SlowHTTPTest is a highly configurable tool that simulates some Application Layer Denial of Service attacks. It works on majority of Linux platforms, OSX and Cygwin – a Unix-like environment and command-line interface for Microsoft Windows.
It implements most common low-bandwidth Application Layer DoS attacks, such as slowloris, Slow HTTP POST, Slow Read attack (based on TCP persist timer exploit) by draining concurrent connections pool, as well as Apache Range Header attack by causing very significant memory and CPU usage on the server.
Slowloris and Slow HTTP POST DoS attacks rely on the fact that the HTTP protocol, by design, requires requests to be completely received by the server before they are processed. If an HTTP request is not complete, or if the transfer rate is very low, the server keeps its resources busy waiting for the rest of the data. If the server keeps too many resources busy, this creates a denial of service. This tool is sending partial HTTP requests, trying to get denial of service from target HTTP server.
Slow Read DoS attack aims the same resources as slowloris and slow POST, but instead of prolonging the request, it sends legitimate HTTP request and reads the response slowly.
Installation for Kali Linux users
For Kali Linux users, install via apt-get .. (life is good!)
root@kali:~# apt-get install slowhttptest Reading package lists... Done Building dependency tree Reading state information... Done The following NEW packages will be installed: slowhttptest 0 upgraded, 1 newly installed, 0 to remove and 25 not upgraded. Need to get 29.6 kB of archives. After this operation, 98.3 kB of additional disk space will be used. Get:1 http://http.kali.org/kali/ kali/main slowhttptest amd64 1.6-1kali1 [29.6 kB] Fetched 29.6 kB in 1s (21.8 kB/s) Selecting previously unselected package slowhttptest. (Reading database ... 376593 files and directories currently installed.) Unpacking slowhttptest (from .../slowhttptest_1.6-1kali1_amd64.deb) ... Processing triggers for man-db ... Setting up slowhttptest (1.6-1kali1) ... root@kali:~#
For other Linux distributions
The tool is distributed as portable package, so just download the latest tarball from Downloads section, extract, configure, compile, and install:
$ tar -xzvf slowhttptest-x.x.tar.gz $ cd slowhttptest-x.x $ ./configure --prefix=PREFIX $ make $ sudo make install
Where PREFIX must be replaced with the absolute path where slowhttptest tool should be installed.
You need libssl-dev to be installed to successfully compile the tool. Most systems would have it.
Mac OS X
brew update && brew install slowhttptest
Try your favorite package manager, some of them are aware of slowhttptest (Like Kali Linux).
slowhttptest is a great tool as it allows you to do many things. Following are few usages
Example of usage in slow message body mode
slowhttptest -c 1000 -B -i 110 -r 200 -s 8192 -t FAKEVERB -u https://myseceureserver/resources/loginform.html -x 10 -p 3
Same test with graph
slowhttptest -c 1000 -B -g -o my_body_stats -i 110 -r 200 -s 8192 -t FAKEVERB -u https://myseceureserver/resources/loginform.html -x 10 -p 3
Example of usage in slowloris mode
slowhttptest -c 1000 -H -i 10 -r 200 -t GET -u https://myseceureserver/resources/index.html -x 24 -p 3
Same test with graph
slowhttptest -c 1000 -H -g -o my_header_stats -i 10 -r 200 -t GET -u https://myseceureserver/resources/index.html -x 24 -p 3
Example of usage in slow read mode with probing through proxy
Here x.x.x.x:8080 proxy used to have website availability from IP different than yours:
slowhttptest -c 1000 -X -r 1000 -w 10 -y 20 -n 5 -z 32 -u http://someserver/somebigresource -p 5 -l 350 -e x.x.x.x:8080
Depends on verbosity level, output can be either as simple as heartbeat message generated every 5 seconds showing status of connections with verbosity level 1, or full traffic dump with verbosity level 4.
-g option would generate both CSV file and interactive HTML based on Google Chart Tools.
Here is a sample screenshot of generated HTML page
that contains graphically represented connections states and server availability intervals, and gives the picture on how particular server behaves under specific load within given time frame.
CSV file can be used as data source for your favorite chart building tool, like MS Excel, iWork Numbers, or Google Docs.
Last message you’ll see is the exit status that hints for possible possible program termination reasons:
|“Hit test time limit”||program reached the time limit specified with -l argument|
|“No open connections left”||peer closed all connections|
|“Cannot establish connection”||no connections were established during first N seconds of the test, where N is either value of -i argument, or 10, if not specified. This would happen if there is no route to host or remote peer is down|
|“Connection refused”||remote peer doesn’t accept connections (from you only? Use proxy to probe) on specified port|
|“Cancelled by user”||you pressed Ctrl-C or sent SIGINT in some other way|
|“Unexpected error”||should never happen|
Sample output for a real test
I’ve done this test in a sample server and this is what I’ve seen from both attacking and victim end.