22 lines
1.6 KiB
Plaintext
22 lines
1.6 KiB
Plaintext
|
SlowHTTPTest is a highly configurable tool that simulates some Application Layer Denial of Service attacks.
|
||
|
|
It works on majority of Linux platforms, OSX and Cygwin - a Unix-like environment and command-line interface
|
||
|
|
for Microsoft Windows.
|
||
|
|
|
||
|
|
It implements most common low-bandwidth Application Layer DoS attacks, such as slowloris, Slow HTTP POST,
|
||
|
|
Slow Read attack (based on TCP persist timer exploit) by draining concurrent connections pool, as well
|
||
|
|
as Apache Range Header attack by causing very significant memory and CPU usage on the server.
|
||
|
|
|
||
|
|
Slowloris and Slow HTTP POST DoS attacks rely on the fact that the HTTP protocol, by design, requires
|
||
|
|
requests to be completely received by the server before they are processed. If an HTTP request is not
|
||
|
|
complete, or if the transfer rate is very low, the server keeps its resources busy waiting for the
|
||
|
|
rest of the data. If the server keeps too many resources busy, this creates a denial of service.
|
||
|
|
This tool is sending partial HTTP requests, trying to get denial of service from target HTTP server.
|
||
|
|
|
||
|
|
Slow Read DoS attack aims the same resources as slowloris and slow POST, but instead of prolonging
|
||
|
|
the request, it sends legitimate HTTP request and reads the response slowly.
|
||
|
|
|
||
|
|
DISCLAIMER: Keep in mind that slowhttptest is of little use as a script kiddie tool. It cannot
|
||
|
|
be pointed blindly at arbitrary targets, like e.g. LOIC. Rather, where it excels is in its
|
||
|
|
breadth of attack options, high customizability and its in-depth analytics. As such, it will be
|
||
|
|
mostly useful for server administrators trying to stress test their systems.
|