slowHTTPtest attack and remediation


Date: 2018-05-28 11:41:59
Author: Bay0net
Description: Learn how the slowHTTPtest attack works and how to defend against it.


0x01 Installation

Download Link
https://github.com/shekyan/slowhttptest

Installation instructions
https://github.com/shekyan/slowhttptest/wiki/InstallationAndUsage

From source:

git clone https://github.com/shekyan/slowhttptest
cd slowhttptest
./configure
make

MAC:
brew update && brew install slowhttptest

0x02 Attack modes

A server normally starts processing a request only after it has received the whole request. If an attacker sends the request slowly, or never finishes sending it, the server keeps the connection open and that connection occupies a slot in its resource pool. With enough such requests the pool is exhausted and the result is a denial of service (DoS).

2.1 The attack modes

1. slowloris: a complete HTTP request ends with \r\n\r\n. The attack sends only a single \r\n, then keeps sending small fragments of \r\n at intervals, so the server never sees the end of the request and keeps waiting until its timeout expires.

slowhttptest -c 1000 -H -g -o my_header_stats -i 10 -r 200 -t GET -u "url" -x 24 -p 3

2. slow POST: declare a large Content-Length, then send the body very slowly, so the server keeps waiting for the rest of the body.

slowhttptest -c 3000 -B -g -o my_body_stats -i 110 -r 200 -s 8192 -t FAKEVERB -u "url" -x 10 -p 3

3. slow read: send the server a normal, legitimate request for a large file, but advertise a very small TCP receive window. The server has to cut the file into window-sized pieces and hold the response in memory for a long time, consuming resources.

slowhttptest -c 8000 -X -r 200 -w 512 -y 1024 -n 5 -z 32 -k 3 -u "url" -p 3

4. Range Header test: put a large number of ranges in the HTTP Range header, so that the server splits a small file into many fragments and compresses each fragment separately. The per-fragment compression consumes a lot of server resources and results in a DoS.

slowhttptest -R -u "url" -t HEAD -c 1000 -a 10 -b 3000 -r 500

5. Using a proxy during testing

slowhttptest -c 1000 -X -r 1000 -w 10 -y 20 -n 5 -z 32 -u url -p 5 -l 350 -e lhost:lport

2.2 Parameter description

 -g      after the test completes, write CSV and HTML statistics files named with a timestamp
 -H      SlowLoris mode
 -B      Slow POST mode
 -R      Range Header mode
 -X      Slow Read mode
 -c      number of connections   connections to open during the test
 -d      HTTP proxy host:port    proxy for all connections
 -e      HTTP proxy host:port    proxy for the probe connection only
 -i      seconds                 in slowloris and Slow POST modes, interval between follow-up data sends
 -l      seconds                 how long the test runs
 -n      seconds                 in Slow Read mode, interval between read operations
 -o      file name               output file name when -g is used
 -p      seconds                 how long to wait before declaring the DoS successful
 -r      connections per second  connection rate
 -s      bytes                   value declared in the Content-Length header
 -t      HTTP verb               verb to use in requests, default GET
 -u      URL                     target URL
 -v      level                   log verbosity
 -w      bytes                   lower bound of the TCP window range in slow read mode
 -x      bytes                   in slowloris and Slow POST modes, maximum length of each follow-up data chunk
 -y      bytes                   upper bound of the TCP window range in slow read mode
 -z      bytes                   bytes to read from the buffer on each read()

0x03 Related netstat operations

Count all connections to port 80 (any state)
netstat -ant | grep $ip:80 | wc -l

Count the currently established connections to port 80
netstat -ant | grep $ip:80 | grep EST | wc -l
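The two netstat pipelines above give a single total. During a slow HTTP attack the telling signal is how many established connections a single client holds, which is also what the iptables connlimit rule later in this post enforces. The script below is an added example for this post, not part of the original; it parses netstat -ant style output, counts ESTABLISHED connections to local port 80 per remote address, and flags clients above a limit of 20. The netstat lines it runs on are constructed, not captured from a real server.

```python
"""Per-client count of established connections to port 80 from netstat -ant output.

Added example for this post. The sample netstat rows are constructed.
"""
from collections import Counter

# Constructed sample: one client holding 25 slow connections, another holding 3,
# plus unrelated rows (SSH, TIME_WAIT, LISTEN) that the filter must ignore.
SAMPLE_NETSTAT = "Proto Recv-Q Send-Q Local Address           Foreign Address         State\n"
SAMPLE_NETSTAT += "".join(
    f"tcp        0      0 10.0.0.5:80             203.0.113.7:{51000 + i}       ESTABLISHED\n"
    for i in range(25)
)
SAMPLE_NETSTAT += "".join(
    f"tcp        0      0 10.0.0.5:80             192.0.2.44:{33000 + i}        ESTABLISHED\n"
    for i in range(3)
)
SAMPLE_NETSTAT += (
    "tcp        0      0 10.0.0.5:22             198.51.100.9:40000      ESTABLISHED\n"
    "tcp        0      0 10.0.0.5:80             192.0.2.44:33099        TIME_WAIT\n"
    "tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN\n"
)


def split_endpoint(endpoint):
    """Split 'host:port' into (host, port); rpartition keeps IPv6 hosts intact."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def parse_netstat(text):
    """Return (local_host, local_port, remote_host, state) for each tcp row."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue  # header line, udp rows, or malformed input
        local_host, local_port = split_endpoint(fields[3])
        remote_host, _ = split_endpoint(fields[4])
        rows.append((local_host, local_port, remote_host, fields[5]))
    return rows


def established_per_client(rows, local_port="80"):
    """Count ESTABLISHED connections to local_port, keyed by remote address."""
    counts = Counter()
    for _, lport, remote, state in rows:
        if lport == local_port and state == "ESTABLISHED":
            counts[remote] += 1
    return counts


def clients_over_limit(counts, limit=20):
    """Clients holding more than `limit` connections, busiest first.

    20 is the per-IP threshold used by the iptables connlimit rule in this post.
    """
    return [(ip, n) for ip, n in counts.most_common() if n > limit]


if __name__ == "__main__":
    counts = established_per_client(parse_netstat(SAMPLE_NETSTAT))
    print("established on :80 =", sum(counts.values()))
    for ip, n in clients_over_limit(counts):
        print(f"{ip} holds {n} connections (over limit)")
```

On a real host, feed it the output of `netstat -ant` (or `ss -ant`, whose columns differ slightly) instead of the constructed sample; the total matches the post's grep pipeline, and the per-client breakdown shows whether the load comes from many clients or from a few holding connections open.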

0x04 Remediation

XAMPP configuration path

/opt/lampp/etc/httpd.conf
/opt/lampp/etc/original/httpd.conf
/opt/lampp/apache2/conf/httpd.conf

Method 1: Enable the Apache module reqtimeout_module

In the configuration file this module is enabled by default:
LoadModule reqtimeout_module modules/mod_reqtimeout.so

Then add the following to httpd.conf:

<IfModule reqtimeout_module>
    RequestReadTimeout header=5-40,MinRate=500 body=20,MinRate=500
</IfModule>
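To see why this setting stops slowloris without cutting off ordinary clients, the following added example (written for this post; not Apache code) models the documented behaviour of `header=5-40,MinRate=500` in simplified form: the client gets an initial 5 s deadline for the headers, every 500 bytes received extends the deadline by 1 s, and the deadline never exceeds 40 s from the start. The traffic patterns it checks are constructed; how the real module schedules its timer is an assumption of the model.

```python
"""Simplified model of Apache mod_reqtimeout's RequestReadTimeout rule.

Added example for this post, not code from Apache or slowhttptest. Event timing
is modelled as: a chunk arriving after the current deadline closes the connection.
"""


def deadline(bytes_so_far, initial, maximum, min_rate):
    """Seconds from connection start by which the next data must arrive.

    initial: base timeout; each min_rate bytes already received adds 1 s;
    maximum: hard cap (None = no cap, as for the body=20 part of the rule).
    """
    extended = initial + bytes_so_far // min_rate
    return extended if maximum is None else min(extended, maximum)


def survives(events, initial=5, maximum=40, min_rate=500):
    """True if every chunk arrives before the deadline in force at that moment.

    events: list of (arrival_time_seconds, chunk_bytes) in arrival order.
    Defaults correspond to header=5-40,MinRate=500.
    """
    received = 0
    for t, n in events:
        if t > deadline(received, initial, maximum, min_rate):
            return False  # the module closes the connection here
        received += n
    return True


def slow_client(chunk_bytes, interval_s, chunks):
    """Constructed traffic: `chunks` pieces of `chunk_bytes`, one every `interval_s`."""
    return [((i + 1) * interval_s, chunk_bytes) for i in range(chunks)]


# slowloris-style: a few header bytes every 10 s; the first chunk already misses the 5 s deadline
SLOWLORIS = slow_client(chunk_bytes=4, interval_s=10, chunks=5)
# well-behaved browser: the whole header in one 800-byte chunk after 0.2 s
NORMAL = [(0.2, 800)]
# slow link but above MinRate: 600 B/s keeps extending the deadline for 30 s
SLOW_BUT_OK = slow_client(chunk_bytes=600, interval_s=1, chunks=30)
# same rate for 45 s runs into the 40 s hard cap on the header phase
SLOW_TOO_LONG = slow_client(chunk_bytes=600, interval_s=1, chunks=45)

if __name__ == "__main__":
    for name, events in [("slowloris", SLOWLORIS), ("normal", NORMAL),
                         ("slow but ok", SLOW_BUT_OK), ("slow too long", SLOW_TOO_LONG)]:
        print(f"{name:14s} survives={survives(events)}")
```

The body part of the rule (`body=20,MinRate=500`) has no upper bound, so a large upload at a reasonable rate is never cut off, while a slow POST that trickles a few bytes every few seconds misses its 20 s deadline just as the header case does; pass `initial=20, maximum=None` to `survives` to model it.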

Then run the attack again and compare the tool's report.

Two additional modules, mod_qos and mod_security, can also be installed. Example mod_qos configuration:

<IfModule mod_qos.c>
 # handle connections from up to 100000 different IPs
 QS_ClientEntries 100000
 # allow only 50 connections per IP
 QS_SrvMaxConnPerIP 50
 # limit maximum number of active TCP connections limited to 256
 MaxClients 256
 # disables keep-alive when 180 (70%) TCP connections are occupied
 QS_SrvMaxConnClose 180
 # minimum request/response speed (deny slow clients blocking the server, keeping connections open without requesting anything)
 QS_SrvMinDataRate 150 1200
</IfModule>

Method 2: Allow each client IP to open only 20 connections (iptables)

iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 -j REJECT --reject-with tcp-reset

Count the established connections
netstat -ant | grep $ip:80 | grep EST | wc -l

The iptables rule takes effect immediately. When the tool is run again it may still report the attack as successful, because the attacking host can only establish 20 connections to the server; once it tries to go beyond 20 connections, its probe reports the service as unavailable.

Connections established on the server:

Fix 3: Tomcat

Modify the Tomcat timeout in server.xml.
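The post does not show the edited element. As an added illustration (not the post's own configuration), the timeout in question lives on the Connector element in conf/server.xml; its connectionTimeout attribute is the number of milliseconds the connector waits after accepting a connection for the request line to arrive. The port and the 8000 ms value below are constructed sample values, not a recommendation for any particular site.

```xml
<!-- Constructed example of a Tomcat HTTP Connector in conf/server.xml.
     connectionTimeout is in milliseconds; the shipped default configuration
     uses 20000. A lower value frees connections held by slow clients sooner,
     at the cost of cutting off genuinely slow links. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="8000"
           redirectPort="8443" />
```

Restart Tomcat after the change so the connector picks up the new value.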

After the modification, the attacker's view is as follows:

The fix takes effect immediately, and the attack has essentially no effect on the server.

Fix 4: WebLogic

Modify two parameters in the administration console.

References

How To Mitigate Slow HTTP DoS Attacks in Apache HTTP Server (Acunetix)

HTTP Slow Attack: Apache DoS vulnerability, background and fix (Anda Shu, cnblogs)

Source: www.cnblogs.com/v1vvwv/p/slowHTTPtest-attack-and-defense.html