  • Learning Kali Linux




    Date: 14.05.2024
    Denial-of-Service Tools
    Denial of service is not the same as stress testing. The objective may be different
    when it comes to the two sets of tools being used. Stress testing is commonly done by
    development tools to be able to provide performance metrics. It is used to determine
    the functionality of a program or system under stress—whether it’s the stress of
    volume or the stress of malformed messages. There is a fine line, though. In some cases,
    stress testing will cause a failure of the application or the operating system. This will
    result in a denial-of-service attack. However, stress testing may also just lead to CPU
    or memory spikes. These are also valuable findings, since this would be an
    opportunity to improve the programming. CPU or memory spikes are bugs, and bugs should
    be eradicated. What we are looking at in this section will be programs that are
    specifically developed for the purpose of knocking over services.
    Slowloris attack
    Much like the SYN flood that intends to fill up the partial connection queue, there are
    attacks that will do similar things to a web server. Applications don’t necessarily have
    unlimited resources at their disposal. Often there are caps on the connections the
    application server will take on. This depends on how the application is designed, and
    not all web servers are susceptible to these attacks. One thing to note here is that
    embedded devices often have limited resources when it comes to their memory and
    processor. Think about any device that has a web server for remote management—
    your wireless access point, your cable modem/router, a printer. These devices have
    web servers to make management easier, but the primary purpose of these devices
    isn’t to provide web services; it’s to act as a wireless access point, a cable
    modem/router, or a printer. The resources for these devices will be primarily applied to the
    device’s intended function.
    These devices are one place to use this sort of testing, because they simply won’t
    expect a lot of connections. This means that an attack such as Slowloris may be able
    to take these servers offline, denying service to anyone else who may try to connect.
    The Slowloris attack is designed to hold a lot of connections open to a web server.
    The difference between this attack and a flooding attack is that this is a slow-play attack.
    It’s not a flood. Instead, the attack tool holds the connection open by sending small
    amounts of data over a long period of time. The server will maintain these
    connections as long as the attack tool continues to send even small amounts of data:
    partial requests that never quite get completed.
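An added example (not from the book): a simplified model of why a server whose only timer resets on every read keeps a slow-headers connection alive, while an absolute header deadline in the style of Apache mod_reqtimeout's `RequestReadTimeout header=20-40,MinRate=500` closes it. The class and function names and the sample traffic are constructed for illustration and are not Apache's implementation.

```python
from dataclasses import dataclass

END_OF_HEADERS = b"\r\n\r\n"

@dataclass(frozen=True)
class HeaderTimeoutPolicy:   # hypothetical name; models header=20-40,MinRate=500
    initial: float = 20.0    # seconds allowed for the header block
    maximum: float = 40.0    # hard cap, however much data arrives
    min_rate: int = 500      # each min_rate bytes received buys 1 more second

    def deadline(self, nbytes):
        return min(self.initial + nbytes // self.min_rate, self.maximum)

def idle_only(chunks, idle=300.0):
    """Weak setting: the only timer is reset by every read."""
    received, last = b"", 0.0
    for t, data in sorted(chunks):
        if t - last > idle:
            return ("timeout", last + idle)
        received, last = received + data, t
        if END_OF_HEADERS in received:
            return ("complete", t)
    return ("still-open", last)   # connection slot is still occupied

def header_deadline(chunks, policy=HeaderTimeoutPolicy()):
    """Hardened setting: one absolute deadline for the whole header block."""
    received = b""
    for t, data in sorted(chunks):
        if t > policy.deadline(len(received)):
            return ("timeout", policy.deadline(len(received)))
        received += data
        if END_OF_HEADERS in received:
            return ("complete", t)
    # Headers never finished: the server closes the socket at the deadline.
    return ("timeout", policy.deadline(len(received)))

# Constructed samples: (seconds since accept, bytes read from the socket).
NORMAL = [(0.05, b"GET / HTTP/1.1\r\nHost: test.example\r\n\r\n")]
SLOW = [(0.0, b"GET / HTTP/1.1\r\nHost: test.example\r\n")] + \
       [(10.0 * i, b"X-a: b\r\n") for i in range(1, 30)]

if __name__ == "__main__":
    for name, sample in (("normal", NORMAL), ("slow", SLOW)):
        print(name, idle_only(sample), header_deadline(sample))
```

The slow sample never sends enough bytes to earn extra time, so the deadline stays at the initial 20 seconds; only a client delivering real header data at `min_rate` or better extends it, and never past `maximum`.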
    Slowloris is not the only type of attack that goes after web servers, though. In recent
    years, there have been a few vulnerabilities that go after web servers. Another one is
    Apache Killer, which sends bytes in chunks that overlap. The web server, in trying to
    put the chunks together, eventually runs out of memory trying to make it work
    correctly. This was a vulnerability found in both the 1.x and 2.x versions of Apache.
    One program that Kali has available is slowhttptest. Using slowhttptest, you can launch
    one of four HTTP attacks at your target. The first is a slow headers attack, otherwise
    known as Slowloris (as noted previously). The second is a slow body attack, otherwise
    known as R-U-Dead-Yet. The range attack, known as Apache Killer, is also available,
    as is a slow read attack. All of these are essentially the reverse of the flooding attacks
    discussed earlier in that they accomplish the denial of service with a limited number
    of network messages. In Example 2-7, the default slow headers attack (Slowloris) was
    run against Apache on my Kali box. No traffic has left my system, and you can see
    that after the 26th second, the test ended with no connections left available. Of
    course, this was a simply configured web server with very few threads configured. A
    web application with multiple web servers available to manage load would survive
    considerably longer, if they were available at all.
    Example 2-7. slowhttp output
    slowhttptest version 1.6
    - https://code.google.com/p/slowhttptest/ -
