Slow Loris: Difference between revisions
>Pseudonymous m Aesthetic fix. Ignore. |
>CrackRabbit Created page with "Slowloris is a utility (originally written in perl) that can be used to exploit a flaw in many webservers (the most vulnerable are listed in the article on ha.ckers.org), allo..." |
||
| (One intermediate revision by one other user not shown) | |||
| Line 1: | Line 1: | ||
Slowloris is a utility (originally written in perl) that can be used to exploit a flaw in many webservers (the most vulnerable are listed in the article on ha.ckers.org) | Slowloris is a utility (originally written in perl) that can be used to exploit a flaw in many webservers (the most vulnerable are listed in the article on ha.ckers.org), allowing you to perform a de facto "SYN flood over HTTP."[http://ha.ckers.org/slowloris/] | ||
==Concept== | ==Concept== | ||
The ha.ckers.org article that revealed Slowloris explains its function as follows:[ | The ha.ckers.org article that revealed Slowloris explains its function as follows:[http://ha.ckers.org/slowloris/] | ||
<blockquote>''Slowloris holds connections open by sending partial HTTP requests. It continues to send subsequent headers at regular intervals to keep the sockets from closing. In this way webservers can be quickly tied up. In particular, servers that have threading will tend to be vulnerable, by virtue of the fact that they attempt to limit the amount of threading they'll allow. Slowloris must wait for all the sockets to become available before it's successful at consuming them, so if it's a high traffic website, it may take a while for the site to free up it's sockets. So while you may be unable to see the website from your vantage point, others may still be able to see it until all sockets are freed by them and consumed by Slowloris. This is because other users of the system must finish their requests before the sockets become available for Slowloris to consume. If others re-initiate their connections in that brief time-period they'll still be able to see the site. So it's a bit of a race condition, but one that Slowloris will eventually always win - and sooner than later.''</blockquote> | <blockquote>''Slowloris holds connections open by sending partial HTTP requests. It continues to send subsequent headers at regular intervals to keep the sockets from closing. In this way webservers can be quickly tied up. In particular, servers that have threading will tend to be vulnerable, by virtue of the fact that they attempt to limit the amount of threading they'll allow. Slowloris must wait for all the sockets to become available before it's successful at consuming them, so if it's a high traffic website, it may take a while for the site to free up it's sockets. So while you may be unable to see the website from your vantage point, others may still be able to see it until all sockets are freed by them and consumed by Slowloris. This is because other users of the system must finish their requests before the sockets become available for Slowloris to consume. If others re-initiate their connections in that brief time-period they'll still be able to see the site. So it's a bit of a race condition, but one that Slowloris will eventually always win - and sooner than later.''</blockquote> | ||
| Line 12: | Line 12: | ||
Slowloris.pl can be obtained at the following addresses: | Slowloris.pl can be obtained at the following addresses: | ||
*[ | *[http://ha.ckers.org/slowloris/slowloris.pl The original source from ha.ckers.org.] | ||
*[ftp://rlance.ru/Upload/a/slowloris.bin A Linux binary created with the PAR packer.] | *[ftp://rlance.ru/Upload/a/slowloris.bin A Linux binary created with the PAR packer.] | ||
| Line 29: | Line 29: | ||
To acquire QSlowLoris, visit the proceeding download pages: | To acquire QSlowLoris, visit the proceeding download pages: | ||
*[ | *[http://www.megaupload.com/?d=08RJVYTE Linux version.] | ||
*[ | *[http://www.megaupload.com/?d=3DV6R4ZL Windows version.] | ||
===PyLoris=== | ===PyLoris=== | ||
| Line 40: | Line 40: | ||
PyLoris can be obtained via the following resources: | PyLoris can be obtained via the following resources: | ||
*[ | *[http://www.sourceforge.net/projects/pyloris/ The SourceForge PyLoris project.] | ||
TACTICAL PITFALLS: | TACTICAL PITFALLS: | ||
| Line 48: | Line 48: | ||
==Further Reading== | ==Further Reading== | ||
===Documentation=== | ===Documentation=== | ||
*[ | *[http://ha.ckers.org/slowloris/ The full Slowloris release document.] | ||
*[ | *[http://www.motomastyle.com/pyloris/ The PyLoris home page.] | ||
{{tools}}[[Category:Tools]] | {{tools}}[[Category:Tools]] | ||
Latest revision as of 23:25, 26 May 2013
Slowloris is a utility (originally written in perl) that can be used to exploit a flaw in many webservers (the most vulnerable are listed in the article on ha.ckers.org), allowing you to perform a de facto "SYN flood over HTTP."[1]
Concept[edit]
The ha.ckers.org article that revealed Slowloris explains its function as follows:[2]
Slowloris holds connections open by sending partial HTTP requests. It continues to send subsequent headers at regular intervals to keep the sockets from closing. In this way webservers can be quickly tied up. In particular, servers that have threading will tend to be vulnerable, by virtue of the fact that they attempt to limit the amount of threading they'll allow. Slowloris must wait for all the sockets to become available before it's successful at consuming them, so if it's a high traffic website, it may take a while for the site to free up it's sockets. So while you may be unable to see the website from your vantage point, others may still be able to see it until all sockets are freed by them and consumed by Slowloris. This is because other users of the system must finish their requests before the sockets become available for Slowloris to consume. If others re-initiate their connections in that brief time-period they'll still be able to see the site. So it's a bit of a race condition, but one that Slowloris will eventually always win - and sooner than later.
Utility Downloads[edit]
Slowloris.pl (Original Program)[edit]
Slowloris.pl is the original utility (written in Perl).
USAGE[edit]
A common usage example:
perl slowloris.pl -dns www.president.ir -port 80 -timeout 500 -num 2000
Slowloris.pl can be obtained at the following addresses:
TACTICAL PITFALLS:
- Some marks may have blocked the User Agent that Slowloris.pl uses.
- To remedy this, modify the User-Agent variables to another valid User Agent.
- Usage on Windows is not guaranteed to work, as some versions throttle the use of sockets.
- To avoid and work around this pitfall, either dual-boot a Linux installation or use a virtual operating system (exempli gratia: VirtualBox or VMWare).
QSlowLoris[edit]
QSlowLoris is a C++ program that uses Qt libraries to execute the methods used by Slowloris.pl. TACTICAL ADVANTAGES:
- QSlowLoris' graphical user interface makes this program easy to use by all insurgents.
TACTICAL PITFALLS:
- Usage on Windows is not guaranteed to work, as some versions throttle the use of sockets.
- To avoid and work around this pitfall, either dual-boot a Linux installation or use a virtual operating system (exempli gratia: VirtualBox or VMWare).
To acquire QSlowLoris, visit the proceeding download pages:
PyLoris[edit]
PyLoris is a Python implementation of the Slowloris concept. It allows an insurgent to specify the bandwidth for the connection, as well as how large each request is.
USAGE[edit]
Common usage:
python pyloris-1.7.py -l -r POST -s 500000 -g "/fa/pages/?cid=407" www.gerdab.ir \ -u "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/530.5 (KHTML, like Gecko) Chrome/2.0.172.31 Safari/530.5"
PyLoris can be obtained via the following resources:
TACTICAL PITFALLS:
- Usage on Windows is not guaranteed to work, as some versions throttle the use of sockets.
- To avoid and work around this pitfall, either dual-boot a Linux installation or use a virtual operating system (exempli gratia: VirtualBox or VMWare).
Further Reading[edit]
Documentation[edit]
 |
Slow Loris is part of a series on Tools. |
