Slowloris 号称低带宽对服务器进行DDOS攻击

原理就是对WEB服务器发送 不完整的包并且以 单一  \r\n结尾,并不是 完整的HTTP包。造成WEB服务器堵塞达到最大连接数。

官网给出介绍,对以下几种服务器有效:

  • Apache 1.x
  • Apache 2.x
  • dhttpd
  • GoAhead WebServer
  • WebSense "block pages" (unconfirmed)
  • Trapeze Wireless Web Portal (unconfirmed)
  • Verizon's MI424-WR FIOS Cable modem (unconfirmed)
  • Verizon's Motorola Set-Top Box (port 8082 and requires auth - unconfirmed)
  • BeeWare WAF (unconfirmed)
  • Deny All WAF (unconfirmed)

以下服务器效果不佳:

  • IIS6.0
  • IIS7.0
  • lighttpd
  • Squid
  • nginx
  • Cherokee (verified by user community)
  • Netscaler
  • Cisco CSS (verified by user community)

官网教程:

__END__

=head1 TITLE

Slowloris

=head1 VERSION

Version 0.7 Beta

=head1 DATE

//

=head1 AUTHOR

RSnake <h@ckers.org> with threading from John Kinsella

=head1 ABSTRACT

Slowloris both helps identify the timeout windows of a HTTP server or Proxy server, can bypass httpready protection and ultimately performs a fairly low bandwidth denial of service.  It has the added benefit of allowing the server to come back at any time (once the program is killed), and not spamming the logs excessively.  It also keeps the load nice and low on the target server, so other vital processes don't die unexpectedly, or cause alarm to anyone who is logged into the server for other reasons.

=head1 AFFECTS

Apache .x, Apache .x, dhttpd, GoAhead WebServer, others...?

=head1 NOT AFFECTED

IIS6., IIS7., lighttpd, nginx, Cherokee, Squid, others...?

=head1 DESCRIPTION

Slowloris is designed so that a single machine (probably a Linux/UNIX machine since Windows appears to limit how many sockets you can have open at any given time) can easily tie up a typical web server or proxy server by locking up all of it's threads as they patiently wait for more data.  Some servers may have a smaller tolerance for timeouts than others, but Slowloris can compensate for that by customizing the timeouts.  There is an added function to help you get started with finding the right sized timeouts as well.

As a side note, Slowloris does not consume a lot of resources so modern operating systems don't have a need to start shutting down sockets when they come under attack, which actually in turn makes Slowloris better than a typical flooder in certain circumstances.  Think of Slowloris as the HTTP equivalent of a SYN flood.

=head2 Testing

If the timeouts are completely unknown, Slowloris comes with a mode to help you get started in your testing:

=head3 Testing Example:

./slowloris.pl -dns www.example.com -port  -test

This won't give you a perfect number, but it should give you a pretty good guess as to where to shoot for.  If you really must know the exact number, you may want to mess with the @times array (although I wouldn't suggest that unless you know what you're doing).

=head2 HTTP DoS

Once you find a timeout window, you can tune Slowloris to use certain timeout windows.  For instance, if you know that the server has a timeout of  seconds, but the the connection is fairly latent you may want to make the timeout window  seconds and increase the TCP timeout to  seconds.  The following example uses  sockets.  Most average Apache servers, for instance, tend to fall down between - sockets with a default configuration.  Some are less than .  The smaller the timeout the faster you will consume all the available resources as other sockets that are in use become available - this would be solved by threading, but that's for a future revision.  The closer you can get to the exact number of sockets, the better, because that will reduce the amount of tries (and associated bandwidth) that Slowloris will make to be successful.  Slowloris has no way to identify if it's successful or not though.

=head3 HTTP DoS Example:

./slowloris.pl -dns www.example.com -port  -timeout  -num  -tcpto 

=head2 HTTPReady Bypass

HTTPReady only follows certain rules so with a switch Slowloris can bypass HTTPReady by sending the attack as a POST verses a GET or HEAD request with the -httpready switch. 

=head3 HTTPReady Bypass Example

./slowloris.pl -dns www.example.com -port  -timeout  -num  -tcpto  -httpready

=head2 Stealth Host DoS

If you know the server has multiple webservers running on it in virtual hosts, you can send the attack to a seperate virtual host using the -shost variable.  This way the logs that are created will go to a different virtual host log file, but only if they are kept separately.

=head3 Stealth Host DoS Example:

./slowloris.pl -dns www.example.com -port  -timeout  -num  -tcpto  -shost www.virtualhost.com

=head2 HTTPS DoS

Slowloris does support SSL/TLS on an experimental basis with the -https switch.  The usefulness of this particular option has not been thoroughly tested, and in fact has not proved to be particularly effective in the very few tests I performed during the early phases of development.  Your mileage may vary.

=head3 HTTPS DoS Example:

./slowloris.pl -dns www.example.com -port  -timeout  -num  -https

=head2 HTTP Cache

Slowloris does support cache avoidance on an experimental basis with the -cache switch.  Some caching servers may look at the request path part of the header, but by sending different requests each time you can abuse more resources.  The usefulness of this particular option has not been thoroughly tested.  Your mileage may vary.

=head3 HTTP Cache Example:

./slowloris.pl -dns www.example.com -port  -timeout  -num  -cache

=head1 Issues

Slowloris is known to not work on several servers found in the NOT AFFECTED section above and through Netscalar devices, in it's current incarnation.  They may be ways around this, but not in this version at this time.  Most likely most anti-DDoS and load balancers won't be thwarted by Slowloris, unless Slowloris is extremely distrubted, although only Netscalar has been tested. 

Slowloris isn't completely quiet either, because it can't be.  Firstly, it does send out quite a few packets (although far far less than a typical GET request flooder).  So it's not invisible if the traffic to the site is typically fairly low.  On higher traffic sites it will unlikely that it is noticed in the log files - although you may have trouble taking down a larger site with just one machine, depending on their architecture.

For some reason Slowloris works way better if run from a *Nix box than from Windows.  I would guess that it's probably to do with the fact that Windows limits the amount of open sockets you can have at once to a fairly small number.  If you find that you can't open any more ports than ~ or so on any server you test - you're probably running into this "feature" of modern operating systems.  Either way, this program seems to work best if run from FreeBSD.  

Once you stop the DoS all the sockets will naturally close with a flurry of RST and FIN packets, at which time the web server or proxy server will write to it's logs with a lot of 400 (Bad Request) errors.  So while the sockets remain open, you won't be in the logs, but once the sockets close you'll have quite a few entries all lined up next to one another.  You will probably be easy to find if anyone is looking at their logs at that point - although the DoS will be over by that point too.

=head1 What is a slow loris?

What exactly is a slow loris?  It's an extremely cute but endangered mammal that happens to also be poisonous.  Check this out:

http://www.youtube.com/watch?v=rLdQ3UhLoD4
常用点的高级命令
=head3 HTTP DoS Example: ./slowloris.pl -dns www.example.com -port 80 -timeout 2000 -num 500 -tcpto 5
                              2000 second send 500 socks 。 根据调节。 10秒发送几千个都可以。

ubuntu 12.0.4下测试:

wget http://ha.ckers.org/slowloris/slowloris.pl

安装perl什么什么插件:

perl -MCPAN -e 'install IO::Socket::INET'
perl -MCPAN -e 'install IO::Socket::SSL'

开始攻击目标apache2的服务器:

perl slowloris.pl -dns xxx.com

此类ddos攻击针对web服务器, 使用 ping 命令检测看不到效果, 必须浏览器访问打不开才证明web服务器瘫痪了。

感觉效果很不明显哦。 apache 2.X 服务器 怎么都打不死。打不死。 此文留作纪念。

RSNAKE 的 Slowloris DOS攻击工具初试的更多相关文章

  1. slowhttptest慢攻击工具介绍

    slowhttptest介绍 Slowhttptest是依赖HTTP协议的慢速攻击DoS攻击工具,设计的基本原理是服务器在请求完全接收后才会进行处理,如果客户端的发送速度缓慢或者发送不完整,服务端为其 ...

  2. CC攻击工具list

    从论文里抠出来的工具列表如下,后面有黑产的工具以及网络上摘录的工具: 分类:(1)有僵尸网络(是否代理服务器)&没有的==>(2)单一url&混合url(多线程,压测为主,dem ...

  3. SlowHTTPTest-慢速DoS攻击

    Slowhttptest是一个依赖于实际HTTP协议的Slow HTTP DoS攻击工具,它的设计原理是要求服务器所有请求被完全接收后再进行处理. SlowHTTPTest是一款对服务器进行慢攻击的测 ...

  4. Dos拒绝服务攻击DNS、SNMP、NTP放大攻击和slowhttptest攻击工具(三)

    DNS放大攻击产生大流量的攻击方式 udpDNS放大效果-查询请求流量小,但响应流量可能非常巨大-dig ANY baidu.com @1.1.1.1 //向1.1.1.1的服务器查询域名解析,流量放 ...

  5. DDoS攻击工具

    DDoS攻击工具 综合性工具 综合性工具除了可以进行DDoS攻击外,还可用于其他的用途,例如:端口扫描.安全审计.防火墙等.实际上,大部分综合性工具开发的原始目的并不是用于DDoS,而是"网 ...

  6. 【漏洞学习】slowHTTPtest 慢速 DOS 攻击方法 修复方案

    日期:2018-05-28 21:41:59 更新:2019-07-05 23:15:21 作者:Bay0net 介绍:学习一下 slowHTTPtest 的攻击及防御. 0x01. 安装 下载链接 ...

  7. Linux下的DOS攻击

    Linux下的DOS攻击 DOS是Denial of service的简称,即拒绝服务,造成Dos攻击行为被称为Dos攻击,其目的是使计算机或网络无法提供正常的服务.最常见的Dos攻击有计算机带宽攻击 ...

  8. dos攻击

    概念理解 DoS到底是什么?接触PC机较早的同志会直接想到微软磁盘操作系统的DOS--DiskOperationSystem?不,此DoS非彼DOS也,DoS即DenialOfService,拒绝服务 ...

  9. DOS攻击之详解--转载

    源地址没有找到,间接引用地址:http://wushank.blog.51cto.com/3489095/1156004 DoS到底是什么?接触PC机较早的同志会直接想到微软磁盘操作系统的DOS--D ...

随机推荐

  1. dlib安装教程(for linux)

    https://blog.csdn.net/LoHiauFung/article/details/78454905 https://www.linuxidc.com/Linux/2017-11/148 ...

  2. struts2从浅至深(二)详细配置

    1.加载时机 当应用被服务器加载时,Struts的配置文件就已经加载了 2.加载顺序 default.properties------->struts-default.xml---------& ...

  3. 20155320 2016-2017-2 《Java程序设计》第7周学习总结

    20155320 2016-2017-2 <Java程序设计>第7周学习总结 教材学习内容总结 时间与日期 认识时间与日期 时间的度量 GMT(Greenwich Mean Time)时间 ...

  4. hdu2602 Bone Collector(01背包) 2016-05-24 15:37 57人阅读 评论(0) 收藏

    Bone Collector Problem Description Many years ago , in Teddy's hometown there was a man who was call ...

  5. 磁盘配额(Quota)的应用与实践

    1>什么是Quota      在Linux中,由于是多用户,多任务的环境,所以会有多用户共同使用一个硬盘空间的情况发生,如果其中有少数几个用户大量占用掉了硬盘空间的话,那肯定影响其他用户的使 ...

  6. 团队项目(第二周)—GG队

    项目需求规格分析 队员信息 队员 学号 叶尚文(队长) 3116008802 蔡晓晴 3216008808 杜婷萱 3216008809 龙剑初 3116004647 于泽浩 3116004661 项 ...

  7. ECG心电图数据2

    1.如何下载获取MIT-BIH的数据从下面这个官方链接页面可以下载到所有48组MIT-BIH心电数据: http://www.physionet.org/physiobank/database/mit ...

  8. 【TypeScript】TypeScript 学习 3——类

    在 EcmaScript 6 中,我们将会拥有原生的类,而不是像现在通过原型链来实现.使用 TypeScript 我们能提前体验这一特性. 首先来看看一个简单的例子: class Greeter { ...

  9. 基于tinyproxy搭建代理服务器

    在我们实际的工作当中,经常会遇到这种情况,我们对线上服务器进行操作时是通过跳板机来进行的,出于安全性及投入资金来考虑非必要情况下除跳板机以外的服务器是没有内网ip的,所以当我们位于内网的服务器需要使用 ...

  10. SED 学习笔记

    1. Sed简介   sed是一种在线编辑器,它一次处理一行内容.处理时,把当前处理的行存储在临时缓冲区中,称为“模式空间”(pattern space),接着用sed命令处理缓冲区中的内容,处理完成 ...