Slowloris
Slowloris is a piece of software written by Robert "RSnake" Hansen which allows a single machine to take down another machine's web server with minimal bandwidth and side effects on unrelated services and ports.
Slowloris tries to keep many connections to the target web server open and hold them open as long as possible. It accomplishes this by opening connections to the target web server and sending a partial request. Periodically, it will send subsequent HTTP headers, adding to—but never completing—the request. Affected servers will keep these connections open, filling their maximum concurrent connection pool, eventually denying additional connection attempts from clients.
Slowloris is different from typical denials of service in that Slowloris traffic utilizes legitimate HTTP traffic, and does not rely on using special "bad" HTTP requests that exploit bugs in specific HTTP servers. Because of this existing web application firewalls, IPS and IDS solutions that rely on signatures to detect attacks will generally not recognize Slowloris. This means that Slowloris is capable of being effective even when standard enterprise-grade IPS and IDS systems are in place.
The Raw Details
HTTP DoS Example:
./slowloris.pl -dns www.example.com
Advanced HTTP DoS:
You can tune Slowloris to use certain timeout windows. For instance, if you know that the server has a timeout of 20 seconds, but the the connection is fairly latent you may want to make the timeout window 200 seconds and increase the TCP timeout to 5 seconds. The following example uses 500 sockets. Most average Apache servers, for instance, tend to fall down between 400-600 sockets with a default configuration. Some are less than 200. The smaller the timeout the faster you will consume all the available resources as other sockets that are in use become available - this would be solved by threading, but that's for a future revision. The closer you can get to the exact number of sockets, the better, because that will reduce the amount of tries (and associated bandwidth) that Slowloris will make to be successful.
./slowloris.pl -dns www.example.com -port 80 -timeout 20 -num 500 -tcpto 5
Downloads
| Perl Source code | slowloris.pl |
| Windows Binary | slowloris.zip |
Please Note: You cannot blame me if you use this tool to attack servers you don't own and get caught. This tool is released for educational purposes only and comes with no warranty at all. A positive side effect of the hack is that the server does not crash, only the HTTP server is affected. This example perl implementation, slowloris, is able to take down an average website using only a handful of computers. Once the attack stops, the website will come back online immediately.