I think you are right Andres, that is a good check to make with the ID. Apache in specific the default is 5 minutes, which I personally consider to be too long. I believe that the plug-in should check not only for the amount of time of the connection but also for the server banner to see if it is one of the different types of servers affected. I covered this in the Pauldotcom podcast and on the WhitehatWorld webcast last week. Here is some of the info I presented on this:

- First covered in 2005 in Apache Security under "Programming Model Attacks"
- The attack was also described by Adrian Ilarion Ciobanu in an Email to Bugtraq in 2007
- 2009: Rsnake releases the first public tool, called slowloris, at http://ha.ckers.org/slowloris/
- Servers Affected:
  - Apache 1.x, Apache 2.x, dhttpd, GoAhead WebServer, Squid, others...
- Not Affected:
  - IIS6.0, IIS7.0, lighttpd, nginx, Cherokee, others...
- The TimeOut Directive, described at http://httpd.apache.org/docs/2.2/mod/core.html#timeout : change from 5 minutes to a lower value (10 seconds, 30 seconds.. Test!) (This is what I was referring to, mOses)
- Use a module, such as mod_limitipconn, to limit the number of connections from one IP address
- Monitor your connections for spikes in activity and large amounts of sessions from a single source.

For those that are behind a Cisco CSS the content switch will mitigate the attack. http://www.cupfighter.net/index.php/2009/06/slowloris-css/

Larry from Pauldotcom has been testing some embedded devices and he might share other devices that are affected.

On Sun, Jun 28, 2009 at 10:27 AM, Andres Riancho <[email protected]> wrote:
> mOses,
>
> On Fri, Jun 26, 2009 at 9:36 PM, mOses <[email protected]> wrote:
>>
>> On Jun 26, 2009, at 7:51 PM, Jeremy Richards wrote:
>>
>>> Hello,
>>>
>>> I think that it should be possible to write some form of signature to
>>> detect this without actually performing a DoS. First, it should be
>>> mentioned that the check would not determine the specific vulnerable
>>> application but the underlying architecture issue.
>>>
>>> To summarize the attack (please correct me if I'm wrong!):
>>> Create a sufficiently large number of open HTTP connections to saturate
>>> the connection pool. This results in the DoS condition (until connections
>>> time out). This is not a TCP/IP layer attack but an application layer
>>> attack.
>>>
>>> If one was able to open (and keep open) a safe number of connections for a
>>> specified threshold, one may be able to determine the existence of the flaw.
>>> This would require additional testing and research of course.
>>>
>>
>> This is a rather interesting possibility, the only question I have is, how can
>> you tell that your session is still 'active' if you are not communicating
>> with it at all?
>
> POST /index.php HTTP/1.1
> Content-Length: 20
>
> 0987654321<wait 40 seconds>0987654321
>
> If you get an answer, then the connection was kept alive for at least
> 40 seconds, right?
>
> Cheers,
>
>>> Jeremy
>>>
>>> On Fri, Jun 26, 2009 at 5:54 PM, Andres Riancho <[email protected]> wrote:
>>> Carlos,
>>>
>>> On Fri, Jun 26, 2009 at 6:17 PM, Carlos perez <[email protected]> wrote:
>>> > Slowloris is part of the architecture of apache not a bug so the only
>>> > way to check if an admin took preventive measures for his specific environment
>>> > would be to check the apache.conf file
>>>
>>> But if the admin took preventive measures, can't I test it using black
>>> box?
>>>
>>> > Sent from my iPhone
>>> >
>>> > On Jun 26, 2009, at 3:25 PM, Andres Riancho <[email protected]> wrote:
>>> >
>>> >> List,
>>> >>
>>> >> Does anyone know if it's possible to test for the "slowloris
>>> >> vulnerability" [0] without DoS'ing the web server? I was thinking
>>> >> that if that was possible, we could add it to w3af. Someone already
>>> >> did something in python [1], so it shouldn't be hard to add it to
>>> >> w3af.
>>> >>
>>> >> [0] http://ha.ckers.org/slowloris/
>>> >> [1] http://motomastyle.com/pyloris-a-python-implementation-of-slowloris/
>>> >>
>>> >> Cheers,
>>> >> --
>>> >> Andrés Riancho
>>> >> Founder, Bonsai - Information Security
>>> >> http://www.bonsai-sec.com/
>>> >> http://w3af.sf.net/
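The single-connection check Andres sketches above (announce Content-Length 20, send 10 bytes, stay silent, send the other 10, see whether an answer still comes back) is small enough to write out in full. The following is an added example, not code from the thread or from w3af: `connection_survives_idle()` runs that probe over one TCP connection, and `serve_with_timeout()` is a constructed stand-in server whose per-recv timeout imitates Apache's TimeOut directive, so the whole thing runs offline. Host, port, path and the timing values are assumptions for the demonstration.

```python
"""Single-connection idle-timeout probe (the check discussed in the thread),
plus a minimal local server that mimics Apache's TimeOut so it runs offline.
Added example; not part of w3af or of the mailing-list thread."""
import socket
import threading
import time


def serve_with_timeout(idle_timeout: float) -> tuple:
    """Start a tiny HTTP-ish server on 127.0.0.1 (constructed stand-in).
    Like Apache's TimeOut, it drops a connection that sends nothing for
    `idle_timeout` seconds while the request body is still incomplete.
    Returns (port, stop_event)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)          # lets the accept loop notice stop_event
    stop = threading.Event()

    def handle(conn: socket.socket) -> None:
        conn.settimeout(idle_timeout)   # the "TimeOut" of this server
        buf = b""
        try:
            while b"\r\n\r\n" not in buf:          # read the header block
                chunk = conn.recv(4096)
                if not chunk:
                    return
                buf += chunk
            head, body = buf.split(b"\r\n\r\n", 1)
            length = 0
            for line in head.split(b"\r\n"):
                if line.lower().startswith(b"content-length:"):
                    length = int(line.split(b":", 1)[1].strip())
            while len(body) < length:                # wait for the rest of the body
                chunk = conn.recv(4096)              # raises socket.timeout if client is silent
                if not chunk:
                    return
                body += chunk
            conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n"
                         b"Connection: close\r\n\r\nok")
        except socket.timeout:
            pass   # idle too long: drop it, as Apache does when TimeOut expires
        finally:
            conn.close()

    def loop() -> None:
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            threading.Thread(target=handle, args=(conn,), daemon=True).start()
        srv.close()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1], stop


def connection_survives_idle(host: str, port: int, idle_seconds: float,
                             path: str = "/index.php") -> bool:
    """The probe from the thread: POST with Content-Length 20, send the first
    10 bytes, stay silent for idle_seconds, send the last 10 bytes and report
    whether the server still answers. One connection, so it is not a DoS."""
    half = b"0987654321"
    request = (f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
               "Content-Length: 20\r\nConnection: close\r\n\r\n").encode()
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(request + half)
        time.sleep(idle_seconds)
        try:
            s.sendall(half)                # if the server already closed, this or the
            reply = s.recv(1024)           # following recv fails or returns b""
        except OSError:
            return False
    return reply.startswith(b"HTTP/1.1 200")


if __name__ == "__main__":
    # Server tolerating 5 s of silence vs. a probe idling 0.5 s: connection survives.
    port, stop = serve_with_timeout(5.0)
    print("lenient server, 0.5 s idle:", connection_survives_idle("127.0.0.1", port, 0.5))
    stop.set()
    # Server with a 0.5 s timeout vs. a probe idling 1.5 s: connection is dropped.
    port, stop = serve_with_timeout(0.5)
    print("strict server, 1.5 s idle:", connection_survives_idle("127.0.0.1", port, 1.5))
    stop.set()
```

Run it against your own server with `idle_seconds` set just above the TimeOut you configured: a `False` confirms the lowered value is in effect, a `True` means idle half-finished requests are still being held open for at least that long. Because only one connection is held, nothing is saturated. As Carlos notes for the Cisco CSS case, a content switch or reverse proxy in front of the web server will answer (or drop) on its behalf, so the probe reports the behaviour of whatever terminates the TCP connection, not necessarily Apache's own TimeOut.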
------------------------------------------------------------------------------
_______________________________________________
W3af-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/w3af-users
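Carlos's last mitigation point, monitoring for large numbers of sessions from a single source, can be scripted from the socket table. The following is an added example, not code from the thread or from w3af: it parses output in the column layout of `ss -tn` (State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port), counts ESTABLISHED connections to the web ports per peer address, and flags peers above a threshold. The sample lines are constructed, and the threshold of 5 is an assumption; pick one that matches your mod_limitipconn setting or normal traffic.

```python
"""Per-source session counting from `ss -tn`-style output.
Added example (not from the thread or w3af); sample lines are constructed."""
from collections import Counter

WEB_PORTS = {80, 443}

# Constructed sample in the `ss -tn` column layout; 198.51.100.7 holds six
# connections to port 80, 203.0.113.20 holds two, 192.0.2.44 is an SSH session.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
ESTAB  0      0      10.0.0.5:80         198.51.100.7:51234
ESTAB  0      0      10.0.0.5:80         198.51.100.7:51235
ESTAB  0      0      10.0.0.5:80         198.51.100.7:51236
ESTAB  0      0      10.0.0.5:80         198.51.100.7:51237
ESTAB  0      0      10.0.0.5:80         198.51.100.7:51238
ESTAB  0      0      10.0.0.5:80         198.51.100.7:51239
ESTAB  0      0      10.0.0.5:443        203.0.113.20:44010
ESTAB  0      0      10.0.0.5:443        203.0.113.20:44011
TIME-WAIT 0   0      10.0.0.5:80         203.0.113.20:44009
ESTAB  0      0      10.0.0.5:22         192.0.2.44:40001
ESTAB  0      0      [2001:db8::5]:80    [2001:db8::99]:50001
"""


def split_host_port(addr: str) -> tuple:
    """Split 'host:port', tolerating bracketed IPv6 literals like '[::1]:80'."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), int(port)


def sessions_per_source(ss_output: str, web_ports=WEB_PORTS) -> Counter:
    """Count ESTABLISHED connections to the web ports, keyed by peer address."""
    counts = Counter()
    for line in ss_output.splitlines()[1:]:       # skip the header row
        fields = line.split()
        if len(fields) < 5 or fields[0] != "ESTAB":
            continue
        _, local_port = split_host_port(fields[3])
        peer_host, _ = split_host_port(fields[4])
        if local_port in web_ports:
            counts[peer_host] += 1
    return counts


def suspicious_sources(counts: Counter, threshold: int) -> list:
    """Peers holding more than `threshold` web sessions, most first."""
    flagged = [(ip, n) for ip, n in counts.items() if n > threshold]
    return sorted(flagged, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    counts = sessions_per_source(SAMPLE_SS_OUTPUT)
    print("web sessions in total:", sum(counts.values()))
    for ip, n in suspicious_sources(counts, threshold=5):
        print(f"{ip} holds {n} web sessions (over threshold)")
```

Run periodically (for example from cron, piping real `ss -tn` output into `sessions_per_source`) and keep the totals, so a sudden rise in the overall count gives the "spike in activity" signal and the per-source list gives the "many sessions from one address" signal from the same snapshot.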
