The SlowLoris attack is a Denial of Service (DoS) attack on HTTP servers.
SlowLoris DoS Attack
SlowLoris opens a (large) fixed number of connections, sends a payload of a specified size, then proceeds to twiddle its thumbs.
Slowloris is basically an HTTP Denial of Service attack that affects threaded servers.
We start making lots of HTTP requests.
We send headers periodically (every ~15 seconds) to keep the connections open.
We never close the connection unless the server does so. If the server closes a connection, we create a new one and keep doing the same thing.
This exhausts the server's thread pool, and the server can't reply to other people.
This is the computer networking equivalent of when you go to the bank, and just before you get to the teller window, a little old lady with a giant sack of pennies says "I'd like to deposit $573 in pennies. 1... 2... 3... 4... 5..." Except it's an army of old ladies showing up in front of every teller window.
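A defender-side check for the pattern described above, as an added example that is not part of the original page or the slowdeath script: it flags sources holding many connections whose headers are still incomplete past an absolute deadline. The Conn fields, the thresholds, and the sample addresses are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Conn:
    src: str            # client IP
    age_s: float        # seconds since the TCP connection was accepted
    idle_s: float       # seconds since the last byte arrived
    bytes_in: int       # request bytes received so far
    headers_done: bool  # True once the blank line ending the headers arrived

# Assumed thresholds for the example; tune to the server being protected.
HEADER_DEADLINE_S = 30  # absolute time allowed to finish sending headers
MIN_RATE_BPS = 50       # below this average inbound rate a pending request is slow
MAX_SLOW_PER_SRC = 20   # slow pending connections tolerated per source

def is_slow(c: Conn) -> bool:
    """Headers still incomplete past the absolute deadline, at a trickle rate.

    idle_s is deliberately not used: a header line every ~15 s keeps idle_s
    small, so an idle timeout alone never fires on these connections.
    """
    if c.headers_done or c.age_s <= HEADER_DEADLINE_S:
        return False
    return c.bytes_in / c.age_s < MIN_RATE_BPS

def flag_sources(conns):
    """Return {src: slow_connection_count} for sources over the per-source limit."""
    slow = defaultdict(int)
    for c in conns:
        if is_slow(c):
            slow[c.src] += 1
    return {src: n for src, n in slow.items() if n > MAX_SLOW_PER_SRC}

def sample_snapshot():
    """Constructed data: one source with 200 trickling connections plus normal clients."""
    conns = [Conn("192.168.56.1", 300.0, (i % 15) + 0.5, 400 + i, False) for i in range(200)]
    conns += [
        Conn("192.168.56.20", 2.0, 0.1, 350, True),       # normal completed request
        Conn("192.168.56.21", 45.0, 40.0, 120, False),    # one stalled client, under the limit
        Conn("192.168.56.22", 120.0, 0.2, 900000, True),  # long upload, headers done
    ]
    return conns

if __name__ == "__main__":
    for src, n in flag_sources(sample_snapshot()).items():
        print(f"{src}: {n} connections with incomplete headers past {HEADER_DEADLINE_S}s")
```

The same rule, applied inside the server as a hard deadline on header completion plus a per-source connection cap, frees worker threads instead of only reporting on them.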
Slow Death Script
This is a Python script that implements the SlowLoris attack with a fixed number of threads opening connections with the web server. This will completely swamp, e.g., an Apache server on a single machine.
NOTE: there is another tool called slowhttptest capable of performing this style of attack. Nicer frontend, more options. slowdeath is a simple get-it-done PoC Python script.
Here's what you should see before the attack when you punch in the IP address of the Metasploitable machine:
(Note that here the machine is at 192.168.56.101 - a setup that corresponds to creating a host-only network adapter in VirtualBox. That means we'll be creating a network that only virtual machines on the host computer will be able to see.)
To use slowdeath:
# python slowdeath.py -t 200 http://192.168.56.101
This will open 200 simultaneous connections and send data very, very slowly over those 200 connections.
This swamps the server temporarily, and anyone visiting 192.168.56.101 in the browser will experience a denial of service:
This will continue to open new connections as existing connections die:
Once the attack is killed, everything is back to normal.