “solution” that came up to prevent a Slowloris attack, because it won’t allow the HTTP server to launch until a full request is received by the web server. But unfortunately for them this only applies for GET and HEAD requests. So by using the -httpready switch, slowloris will bypass any httpready defense by sending POST request instead of GET or HEAD.
-cache : Some caching servers may look at the request path part of the header so by sending different request each time we can abuse more resources. This is a very useful option BUT according to RSnake this option has not been fully tested. It can still be used but your results may vary.
-https : This switch is used for slowloris to support SSL/TSL on an experimental basis. I wont be going through this as the author has stated that it is unstable and has had negative test results.
Part 1 : Load Balancing detection test on target.
1) Please refer to the lbd ( load balancing detector) tutorial Take your time and read through it thoroughly before proceeding to test your target. The objective is to make sure our target server is not using load balancers to distribute their workload over various systems.
2) And as you can see from the image below, my target is NOT using load balancing. This was sometime ago, they might have fixed it.
Part 2: Web firewall application (WAF) detection :
1) To check if your target is hiding behind a firewall, follow the instructions
Part 3 : Slowloris :
If you dont already have slowloris then follow the instructions below :
1) Firstly load up your kedit text editor.
3) Save the new file to your desktop as slowloris.pl
4) Congratulations, you are now the proud owner of a slowloris.
Slowloris time out test :
In this demonstration we will use the -test switch to test our targets time out windows, it wont give an accurate prediction but one that is close enough. With this knowledge we can then tune slowloris to use specific time out windows in its attack. This is advantageous because the closer you get to the correct number of sockets, the less amount of tries you will need, which also means the less wasted bandwidth.
1) Open a terminal and drag your slowloris.pl onto it and press enter.
2) Now the syntax to test your domain is : slowloris.pl -dns <target> -port 80 -test .
3) And as you can see from the result in the image below, i have got myself a real weak web server.
4) Now with the time out result given to me in the above image, i will attempt the syntax : slowloris.pl -dns <target> -port 80 -timeout 30 -num 300 -httpready . Press enter and allow slowloris to initiate connection to the sockets.
-port 80 : declaring the http port
-timeout : The author suggested that if you receive a time out of 3000 on your test, then in your attack use a time out of 2000 with a -tcpto 5 switch set as the tcp time out switch.
-httpready : Request solaris to send POSTrequest instead of GET & Head request. This is to bypass http ready defense in the event your target has one set up.
-num : declaring the number of sockets. Once again i am going to quote the author here :
Most average Apache servers, for instance, tend to fall down between 400-600 sockets with a default configuration. Some are less than 300. The smaller the timeout the faster you will consume all the available resources as other sockets that are in use become available – this would be solved by threading, but that’s for a future revision. The closer you can get to the exact number of sockets, the better, because that will reduce the amount of tries (and associated bandwidth) that Slowloris will make to be successful.- RSnake
5) And after a short while of waiting, the terminal shown below will be presented to you. As stated there, slowloris has sent 200++ packets successfully, this thread is now sleeping for 30 seconds. This is slowloris sending a partial request and causing the web server to stay busy waiting for the remaining packets. After a given period when the remaining packets dont arrive, the web server will close this particular connection and free the socket once again.
6) Next i open up my browser and direct myself to the target url and shown below, its down. To be sure i viewed this from another computer and it was down 85% of the time.
8) Now the final and most important part! Sit back, light a joint and try to visualize the workings of slowloris in your head. Trust me on this Imagine the request, the server response, time out response, try and visualize how it works in your head. It helps alot!
Experimentation Mode :
Here are samples of my other test results :
1) All credits to the author RSnake
2) This will only attack the web service and not the rest of the server. Also this will not work on 99% of the servers out there as they will have some form of security measure other then load balancing. It could be anything from IPS, firewall, proxies.
3) Do experiment around with the switches i did not go through, such as -cache, -https etc etc.
4) This is for educational purposes only
5) Do NOT harm the innocent.