34 lines
1.6 KiB
Plaintext
34 lines
1.6 KiB
Plaintext
slowhttptest (stress testing tool/DoS simulator)
|
|
|
|
SlowHTTPTest is a highly configurable tool that simulates some Application
|
|
Layer Denial of Service attacks. It works on majority of Linux platforms,
|
|
OSX and Cygwin - a Unix-like environment and command-line interface for
|
|
Microsoft Windows.
|
|
|
|
It implements most common low-bandwidth Application Layer DoS attacks,
|
|
such as slowloris, Slow HTTP POST, Slow Read attack (based on TCP persist
|
|
timer exploit) by draining concurrent connections pool, as well as Apache
|
|
Range Header attack by causing very significant memory and CPU usage on
|
|
the server.
|
|
|
|
Slowloris and Slow HTTP POST DoS attacks rely on the fact that the HTTP
|
|
protocol, by design, requires requests to be completely received by the
|
|
server before they are processed. If an HTTP request is not complete,
|
|
or if the transfer rate is very low, the server keeps its resources busy
|
|
waiting for the rest of the data. If the server keeps too many resources
|
|
busy, this creates a denial of service.
|
|
|
|
This tool is sending partial HTTP requests, trying to get denial of
|
|
service from target HTTP server.
|
|
|
|
Slow Read DoS attack aims the same resources as slowloris and slow POST,
|
|
but instead of prolonging the request, it sends legitimate HTTP request
|
|
and reads the response slowly.
|
|
|
|
DISCLAIMER: Keep in mind that slowhttptest is of little use as a
|
|
script kiddie tool. It cannot be pointed blindly at arbitrary targets,
|
|
like e.g. LOIC. Rather, where it excels is in its breadth of attack
|
|
options, high customizability and its in-depth analytics. As such, it
|
|
will be mostly useful for server administrators trying to stress test
|
|
their systems.
|