Slow DoS: slowhttptest introduction and testing

Source: Internet
Author: User
slowhttptest:

slowhttptest covers Slowloris, slow HTTP POST, slow read and other slow attacks. The principle is to make the server wait: while the server holds a connection open waiting for the rest of a request, it consumes resources, and that consumption is the attack. Slow HTTP attacks are not as blunt as a DDoS that crashes the server with a huge number of connections (requests); they wear the server down, make it increasingly unwell, and let it die slowly (the service stops working properly).

Slowloris
The attack style is similar to a SYN flood carried out at the HTTP level, but its impact is much narrower: of two Apache services on one server, one may hang while the other keeps running normally. In an attack, the attacker sends a request like the following to the server:
GET / HTTP/1.1\r\n
Host: victim host\r\n
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50313; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice)\r\n
Content-Length: 42\r\n
A complete HTTP request must end with \r\n\r\n, i.e. two CRLFs in a row. Here one is missing, so the server waits. After a while the attacker sends
X-a: b\r\n
The server now keeps waiting for the rest of the request headers instead of completing or closing the request, so the connection stays held open.

Slow HTTP POST
This attack is similar to the previous one. With the POST method the Content-Length header declares the length of the body that will follow.
After the headers are submitted, the body is held back. Having read the declared length, the server waits for the client to send the POST body; the attacker keeps the connection open and sends one byte every 10 to 100 seconds, so each connection ties up resources for a long time. As such connections keep being added, server resources are exhausted and the server may eventually go down; many web server programs have been put out of service this way.

Slow Read Attack
This method controls the amount of data the server may send by shrinking the TCP sliding window (the advertised receive window), so that the server has to split its response into many small packets and holds the connection until they are all delivered.

slowhttptest testing

Tool installation (on Kali)

Answer y to every prompt; once the installation finishes the tool is ready to use.
Test examples:
Slowloris mode (slow headers):

root@test:~# slowhttptest -c 1000 -H -i 10 -r 200 -t GET -u https://host:port/index.html -x 24 -p 3

Slow Read mode:

root@test:~# slowhttptest -c 1000 -X -r 1000 -w 10 -y 20 -n 5 -z 32 -u http://host:port -p 5 -l 350 -e x.x.x.x:8080

x.x.x.x:8080 is an HTTP proxy (used here only for the probe connection, see -e).

Tool usage instructions and option reference:
-a start      start value of the range specifier for the Range header test
-b bytes      upper limit of the range specifier for the Range header test
-c number     number of connections, limited to 65539
-d host:port  direct all traffic through an HTTP proxy
-e host:port  direct only the probe traffic through an HTTP proxy
-H, -B, -R or -X  select the mode: slow down in the headers (-H) or in the message body (-B), run the Range header test (-R), or run the slow read test (-X)
-g            generate statistics in CSV and HTML format; the file name pattern is slow_xxx.csv/html, where xxx is the time and date
-i seconds    interval between follow-up data, in seconds, per connection
-k factor     pipeline factor: number of times the request is repeated on the same connection in the slow read test, if the server supports HTTP pipelining
-l seconds    test duration in seconds
-n seconds    interval between read operations from the receive buffer
-o file       custom output file path and/or name; effective only if -g is specified
-p seconds    timeout to wait for an HTTP response on the probe connection; after it expires the server is considered inaccessible
-r rate       connection rate (connections per second)
-s bytes      value of the Content-Length header; effective if -B is specified
-t verb       custom HTTP verb to use
-u URL        target URL, in the same format as in a browser, e.g. https://host[:port]/
-v level      verbosity level of the log, 0-4
-w bytes      start of the range the advertised window size is picked from
-x bytes      maximum length of follow-up data
-y bytes      end of the range the advertised window size is picked from
-z bytes      number of bytes to read from the receive buffer with a single read() call
Case description (slow body mode, statistics written to my_body_stats):
slowhttptest -c 1000 -B -g -o my_body_stats -i 110 -r 200 -s 8192 -t FAKEVERB -u http://mysite -x 10 -p 3
Test conclusions:
1. If the server under test stays in normal use during the attack and its CPU, memory and network utilization remain normal, it has no slow HTTP vulnerability.
   Example checks: pgrep http | wc -l (number of httpd processes)
                   netstat -antp | grep 443 | wc -l (number of network connections on port 443)
2. If the service cannot be reached during the attack period, the vulnerability exists.
3. Ways to fix the vulnerability:
A. Set URL whitelists and blacklists and identify malicious IPs;
B. Set an absolute connection timeout;
C. Define a minimum input data rate and limit the maximum time allowed for transferring the web server's HTTP headers; change the maximum allowed time to 20 seconds.
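As an added example (not from the article), fixes B and C expressed as Apache httpd 2.4 configuration. mod_reqtimeout's RequestReadTimeout directive implements the minimum input rate and the 20 second header limit; Timeout and KeepAliveTimeout give the absolute limits. The module path and the numeric values are assumptions to tune for the site's real clients.

```apache
# Added example, not taken from the article: httpd 2.4 settings for mitigations
# B (absolute timeout) and C (minimum input rate, 20 s header limit).
# Module path is an assumption; on Debian-style installs use a2enmod reqtimeout.
LoadModule reqtimeout_module modules/mod_reqtimeout.so

# C: request headers must be complete within 20 s. Every 500 bytes received
#    extend the deadline by 1 s, but never past 40 s in total. The body gets
#    20 s plus the same minimum rate, which covers the slow POST case.
RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500

# B: absolute limit on how long httpd waits for a single read or write
Timeout 30

# Recycle idle keep-alive connections quickly so held sockets are freed
KeepAlive On
KeepAliveTimeout 5
MaxKeepAliveRequests 100

# Bound header count and size so a slow client cannot also send unbounded headers
LimitRequestFields 50
LimitRequestFieldSize 8190
```

The nginx equivalents are client_header_timeout, client_body_timeout and send_timeout, and send_timeout is the one that bounds a slow read client, which RequestReadTimeout does not cover on Apache. After changing the values, rerun the -H, -B and -X tests from the examples above against a staging host and confirm the probe connection (-p) keeps getting answered.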
Count the duration of each TCP connection and the number of HTTP messages passed on it per unit of time to identify attacks accurately. On one TCP connection, both too few and too many HTTP messages are abnormal: too few may indicate a slow-connection attack, too many may indicate an HTTP flood that uses HTTP/1.1 keep-alive to send many requests over a single TCP connection.
Limit the maximum time allowed for HTTP header transfer. If the headers have not been fully transferred within the specified time, treat the source IP as a slow-connection attacker, interrupt the connection and blacklist the address.
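The two rules above (too few messages on a long-open connection, too many messages per second on one connection) as a small classifier, added here as an example that is not part of the article or of slowhttptest. The per-connection ledger format, the thresholds and the sample records are constructed assumptions; a real deployment would fill the ledger from the web server's connection status or a flow export.

```python
"""Apply the article's two detection rules to per-connection records.

Added example, not from the original article or from slowhttptest. The ledger
format (one line per TCP connection: source IP, seconds open, complete HTTP
requests seen, whether the headers finished with the blank line) and every
threshold below are assumptions chosen for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

HEADER_TIMEOUT_S = 20.0   # the article's recommended maximum for header transfer
MAX_REQ_PER_SEC = 50.0    # above this on ONE connection: pipelined HTTP flood (assumed)
MIN_SUSPECT_CONNS = 3     # one odd connection is noise; several from one IP is a pattern


@dataclass
class Conn:
    src_ip: str
    open_s: float          # how long the TCP connection has been open
    requests: int          # complete HTTP requests served on it
    header_done: bool      # server has seen the terminating blank line


def parse_ledger(text: str) -> list[Conn]:
    """Parse 'ip open_s requests header_done(y/n)' lines; '#' starts a comment."""
    conns = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, open_s, requests, header_done = line.split()
        conns.append(Conn(ip, float(open_s), int(requests), header_done == "y"))
    return conns


def classify(conn: Conn) -> str:
    """'slow' = headers still incomplete past the limit; 'flood' = too many requests/s."""
    if not conn.header_done and conn.open_s > HEADER_TIMEOUT_S:
        return "slow"
    if conn.open_s > 0 and conn.requests / conn.open_s > MAX_REQ_PER_SEC:
        return "flood"
    return "normal"


def suspects(conns: list[Conn]) -> dict[str, str]:
    """Aggregate verdicts per source IP and return the IPs worth blacklisting."""
    tally = defaultdict(lambda: {"slow": 0, "flood": 0, "normal": 0})
    for c in conns:
        tally[c.src_ip][classify(c)] += 1
    verdict = {}
    for ip, n in tally.items():
        if n["slow"] >= MIN_SUSPECT_CONNS:
            verdict[ip] = "slow-connection attack"
        elif n["flood"] >= MIN_SUSPECT_CONNS:
            verdict[ip] = "http flood"
    return verdict


# Constructed sample: 203.0.113.7 holds headers open (Slowloris pattern),
# 198.51.100.9 fires hundreds of requests per second, the others are ordinary.
SAMPLE_LEDGER = """\
# src_ip        open_s  requests  header_done
203.0.113.7     45.0    0         n
203.0.113.7     44.2    0         n
203.0.113.7     43.9    0         n
203.0.113.7     41.0    0         n
203.0.113.7     0.8     1         y
198.51.100.9    2.0     400       y
198.51.100.9    2.1     380       y
198.51.100.9    1.9     410       y
192.0.2.10      30.0    3         y
192.0.2.10      5.0     0         n
192.0.2.11      12.0    0         n
"""


def report(ledger: str = SAMPLE_LEDGER) -> dict[str, str]:
    """Run the whole pipeline on a ledger and return {ip: reason}."""
    return suspects(parse_ledger(ledger))


if __name__ == "__main__":
    for ip, why in report().items():
        print(f"{ip}: {why}")
```

Note that 192.0.2.11 has an incomplete header after 12 seconds and is still classed as normal: the rule only fires once the 20 second header limit is exceeded, which keeps genuinely slow clients on bad links out of the blacklist. The per-IP minimum of three suspicious connections is the other guard against false positives.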
