HTTP Slowloris Denial of Service

Source: Internet
Author: User
Tags: php, multithreading

>> Reprinted from: piao2010's blog, "The Wandering Code"
>> Original article: "A 'bloodbath' triggered by a sharing session: HTTP Slowloris denial of service"

This article came out of a recent sharing session that the company's security department gave us. I had assumed it would involve something like a 0day (I -_-!), but what was actually shown was a demonstration of the HTTP slow header and HTTP slow POST attacks.

The first time I saw this attack was on the Sting's blog last year, where I only skimmed the principle. I had also seen the Sting demonstrate a similar attack in a talk at the second China Website and Industry Summit, so this session made the third time. After the session a classmate hoped to get hold of the demo tool but apparently failed, so I wanted to write one myself; anything hack-related always gets me inexplicably excited.

First, the principle behind the two attacks:
1 Slow header: a GET request deliberately does not send the complete HTTP header; it waits for a period of time and then sends the remaining portion.
2 Slow POST: a POST request declares a relatively large Content-Length and then sends the body at a very low rate, for example one byte every 10 s.
The two methods have the same goal: keep the connection held open indefinitely. When a client opens many such connections, all of the web server's available connection slots end up occupied.

Then came the implementation. I started with PHP, which I know best: create a socket connection, send part of the packet, sleep, send some more, and repeat until all of the data has been sent. Here I ran into a problem: PHP does not support multithreading, so how do you get high concurrency? Looping cannot produce the effect of concurrency. Later my classmate @heseywang suggested I use curl_multi_exec, and with that the code achieved concurrency fine; I later found that forking processes with pcntl_fork also works.
But PHP "multithreading" never felt very reassuring, so I started fiddling with Python code. The first step, establishing a socket connection and constructing the HTTP request, went smoothly. The second step was multithreading; Google showed that threading.Thread would do, and after half a day of fiddling it finally worked. However, in actual testing the number of concurrent connections across multiple threads only reached a little over 1000. Since the company's network bandwidth was certainly not the bottleneck, I tried launching the program several times at once; the test machine's load went to 850 and it stopped responding entirely (could not even SSH in). Sweat.
It seemed the only way to reach the required concurrency was to add multiple processes to the program, which took a lot more fiddling. I had not done much with processes or multithreading before, so the process part was also full of twists and turns, and it took a day before the multi-process version finally worked.
The code is fairly simple, so I will not post it; a picture is attached at the end of the article.

In the evening I borrowed a classmate's computer to do the tests, and summarized the following points:
1 HTTP slow POST: because a complete HTTP header is sent at the start, the URI must exist. If a non-existent URI is requested, Apache returns 404 immediately without waiting for you to continue sending the POST body.
2 HTTP slow header: because what is sent first is not a complete HTTP header, the URI can be anything. Apache only returns 404 after you send the final character (\n), and by then the attack has already done its work.
3 mod_evasive can only partially mitigate the two attacks; an attacker can avoid mod_evasive's defense by adjusting how often new connections are established. Likewise, lowering the Timeout parameter only alleviates the problem: if the attacker's sleep interval is shorter than Timeout, it is bypassed.

Workarounds:
1 Small websites can limit the maximum number of connections from a single IP, but that does nothing if the attacker uses a botnet (then again, a small site could not withstand a DDoS anyway, so this feels a bit moot).
2 Introduce the mod_security module; this should be the better solution. Those able to write a module themselves can do so (the key code has been published online), and a company whose web server is entirely home-grown will find it easier to solve.
3 Give up Apache and switch to Nginx.
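The post's test point 3 (an attacker sleeping just under Timeout bypasses a plain idle timeout) and workaround 1 (a per-IP connection cap) can both be expressed as a connection-table policy check. The following is an added example, not code from the original post or its author: it models a server's view of in-flight requests and applies a per-IP cap together with a read budget that grows only with bytes actually received, so trickling one byte per interval keeps the connection "not idle" but still gets it closed. The budget rule is shaped like Apache mod_reqtimeout's `RequestReadTimeout header=20-40,MinRate=500` (an Apache module that exists for exactly this purpose, though the post predates its widespread use); the `Conn` record, all threshold values and the sample connection snapshot are assumptions constructed for the demo.

```python
"""Policy check for slow-header / slow-POST style connections (added example)."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


@dataclass(frozen=True)
class Conn:
    cid: int          # server-side connection id
    ip: str           # client address
    age_s: float      # seconds since accept()
    idle_s: float     # seconds since the last request byte arrived
    bytes_rcvd: int   # request bytes received so far
    complete: bool    # request fully received (now being served)?


# Policy values: assumptions for this example, not settings from the post.
IDLE_TIMEOUT_S = 20.0   # plain idle timeout, like Apache's Timeout directive
READ_INITIAL_S = 20.0   # seconds granted up front to finish reading a request
READ_MAX_S = 40.0       # hard cap on the read budget
MIN_RATE_BPS = 500.0    # each MIN_RATE_BPS bytes received earns one more second
MAX_CONN_PER_IP = 10    # concurrent unfinished requests allowed per client IP


def read_deadline(bytes_rcvd: int) -> float:
    """Seconds a client gets to finish its request, given bytes sent so far.

    Trickling a byte every few seconds keeps idle_s small but earns almost no
    extra budget, which is what defeats the 'sleep just under Timeout' trick.
    """
    return min(READ_INITIAL_S + bytes_rcvd / MIN_RATE_BPS, READ_MAX_S)


def violation(c: Conn) -> Optional[str]:
    """Reason this single connection should be closed, or None."""
    if c.complete:
        return None            # request is in; normal processing applies
    if c.idle_s > IDLE_TIMEOUT_S:
        return "idle_timeout"
    if c.age_s > read_deadline(c.bytes_rcvd):
        return "read_budget"
    return None


def ips_over_limit(conns: Iterable[Conn]) -> Dict[str, int]:
    """Client IPs holding more unfinished requests than MAX_CONN_PER_IP."""
    counts = Counter(c.ip for c in conns if not c.complete)
    return {ip: n for ip, n in counts.items() if n > MAX_CONN_PER_IP}


def connections_to_close(conns: Iterable[Conn]) -> Dict[int, str]:
    """Map of cid -> reason for every connection the policy would drop."""
    conns = list(conns)
    over = ips_over_limit(conns)
    drop: Dict[int, str] = {}
    for c in conns:
        why = violation(c)
        if why is None and not c.complete and c.ip in over:
            why = "per_ip_limit"
        if why is not None:
            drop[c.cid] = why
    return drop


# Constructed snapshot of a server's connection table (RFC 5737 test addresses).
SAMPLE = (
    # 12 slow-header connections: a byte every ~9 s stays under the idle timeout
    # (the bypass from the post), but 30 bytes in 60 s exhausts the read budget.
    [Conn(i, "198.51.100.7", age_s=60.0, idle_s=9.0, bytes_rcvd=30, complete=False)
     for i in range(12)]
    # 11 younger connections from a second source: within budget so far, but
    # together they exceed the per-IP cap.
    + [Conn(20 + i, "198.51.100.8", age_s=15.0, idle_s=9.0, bytes_rcvd=10, complete=False)
       for i in range(11)]
    + [
        Conn(100, "203.0.113.5", 25.0, 0.2, 4000, False),    # slow upload, still within budget
        Conn(101, "203.0.113.5", 0.3, 0.3, 0, False),        # just accepted, nothing sent yet
        Conn(102, "203.0.113.9", 45.0, 0.1, 20000, False),   # steady but past the 40 s hard cap
        Conn(103, "203.0.113.9", 3.0, 3.0, 300, True),       # finished request, being served
    ]
)


if __name__ == "__main__":
    for cid, why in sorted(connections_to_close(SAMPLE).items()):
        print(f"close #{cid:<3} {why}")
    print("over per-IP limit:", ips_over_limit(SAMPLE))
```

Run as a script it lists which sample connections would be closed and why. The design point is the `read_deadline` shape: a fixed idle timeout is defeated by any client that sends one byte per interval, whereas a budget that only grows with bytes received bounds every unfinished request to `READ_MAX_S` regardless of how cleverly the client paces itself. The per-IP cap is applied as a separate reason so a defender can see which rule fired, which matters because, as the post notes, the cap alone does nothing against a distributed source.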
Figures:

Reference: "Trying Slowloris HTTP DoS": http://blog.suchasplus.com/2009/06/trying-slowloris-http-dos.html
