I. Description of the vulnerability
The attacker sends an HTTP POST request that specifies a very large Content-Length, then sends the body at a very low speed, such as one byte every 10-100 s, and keeps the connection open the whole time. When the number of such client connections reaches a certain level, they consume all of the server's available connections, resulting in a denial of service (DoS).
II. Exploiting the vulnerability
Penetration tool: slowhttptest
Source: https://github.com/shekyan/slowhttptest.git
Installation process:
Switch to the directory where slowhttptest was extracted and run the following:
./configure
make
make install
Note: the development toolkit must be installed before this tool can be built; see https://www.cnblogs.com/573583868wuy/p/6799311.html
After installation is complete, use the following command to start the attack:
slowhttptest -c 1000 -B -g -o my_body_stats -i 110 -r 200 -s 8192 -t FAKEVERB -u http://mysite -x 10 -p 3
When you visit the web site again, the page loads slowly or never finishes loading, which indicates that the attack was successful.
Tool usage:
-a start  start value of the range specifier for the range header test
-b bytes  byte limit of the range specifier for the range header test
-c connections  number of connections, limited to 65539
-d host:port  direct all traffic through the web proxy at host:port
-e host:port  direct only the probe traffic through the web proxy at host:port
-H, -B, -R or -X  slow down in the headers section (-H) or in the message body (-B); -R enables the range test, -X enables the slow-read test
-g  generate statistics in CSV and HTML format; the file name pattern is slow_xxx.csv/html, where xxx is the time and date
-i seconds  interval between follow-up data, in seconds, per connection
-k pipeline factor  number of times to repeat the request in the same connection for the slow-read test, if the server supports HTTP pipelining
-l seconds  test duration in seconds
-n seconds  interval between read operations from the receive buffer
-o file  output file path and/or name, effective if -g is specified
-p seconds  timeout to wait for an HTTP response on the probe connection, after which the server is considered inaccessible
-r connections per second  connection rate
-s bytes  value of the Content-Length header, if -B is specified
-t verb  custom verb to use
-u URL  target URL, in the same format you type in a browser, e.g. https://host[:port]/
-v level  verbosity level of the log, 0-4
-w bytes  start of the range the advertised window size is picked from
-x bytes  maximum length of follow-up data
-y bytes  end of the range the advertised window size is picked from
-z bytes  number of bytes to read from the receive buffer with a single read() operation
III. The solution
Method one: limit the maximum time the web server allows for transmission of the HTTP header, modified to a maximum allowed time of
Take Tomcat as an example: open server.xml and find
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />
Change connectionTimeout="20000" to connectionTimeout="8000". The value is in milliseconds.
Method two: because Apache is vulnerable to this attack, we should take some precautions. We need to install the Apache module named mod_antiloris. The module limits the number of threads in the read state for each IP address and protects Apache from Slowloris attacks. The installation instructions are as follows:
Install httpd-devel
yum install -y httpd-devel
Install the GCC compiler
yum install gcc -y
Switch to the source directory
cd /usr/local/src/
Download the mod_antiloris module from the web
wget sourceforge.net/projects/mod-antiloris/files/mod_antiloris-0.4.tar.bz2
Extract
tar -xf mod_antiloris-0.4.tar.bz2
From the extracted source directory, call apxs to compile and install the mod_antiloris.c file
apxs -a -i -c mod_antiloris.c
Restart the httpd service
service httpd restart
Verify that the antiloris module is loaded
httpd -M | grep antiloris
Complete
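The two defences above, a time limit on the request and a per-IP cap on connections in the read state, can be modelled on a snapshot of open connections. The following is an added example, not part of the original article and not code from Tomcat or mod_antiloris; the snapshot format, the thresholds and the sample addresses are constructed assumptions.

```python
from collections import Counter
from typing import NamedTuple

# Assumed thresholds for illustration; they are not mod_antiloris or Tomcat defaults.
MAX_READING_PER_IP = 5   # cap on one IP's connections still in the read state
MIN_BODY_RATE = 50.0     # bytes/second; slower uploads count as suspicious
GRACE_SECONDS = 8.0      # mirrors the 8000 ms timeout from method one

class Conn(NamedTuple):
    ip: str
    content_length: int  # declared Content-Length
    received: int        # body bytes received so far
    age: float           # seconds since the request started

def parse(snapshot):
    """Parse 'ip content_length received age' lines (a constructed format)."""
    conns = []
    for line in snapshot.strip().splitlines():
        ip, length, received, age = line.split()
        conns.append(Conn(ip, int(length), int(received), float(age)))
    return conns

def is_slow_body(c):
    """Incomplete body, past the grace period, arriving below MIN_BODY_RATE."""
    if c.received >= c.content_length or c.age <= GRACE_SECONDS:
        return False
    return c.received / c.age < MIN_BODY_RATE

def evaluate(conns):
    """Return (slow connections, IPs over the per-IP read-state cap)."""
    reading = [c for c in conns if c.received < c.content_length]
    per_ip = Counter(c.ip for c in reading)
    over = sorted(ip for ip, n in per_ip.items() if n > MAX_READING_PER_IP)
    return [c for c in reading if is_slow_body(c)], over

# Constructed snapshot: eight trickling uploads from one address, one large but
# fast upload, one finished request, one young request inside the grace period.
SAMPLE = "\n".join(
    ["203.0.113.7 8192 3 120.0"] * 8
    + ["198.51.100.4 2000000 900000 12.0",
       "198.51.100.9 512 512 0.3",
       "192.0.2.15 4096 100 2.0"]
)

if __name__ == "__main__":
    slow, over = evaluate(parse(SAMPLE))
    print(f"slow-body connections: {len(slow)}; IPs over cap: {over}")
```

Only the trickling address is flagged by both checks; the large but fast upload and the request still inside the grace period are left alone.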
Slow HTTP Denial of Service Attack