Skip to main content

Performing a genuine slowloris attack (SlowHTTP) of indefinite length in Kali Linux


Slowloris is without a doubt, one of the favorite attacks of many white/gray/black hats, due to its simplicity and effectiveness. Let's explain quickly graphically what the attack looks like:

Slowloris Example

Unlike another tutorial about how to test if your server is vulnerable to Slowloris attacks and where we explain how this kind of attack works, this tutorial aims to be a genuine attack, this means one of those attacks that are not limited by some condition in the script, this attack will run forever if you want it (until you close the terminal that runs the attack). We recommend you to read the first article before proceeding with this one.

In this article, we will explain you how to run a Python version of a genuine Slowloris attack in Kali Linux.

1. Clone Slowloris script

Slowloris is basically an HTTP Denial of Service attack that affects threaded servers. It works like this:

  1. We start making lots of HTTP requests.
  2. We send headers periodically (every ~15 seconds) to keep the connections open.
  3. We never close the connection unless the server does so. If the server closes a connection, we create a new one keep doing the same thing.

This exhausts the servers thread pool and the server can't reply to other people. In order to run the attack, we need the logic of slowloris, however we won't write it by ourselves, instead, use the Python Slowloris implementation from an open source repository in Github. Clone the repository with the following command in some directory of your terminal:

git clone https://github.com/gkbrk/slowloris.git
 COPY SNIPPET

Then, switch from directory to the cloned one:

cd slowloris
 COPY SNIPPET

Now inside this directory we will be able to run the attack with the slowloris.py script. For more information about the Python version of the Slowloris script, please visit the official repository at Github here.

2. Performing attack

You will need Python 3.x installed on your Kali Linux system. By default, it comes installed already in Kali Linux, so we will only need to run the slowloris.py script with the following command:

python3 slowloris.py [website url] -s [number of sockets]
 COPY SNIPPET

The website URL parameter specifies the website that you want to attack, for example https://mydomain.com. The -s or --sockets parameter specifies the number of sockets that will run simultaneously from the host of the attack. Replacing the values, the command should look something similar to:

python3 slowloris.py https://mywebsite.com
 COPY SNIPPET

By default, the script runs with 150 sockets unless you specify it so, for example with 300 sockets instead:

python3 slowloris.py https://mywebsite.com -s 300
 COPY SNIPPET

The output of the attack will be the following one:

Slowloris Attack Output Python 3

As mentioned, the attack will never end unless you stop it. Remember that you only can run the attack to a website of your property or you will get in serious legal issues.

Happy pentesting !

Comments

Post a Comment

Popular posts from this blog

How to use Ngx-Charts in Angular ?

Charts helps us to visualize large amount of data in an easy to understand and interactive way. This helps businesses to grow more by taking important decisions from the data. For example, e-commerce can have charts or reports for product sales, with various categories like product type, year, etc. In angular, we have various charting libraries to create charts.  Ngx-charts  is one of them. Check out the list of  best angular chart libraries .  In this article, we will see data visualization with ngx-charts and how to use ngx-charts in angular application ? We will see, How to install ngx-charts in angular ? Create a vertical bar chart Create a pie chart, advanced pie chart and pie chart grid Introduction ngx-charts  is an open-source and declarative charting framework for angular2+. It is maintained by  Swimlane . It is using Angular to render and animate the SVG elements with all of its binding and speed goodness and uses d3 for the excellent math functio...
Post a Comment
Read more

Understand Angular’s forRoot and forChild

  forRoot   /   forChild   is a pattern for singleton services that most of us know from routing. Routing is actually the main use case for it and as it is not commonly used outside of it, I wouldn’t be surprised if most Angular developers haven’t given it a second thought. However, as the official Angular documentation puts it: “Understanding how  forRoot()  works to make sure a service is a singleton will inform your development at a deeper level.” So let’s go. Providers & Injectors Angular comes with a dependency injection (DI) mechanism. When a component depends on a service, you don’t manually create an instance of the service. You  inject  the service and the dependency injection system takes care of providing an instance. import { Component, OnInit } from '@angular/core'; import { TestService } from 'src/app/services/test.service'; @Component({ selector: 'app-test', templateUrl: './test.component.html', styleUrls: ['./test.compon...
Post a Comment
Read more

How to solve Puppeteer TimeoutError: Navigation timeout of 30000 ms exceeded

During the automation of multiple tasks on my job and personal projects, i decided to move on  Puppeteer  instead of the old school PhantomJS. One of the most usual problems with pages that contain a lot of content, because of the ads, images etc. is the load time, an exception is thrown (specifically the TimeoutError) after a page takes more than 30000ms (30 seconds) to load totally. To solve this problem, you will have 2 options, either to increase this timeout in the configuration or remove it at all. Personally, i prefer to remove the limit as i know that the pages that i work with will end up loading someday. In this article, i'll explain you briefly 2 ways to bypass this limitation. A. Globally on the tab The option that i prefer, as i browse multiple pages in the same tab, is to remove the timeout limit on the tab that i use to browse. For example, to remove the limit you should add: await page . setDefaultNavigationTimeout ( 0 ) ;  COPY SNIPPET The setDefaultNav...
Post a Comment
Read more