Slowloris DOS attack (CVE-2007-6750) with NMAP
In this post, I’m gonna show you how to find slowloris DOS attack with NMAP. Nmap (“Network Mapper”) is a free and open source utility for network discovery and security auditing. You can download the tool from the official site. The software provides a number of features for probing computer networks, including host discovery and service and operating-system detection. These features are extensible by scripts that provide more advanced service detection, vulnerability detection, and other features.
Nmap was first published in September 1997, as an article in Phrack Magazine with source-code included. With help and contributions of the computer security community, development continued.
In this post, I’m gonna show you how to find (CVE-2007-6750) with NMAP. The vulnerability was described at Defcon 17 by RSnake.
This http-slowloris-check script opens and maintains numerous ‘half-HTTP’ connections until the server runs out of resources, leading to a denial of service. When a successful attack is detected, the script stops the attack and returns these pieces of information (which may be useful to tweak further filtering rules)
- Time took until DoS
- Number of sockets used
- Number of queries sent
Below is the example of the command with nmap’s NSE script. This script tests a web server for vulnerability to the DoS attack without actually launching a DoS attack.
nmap --script http-slowloris-check <target>
You can specify custom http User-agent field with
http.useragent script argument. Now if the target is vulnerable to this attack it will show the following result
PORT STATE SERVICE REASON 80/tcp open http syn-ack | http-slowloris-check: | VULNERABLE: | Slowloris DOS attack | State: LIKELY VULNERABLE | IDs: CVE:CVE-2007-6750 | Slowloris tries to keep many connections to the target web server open and hold | them open as long as possible. It accomplishes this by opening connections to | the target web server and sending a partial request. By doing so, it starves | the http server's resources causing Denial Of Service. | | Disclosure date: 2009-09-17 | References: | http://ha.ckers.org/slowloris/ |_ http://cve.mitre.org/cgi-bin/c
Video Proof of concept (PoC) of DOS attack
By default, the script runs for 30 minutes if DoS is not achieved. Please note that the number of concurrent connexions must be defined with the
--max-parallelism option (default is 20, suggested is 400 or more) Also, be advised that in some cases this attack can bring the web server down for good, not only while the attack is running. Also, due to OS limitations, the script is unlikely to work when run from Windows.