• SSL-based stress testing
  • | Chapter 2: Network Security Testing Basics






    test type: SLOW HEADERS
    number of connections: 50
    URL: http://192.168.86.35/
    verb: GET
    Content-Length header value: 4096
    follow up data max size: 68
    interval between follow up data: 10 seconds
    connections per seconds: 50
    probe connection timeout: 5 seconds
    test duration: 240 seconds
    using proxy: no proxy

    Thu Nov 23 19:53:52 2017:
    slow HTTP test status on 25th second:
    initializing: 0
    pending: 0
    connected: 30
    error: 0
    closed: 20
    service available: YES
    Thu Nov 23 19:53:54 2017:
    Test ended on 26th second
    Exit status: No open connections left

    The Apache server targeted here uses multiple child processes and multiple threads to
    handle requests. Caps are set in the Apache configuration: the default here is 2
    servers, a thread limit of 64, 25 threads per child, and a maximum of 150 request
    workers. As soon as the number of connections available was maxed out by slowhttptest,
    the number of Apache processes was 54 on this system. That would be 53
    child processes and a master or parent process. To handle the number of connections
    required for the requests being made, Apache spawned multiple children and would
    have had multiple threads per child. That’s a lot of processes that have been started
    up. Considering that the Apache server that was running was completely up-to-date
    at the time of this writing, it seems clear that these types of attacks can be successful,
    in spite of how many years they have been around. Of course, as noted earlier, that
    entirely depends on the architecture of the site under test.
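
An added example, not from the book or from Apache's code: a simplified Python model of why a per-packet idle timeout never fires against the slow-headers run shown above (follow-up data every 10 seconds), while a deadline on the whole header phase does. The policy values follow the form of mod_reqtimeout's `RequestReadTimeout header=20-40,MinRate=500`; the 60-second idle timeout, the 200-byte initial request, the second sample client and the model itself are assumptions.

```python
from dataclasses import dataclass

@dataclass
class HeaderPolicy:
    initial: int    # seconds allowed for the header phase before any extension
    maximum: int    # hard ceiling on the header phase, in seconds
    min_rate: int   # every min_rate bytes received earns one extra second

def idle_timeout_close(arrivals, idle_timeout):
    """Return when a pure inactivity timeout closes the connection, else None.
    arrivals: sorted (time_s, nbytes) tuples for one connection."""
    last = arrivals[0][0]
    for t, _ in arrivals[1:]:
        if t - last > idle_timeout:
            return last + idle_timeout
        last = t
    return None  # no gap between packets was ever long enough

def header_deadline_close(arrivals, policy):
    """Return when a total header deadline closes a connection whose
    headers never complete (the slow-headers case)."""
    start = arrivals[0][0]
    received = 0
    deadline = start + policy.initial
    for t, nbytes in arrivals:
        if t >= deadline:
            break  # deadline passed before this data arrived
        received += nbytes
        extended = policy.initial + received // policy.min_rate
        deadline = start + min(extended, policy.maximum)
    return deadline

def worker_seconds(connections, close_time, test_duration):
    """Worker time tied up by the test; close_time None means held to the end."""
    held = test_duration if close_time is None else min(close_time, test_duration)
    return connections * held

# Constructed sample: partial request at t=0, then 68 bytes every 10 s for 240 s,
# matching the follow-up size, interval and duration in the output above.
SLOW_CLIENT = [(0, 200)] + [(t, 68) for t in range(10, 241, 10)]
# Constructed sample: a client trickling 500 bytes per second to earn extensions.
TRICKLE_CLIENT = [(t, 500) for t in range(0, 60)]
POLICY = HeaderPolicy(initial=20, maximum=40, min_rate=500)

if __name__ == "__main__":
    for name, client in (("slow", SLOW_CLIENT), ("trickle", TRICKLE_CLIENT)):
        idle = idle_timeout_close(client, 60)
        cut = header_deadline_close(client, POLICY)
        print(name, "idle:", idle, "deadline:", cut,
              "worker-seconds:", worker_seconds(50, idle, 240),
              "->", worker_seconds(50, cut, 240))
```

The slow client is never closed by the idle timeout because each 10-second gap is shorter than it, but the header deadline ends the connection at 20 seconds; the trickling client is stopped at the 40-second ceiling.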
    SSL-based stress testing
    Another resource-based attack that isn’t about bandwidth, but instead is about processor
    utilization, targets the processing requirements for encryption. For a long
    time, e-commerce sites have used Secure Sockets Layer (SSL) or Transport Layer
    Security (TLS) to maintain encryption between the client and the server in order to
    ensure the privacy of all communication. These days, many servers use SSL/TLS as a
    matter of course. If you attempt to search at Google, you will see that it is encrypted
    by default. Similarly, many other large sites, such as Microsoft and Apple, encrypt all
    traffic by default. If you try to visit the site by using an unencrypted uniform resource
