Slowloris in Action

Filed under Fu (a.k.a Tips), Tools

A few days ago I posted about a tool I had just discovered called Slowloris. Well, I finally had a pentest providing the opportunity to actually use it!

Here is a brief walkthrough on how to use it (please follow my previous blog post for download links):

Step 1: Test for delay

perl slowloris.pl -dns [target] -port [webserver] -test

[Image: testing]

Step 2: Begin Attack

There are a bunch of options that you can use when you actually do your attack. Slowloris supports HTTPS (-https), HTTPReady bypass (-httpready), and more. There are some very detailed instructions in the perldocs ($ perldoc slowloris.pl). Here was my attack:

perl slowloris.pl -dns [target] -port 80 -timeout 500 -num 500 -tcpto 5 -httpready
  • -dns : the target
  • -port : the port the webserver is running on
  • -timeout : this is the timeout delay for each thread. It will wait this long before reacquiring TCP space on the server. This value is discovered using the -test flag from step 1.
  • -num : number of sockets to use to get connections. The documentation says most Apache servers will require a value of 400-600. Some others may be as low as 300 depending on the configuration.
  • -tcpto : TCP timeout. In some cases your threads will have resource issues. Keeping this value as exact as possible (as well as the -num value) will improve performance. The default used during the test is 5; I have found that to be sufficient.
  • -httpready : HTTPReady is used by Apache to buffer connections. You can bypass this protection by sending POST requests instead of GET or HEAD. That is exactly what this switch does.

[Image: attack]

After a tiny little wait, the web server wouldn’t respond to HTTP requests. Beautiful!
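
Seen from the server, the run above is one peer holding hundreds of established connections to the web port. The following is an added example for spotting that, not code from the original post or from Slowloris: it counts ESTAB connections per peer in ss -tn style output. The sample addresses, the per-source limit of 50 and the worker pool of 400 are constructed assumptions.

```python
from collections import Counter

def split_addr(addr):
    """Split 'ip:port' or '[ipv6]:port' (numeric, as printed by ss -tn)."""
    ip, _, port = addr.rpartition(":")
    return ip.strip("[]"), int(port)

def established_per_peer(ss_text, web_port=80):
    """Count ESTAB connections to web_port per remote IP."""
    counts = Counter()
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "ESTAB":
            continue  # header, blank lines, TIME-WAIT, SYN-RECV, ...
        _, local_port = split_addr(fields[3])
        peer_ip, _ = split_addr(fields[4])
        if local_port == web_port:
            counts[peer_ip] += 1
    return counts

def flag_sources(counts, per_ip_limit=50, worker_pool=400):
    """Return [(ip, conns, share_of_pool)] for peers over the limit, worst first.

    per_ip_limit and worker_pool are assumed values; set them from the
    server's own worker configuration. A share of 1.0 or more means one
    peer alone can occupy every worker.
    """
    flagged = [(ip, n, round(n / worker_pool, 2))
               for ip, n in counts.items() if n > per_ip_limit]
    return sorted(flagged, key=lambda row: row[1], reverse=True)

def build_sample():
    """Constructed data: one peer with 500 sockets (the -num value above),
    20 ordinary clients, one IPv6 client, plus rows that must be ignored."""
    lines = ["State Recv-Q Send-Q Local Address:Port Peer Address:Port"]
    lines += [f"ESTAB 0 0 192.0.2.10:80 203.0.113.7:{40000 + i}" for i in range(500)]
    lines += [f"ESTAB 0 0 192.0.2.10:80 198.51.100.{i}:51000" for i in range(1, 21)]
    lines += ["ESTAB 0 0 [2001:db8::10]:80 [2001:db8::99]:52000",
              "TIME-WAIT 0 0 192.0.2.10:80 203.0.113.7:39999",
              "ESTAB 0 0 192.0.2.10:22 203.0.113.7:39000"]
    return "\n".join(lines)

SAMPLE = build_sample()

if __name__ == "__main__":
    for ip, n, share in flag_sources(established_per_peer(SAMPLE)):
        print(f"{ip}: {n} connections to port 80 ({share:.0%} of assumed pool)")
```

A per-source limit well under the 300-600 sockets quoted above catches a single-host run; it does not catch the same load spread across many sources.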

10 Comments

  1. Michael L. says:

    Hi,
    I am not a pen tester, but I enjoy reading regarding security. It is not clear to me why SlowLoris is a pen testing tool. My understanding is that the point of pen testing is to identify vulnerabilities that a hacker could use to attack a client, so that the client can then bolster his defenses to protect himself from the discovered vulnerabilities. However, SlowLoris would seem to *always* be successful eventually in causing a DoS on the web server. So I don’t see the value of using SlowLoris in a pen test, since every client’s web site would eventually succumb to it. And how would the client use that info to improve his security? So it would seem to me that SlowLoris is only useful as a hacking tool for a malicious person who wants to inflict DoS against a victim.
    I’d appreciate reading your thoughts on this.
    -Michael

  2. Jose Luis says:

    I run this command

    perl slowloris.pl -dns http://www.blablablabla.bla -port 80 -timeout 500 -num 500 -tcpto 5 -httpready

    from 3 servers at same time

    ping result

    Respuesta desde 178.33.119.50: bytes=32 tiempo=37ms TTL=54
    Respuesta desde 178.33.119.50: bytes=32 tiempo=41ms TTL=54
    Respuesta desde 178.33.119.50: bytes=32 tiempo=39ms TTL=54
    Respuesta desde 178.33.119.50: bytes=32 tiempo=39ms TTL=54
    Respuesta desde 178.33.119.50: bytes=32 tiempo=37ms TTL=54
    Respuesta desde 178.33.119.50: bytes=32 tiempo=36ms TTL=54
    Respuesta desde 178.33.119.50: bytes=32 tiempo=35ms TTL=54
    Respuesta desde 178.33.119.50: bytes=32 tiempo=38ms TTL=54

    and the web server works fine after 2400 packets …..

    Is the server secure from DoS attack?

  3. Henry says:

    Hi Skyler

    I find your website very helpful, however I can't run the Perl in my cmd

    Every time I try to run

    perl slowloris.pl -dns [target] -port [webserver] -test

    It says “cant open perl script no such a file or directory”
    Could you help please

    Regards,

    Henry

    • Skyler says:

      Hey Henry,

      Thanks for the comment! It sounds like you're pretty new with Linux. I'm gonna suggest doing a quick bit of research on how to navigate through file structures/file locations. You should be able to see what is wrong in your command after that. However, please be careful when using this tool. Use it only on servers you are approved to do it on, and at no time use it maliciously.

      thanks and best of luck!

  4. drazen says:

    hi Skyler,

    I'm trying to pentest an apache2 on ubuntu12 virtualbox using slowloris, but I don't know how to give a domain name to my site so I can attack it with slowloris. Please help.

    • Skyler says:

      Generally you don't need to attack a server with Slowloris that you have white box information on. However, you should be able to use an IP address rather than a FQDN. However, if for some reason it's not working, I would try making a static entry within your hosts file to point from some trivial name (i.e. vulnserver.test) to whatever IP address it resides at. That should solve it.

  5. drazen says:

    That's in /etc/hosts??? Could I do the test to the default apache site or should I create a new one?
    Thanks for the help
