Script http-slowloris

Script types: portrule
Categories: dos, intrusive
Download: https://svn.nmap.org/nmap/scripts/http-slowloris.nse

Script Summary

Tests a web server for vulnerability to the Slowloris DoS attack by launching a Slowloris attack.

Slowloris was described at Defcon 17 by RSnake (see http://ha.ckers.org/slowloris/).

This script opens and maintains numerous 'half-HTTP' connections until the server runs out of resources, leading to a denial of service. When a successful DoS is detected, the script stops the attack and returns these pieces of information (which may be useful to tweak further filtering rules):

• Time taken until DoS
• Number of sockets used
• Number of queries sent

By default the script runs for 30 minutes if DoS is not achieved.

Please note that the number of concurrent connexions must be defined with the --max-parallelism option (default is 20, suggested is 400 or more) Also, be advised that in some cases this attack can bring the web server down for good, not only while the attack is running.

Also, due to OS limitations, the script is unlikely to work when run from Windows.

See also:

• http-slowloris-check.nse

Script Arguments

http-slowloris.runforever

Specify that the script should continue the attack forever. Defaults to false.

http-slowloris.timelimit

Specify maximum run time for DoS attack (30 minutes default).

http-slowloris.send_interval

Time to wait before sending new http header datas in order to maintain the connection. Defaults to 100 seconds.

slaxml.debug

See the documentation for the slaxml library.

http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent

See the documentation for the http library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

Example Usage

nmap --script http-slowloris --max-parallelism 400  <target>

Script Output

PORT     STATE SERVICE REASON  VERSION
80/tcp   open  http    syn-ack Apache httpd 2.2.20 ((Ubuntu))
| http-slowloris:
|   Vulnerable:
|   the DoS attack took +2m22s
|   with 501 concurrent connections
|_  and 441 sent queries

Requires

• coroutine
• datetime
• math
• nmap
• os
• shortport
• stdnse
• http
• comm

---

Authors:

• Aleksandar Nikolic
• Ange Gutek

License: Same as Nmap--See https://nmap.org/book/man-legal.html