<?xml version="1.0"?>
<rss version="2.0">
	<channel>
		<title>MotomaSTYLE</title>
		<link>http://motomastyle.com/home/</link>
		

		
		<item>
			<title>Comment by 'Motoma' on PyLoris: A Python implementation of Slowloris</title>
			<link>http://motomastyle.com/pyloris-a-python-implementation-of-slowloris/#PageComment_41</link>
			<description>Hi rabun,

I think it is highly unlikely that my meager Python script will be able to emulate 3 million TCP connections unless it is over a significant amount of time.

However, I may be able to help you out with your problem. If you would like to contact me directly, my email address is motoma at gmail.

Cheers,
Motoma</description>
			<pubDate>Fri, 02 Oct 2009 09:52:33 -0400</pubDate>
			<author>Motoma</author>
			<guid>http://motomastyle.com/pyloris-a-python-implementation-of-slowloris/#PageComment_41</guid>
		</item>
		
		<item>
			<title>Comment by 'rabun' on PyLoris: A Python implementation of Slowloris</title>
			<link>http://motomastyle.com/pyloris-a-python-implementation-of-slowloris/#PageComment_40</link>
			<description>Can it stress test a 3 million connection DoS attack? My mate is facing such challenges, so we will enhance defense and try it.</description>
			<pubDate>Fri, 02 Oct 2009 01:37:44 -0400</pubDate>
			<author>rabun</author>
			<guid>http://motomastyle.com/pyloris-a-python-implementation-of-slowloris/#PageComment_40</guid>
		</item>
		
		<item>
			<title>Comment by 'Motoma' on PyLoris: A Python implementation of Slowloris</title>
			<link>http://motomastyle.com/pyloris-a-python-implementation-of-slowloris/#PageComment_37</link>
			<description>Hi zion,

The time it takes for all connections to be used up depends on your web server's configuration. The more connections you allow, the longer the attack will take, in general.

However, if you have no mitigation for a TCP flood, this attack can be successful in seconds. PyLoris gives the user the ability to fine tune the way the attack plays out, meaning it can toss out 500 connections per second, or use up only one new connection every hour. This makes the tool very difficult to reliably block with IPS alone.

If you have more questions regarding PyLoris and mitigating the attack, you are welcome to contact me via email: motoma at gmail.

Cheers,
Motoma</description>
			<pubDate>Thu, 23 Jul 2009 05:20:08 -0400</pubDate>
			<author>Motoma</author>
			<guid>http://motomastyle.com/pyloris-a-python-implementation-of-slowloris/#PageComment_37</guid>
		</item>
		
		<item>
			<title>Comment by 'zion' on PyLoris: A Python implementation of Slowloris</title>
			<link>http://motomastyle.com/pyloris-a-python-implementation-of-slowloris/#PageComment_36</link>
			<description>Hello,

Would you be able to give an estimate of how long it would take before all the connections are used up?  Like a few minutes, or a few hours... (not counting the wait for other people to get off the site)

Regards.</description>
			<pubDate>Wed, 22 Jul 2009 19:27:02 -0400</pubDate>
			<author>zion</author>
			<guid>http://motomastyle.com/pyloris-a-python-implementation-of-slowloris/#PageComment_36</guid>
		</item>
		
		<item>
			<title>Comment by 'Motoma' on PyLoris: A Python implementation of Slowloris</title>
			<link>http://motomastyle.com/pyloris-a-python-implementation-of-slowloris/#PageComment_31</link>
			<description>Hello again James,

You are right to question the viability of the code; I wrote it hastily and it needed a lot of work. I went through the code yesterday and updated the threading model, allowed threads to make multiple connections, and reduced the memory footprint to 10% of its original. Please download the new code and try it out; let me know how it works and if you have any problems, tell me the command line arguments you were using.

The reason why you are not seeing any reaction from your web server is because the circuits.web test server does not impose any limitation on the clients. You see, to avoid overflowing the system's memory, the Apache Pre-Fork MPM requires you to limit the total number of connections; each connection spawns a new thread, and if it were not this way the server could bog down and crash quite quickly. Typically this is no problem because requests are handled in milliseconds; however, my code exploits that very setting. Once all connections are used up, Apache will neglect any connection requests, and being well within the hardware limitations, no other processes will be affected.

Many web servers do not restrict connections; rather, they will limit the total memory usage to prevent other processes from starving. This attack does not work well against those servers.

What kind of configuration does your web server perform? If it is connection based, you can use my new code set to thousands of connections against it. If it is memory based, you can ramp up the bandwidth and increase the payload size and try to overwhelm the OS. If neither of these works you can look up the maximum number of file descriptors for your OS (cat /proc/sys/fs/file-max), and use the multiple connections per thread setting to blow that number away.

I would be eager to hear about your results.

Cheers,
Motoma</description>
			<pubDate>Tue, 23 Jun 2009 05:22:45 -0400</pubDate>
			<author>Motoma</author>
			<guid>http://motomastyle.com/pyloris-a-python-implementation-of-slowloris/#PageComment_31</guid>
		</item>
		
		<item>
			<title>Comment by 'James Mills' on PyLoris: A Python implementation of Slowloris</title>
			<link>http://motomastyle.com/pyloris-a-python-implementation-of-slowloris/#PageComment_30</link>
			<description>Motoma,

You're slightly off the mark here... Yes circuits.web is a WSGI compliant web framework that can be run with mod_wsgi behind Apache - however this is not what I was testing...

I was testing circuits.web's Web Server - This is the simplest case I was testing:

{{{
#!python
from circuits.web import Server, Controller

class Root(Controller):

   def index(self):
      return &quot;Hello World!&quot;

(Server(8000) + Root()).run()
}}}

This was tested with PyLoris on my Desktop PC (I have no other hardware/platforms). This is a single-process/single-threaded event-driven application. circuits.web is akin to lighttpd and nginx (which are unaffected by PyLoris) as you've stated.

The point I was trying to make earlier was that the kernel killed PyLoris - most likely because it consumed far too much system memory. It's feasible that PyLoris has a memory leak?

Anyway - regardless - circuits.web (the server - not deployed under apache+mod_wsgi), resists PyLoris' attack.

--JamesMills (prologic)</description>
			<pubDate>Mon, 22 Jun 2009 18:12:29 -0400</pubDate>
			<author>James Mills</author>
			<guid>http://motomastyle.com/pyloris-a-python-implementation-of-slowloris/#PageComment_30</guid>
		</item>
		
		<item>
			<title>Comment by 'Motoma' on PyLoris: A Python implementation of Slowloris</title>
			<link>http://motomastyle.com/pyloris-a-python-implementation-of-slowloris/#PageComment_29</link>
			<description>James,

You are quite astute to test this script against your web server. You are right to assume that this vulnerability does not affect all servers; Apache, dhttpd, and Squid all show weakness to this brand of attack, while IIS, lighttpd, and nginx seem to resist it well.

Assessing the documentation you linked, it appears that your webserver is actually Apache with mod_wsgi calling your Python framework; unless you have configured your server another way.

What I am most curious about is the kernel error you received. More than likely this stopped the test before threads could finish spawning. Could you elaborate on your system configuration? What operating system was running? Another important factor: how did you invoke PyLoris on the command line?

Get back to me and we will see if we can get a thorough test running.

Cheers,
Motoma</description>
			<pubDate>Mon, 22 Jun 2009 05:39:36 -0400</pubDate>
			<author>Motoma</author>
			<guid>http://motomastyle.com/pyloris-a-python-implementation-of-slowloris/#PageComment_29</guid>
		</item>
		
		<item>
			<title>Comment by 'James Mills' on PyLoris: A Python implementation of Slowloris</title>
			<link>http://motomastyle.com/pyloris-a-python-implementation-of-slowloris/#PageComment_28</link>
			<description>Hi,

A friend of mine (Matthew) linked me to this post. I was intrigued at first then decided to test pyloris against my Web Server (written in Python). circuits.web (a set of Web components for circuits) is a high performance scalable Web Server - that does beat all other python web server(s)/framework(s) (so far).

circuits: http://trac.softcircuit.com.au/circuits/
circuits.web: http://trac.softcircuit.com.au/circuits/wiki/docs/circuits.web

When I ran some tests on my local Desktop PC (unfortunately I don't have access to better hardware - let alone a network of PCs to run proper tests on), pyloris died and was killed by the kernel; circuits.web was still happily running.

cheers
James</description>
			<pubDate>Sun, 21 Jun 2009 23:11:28 -0400</pubDate>
			<author>James Mills</author>
			<guid>http://motomastyle.com/pyloris-a-python-implementation-of-slowloris/#PageComment_28</guid>
		</item>
		

	</channel>
</rss>
