From charlesreid1

The SlowLoris attack is a Denial of Service DoS attack on HTTP servers.

SlowLoris DoS Attack

SlowLoris that opens a (large) fixed number of connections to send a payload of a specified size, then proceeds to twiddle its thumbs.

Slowloris is basically an HTTP Denial of Service attack that affects threaded servers.

We start making lots of HTTP requests.

We send headers periodically (every ~15 seconds) to keep the connections open.

We never close the connection unless the server does so. If the server closes a connection, we create a new one keep doing the same thing.

This exhausts the servers thread pool and the server can't reply to other people.

This is the computer networking equivalent of when you go to the bank, and just before you get to the teller window, a little old lady with a giant sack of pennies says "I'd like to deposit $573 in pennies. 1... 2... 3... 4... 5..." Except, an army of old ladies showing up in front of every teller window.

Slow Death Script

https://github.com/evert/slowdeath

This is a Python script that implements the SlowLoris attack with a fixed number of threads opening connections with the web server. This will completely swamp, e.g., an Apache server on a single machine.

NOTE: there is another tool called slowhttptest capable of performing this style of attack. Nicer frontend, more options. slowdeath is a simple get-it-done PoC Python script.

Before

Here's what you should see before the attack when you punch in the IP address of the Metasploitable machine:

SlowDeath PreAttack.png

(Note that here the machine is at 192.168.56.101 - a set up that corresponds to creating a host-only network adapter for the VirutalBox. That means we'll be creating a network and only virtual machines on the host computer will be able to see the network.)

Running

To use slowdeath:

# python slowdeath.py -t 200 http://192.168.56.101

This will open 200 simultaneous connections and send data very, very slowly over those 200 connections.

During/After

This swamps the server temporarily, and anyone visiting 192.168.56.101 in the browser will experience a denial of service:

SlowDeath DOS.png

This will continue to open new connections as existing connections die:

SlowDeath Reopen.png

Once the attack is killed, everything is back to normal.

Flags

DoS