CS369/M6-109 Lab DOS on Apache Rev. 3

Denial of Service (DOS): Apache HTTP web server DOS attack using a Perl script

Background (http://ha.ckers.org/slowloris)

The ideal situation for many denial of service (DOS) attacks is one where all other services remain intact but the web server itself is completely inaccessible. Slowloris grew out of the idea that a single machine could take down another machine's web server with minimal bandwidth and few side effects on unrelated services. It is relatively stealthy compared to most flooding tools: rather than flooding the network, it performs a slow denial of service against one particular service by exhausting the number of simultaneous connections the web server allows.

Slowloris holds connections open by sending partial HTTP requests (think fragmented, but at the segment layer rather than the network layer). It then sends further header lines at regular intervals to keep the sockets from being closed, so the web server quickly ends up tied up waiting for the rest of each request. Threaded servers in particular tend to be vulnerable, precisely because they cap the number of threads (and therefore connections) they will allow.

Slowloris must wait for sockets to become available before it can consume them, so on a high-traffic website it may take a while for the site to free up its sockets. While you may be unable to see the website from your vantage point, others may still be able to see it until all of the sockets are freed by them and consumed by Slowloris; other users of the system must finish their requests before those sockets become available to Slowloris. If they re-initiate their connections in that brief window they will still see the site. It is a bit of a race condition, but one that Slowloris will eventually win, and sooner rather than later.
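The race described above can be made concrete with a small model. The following Python is an added example written for this handout; it is not code from the lab, from the original Slowloris page, or from slowloris.pl. It builds the same kind of incomplete request Slowloris sends, then simulates a worker-limited server in one-second ticks in which legitimate clients, the attacker's held sockets and the server's read timeout contend for a fixed pool of workers. The worker count, timeout, connection count, send interval and user arrival rate are assumed parameters, not measurements from the lab server.

```python
"""Constructed model of the Slowloris race against a worker-limited web server.

Added example for this handout; not code from the lab or from slowloris.pl.
A server worker holds one TCP connection until it has read a complete request
header block (the request is then served and the worker freed) or until
`timeout` seconds pass with no bytes arriving, as with Apache's read Timeout.
Time advances in one-second ticks. All numbers are assumed, not measured.
"""
import random
from dataclasses import dataclass


def partial_request(host, path="/"):
    """Opening bytes of a Slowloris connection: a request line and headers that
    deliberately lack the blank line (\\r\\n\\r\\n) ending the header block."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "User-Agent: Mozilla/4.0 (compatible)\r\n"
        "Content-Length: 42\r\n"
    ).encode()


def keepalive_header(n):
    """One bogus header line, sent periodically so the socket never looks idle."""
    return f"X-a: {n}\r\n".encode()


def header_block_complete(buf):
    return b"\r\n\r\n" in buf


@dataclass(eq=False)          # identity comparison: every connection is distinct
class Conn:
    owner: str                # "attacker" or "user"
    buf: bytes                # bytes the server has received so far
    last_byte_at: int         # tick at which the last byte arrived


class ThreadedServer:
    def __init__(self, max_workers, timeout):
        self.max_workers = max_workers
        self.timeout = timeout
        self.conns = []
        self.reaped = 0       # attacker sockets dropped by the read timeout

    def accept(self, conn):
        """One worker per connection; with none free the client is turned away."""
        if len(self.conns) >= self.max_workers:
            return False
        self.conns.append(conn)
        return True

    def reap(self, now):
        """Free workers whose request completed last tick or that idled past timeout."""
        keep = []
        for c in self.conns:
            if header_block_complete(c.buf):
                continue                      # served and closed; worker is free again
            if now - c.last_byte_at >= self.timeout:
                if c.owner == "attacker":
                    self.reaped += 1
                continue
            keep.append(c)
        self.conns = keep


def simulate(max_workers=150, timeout=300, attacker_conns=500,
             send_interval=100, users_per_tick=30, ticks=400, seed=1):
    rng = random.Random(seed)
    srv = ThreadedServer(max_workers, timeout)
    held = []                 # attacker sockets currently occupying a worker
    first_user_refused = None
    for now in range(ticks):
        srv.reap(now)
        live = {id(c) for c in srv.conns}
        held = [c for c in held if id(c) in live]
        # Slowloris keeps every held socket alive by sending another header line
        # whenever `send_interval` seconds have passed; this must beat `timeout`.
        for c in held:
            if now - c.last_byte_at >= send_interval:
                c.buf += keepalive_header(now)
                c.last_byte_at = now
        # Everyone who wants a worker this tick, in random arrival order: the
        # attacker tops up towards its target connection count, users send
        # complete requests (partial request plus the closing blank line).
        attempts = [Conn("attacker", partial_request("victim"), now)
                    for _ in range(max(0, attacker_conns - len(held)))]
        attempts += [Conn("user", partial_request("victim") + b"\r\n", now)
                     for _ in range(users_per_tick)]
        rng.shuffle(attempts)
        for c in attempts:
            if srv.accept(c):
                if c.owner == "attacker":
                    held.append(c)
            elif c.owner == "user" and first_user_refused is None:
                first_user_refused = now
    return {
        "attacker_held": sum(c.owner == "attacker" for c in srv.conns),
        "user_held": sum(c.owner == "user" for c in srv.conns),
        "first_user_refused": first_user_refused,
        "attacker_conns_reaped": srv.reaped,
    }


if __name__ == "__main__":
    print("500 slow sockets vs 150 workers:", simulate())
    print("100 slow sockets vs 150 workers:", simulate(attacker_conns=100))
    print("headers sent slower than the read timeout:",
          simulate(timeout=50, send_interval=100))
```

The first scenario is the lab: more slow sockets than workers, and within a few ticks every worker belongs to the attacker, even though users briefly win some of the freed slots along the way. The second shows that an attacker holding fewer sockets than the worker limit never locks users out. The third is why slowloris.pl sends its bogus header lines on a timer: a socket that goes quiet for longer than the server's read timeout is reclaimed (Apache 2.2's default Timeout is 300 seconds; the later mod_reqtimeout module, added in 2.2.15, separately bounds how long a worker will wait for a complete header block).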
Overview: Using your remote Kali Linux host, you will download and run the slowloris.pl Perl script against Windows Server 2008 hosts running Apache 2.2.2 (a fairly recent version).

Remote Connection: See the previous lab (01-NPS00 Introduction to the Lab), log onto your remote Windows host, and then open VNC to your Kali Linux host.
Preparation Procedures: This lab needs to be done on Linux, so we will download and run the slowloris.pl Perl script on our Kali Linux remote VM. In parallel we will run a Remote Desktop session to the target to see the impact of the attack on the server's resources.

Steps:
1. First log on to csview.nps.edu via the VMware View client.
2. From your remote Windows host, use VNC Viewer to get into your Kali Linux host.
3. Open a new shell (terminal window) within Kali Linux.
4. Change directory to Desktop and ftp to ftpv8.hackers.net with the anonymous account (user name: ftp, password: ftp).
5. Get the slowloris.pl file from the /uploads/ directory.
6. Finish the ftp session with the bye command.
7. From your remote Windows host click the Start button, type mstsc and hit Enter to open Remote Desktop Connection. In the Remote Desktop Connection window enter the IP address of your victim server and click Connect. Your target (victim) server is assigned by your user account. If your account (CS369-# or M6-109-#) ends in:
   0 or 5: you will be monitoring and attacking 192.168.201.100
   1 or 6: you will be monitoring and attacking 192.168.201.101
   2 or 7: you will be monitoring and attacking 192.168.201.102
   3 or 8: you will be monitoring and attacking 192.168.201.103
   4 or 9: you will be monitoring and attacking 192.168.201.104
   The session may take a minute or two to come up.
   Username: .\Administrator
   Password: Password1
8. Inside the Windows 2008 server click the Start button, type resmon and hit Enter to open Resource Monitor.
9. In Resource Monitor open the Network tab and expand Network Activity and TCP Connections by clicking the triangles shown in the picture. Make sure no one else is running this lab against the same machine by checking that the TCP connection count is low; if it is high, you may need to wait.
10. Switch to the Kali Linux machine and open Iceweasel.
   a. Type in the address of the Windows/Apache server from above.
   b. Verify that the page loads.

Lab Procedures:
11. Back on your Kali VM, in a terminal window confirm that you are in the Desktop directory and run the Slowloris script against your target (the script takes the target with its -dns option):
   perl slowloris.pl -dns 192.168.201.{last octet of your target from the table above}
12. Refresh the web page in Iceweasel to see the effect (to be sure, close the browser and open it again, since the page may be served from the cache). Notice the spinning wheel and the Cancel button, showing that the browser is still trying to connect.
13. Switch to the Remote Desktop of the victim Apache server and observe the Network Activity and TCP Connections in Resource Monitor.
14. From your remote Windows 7 host, try to connect to the web server; it should fail as well.
15. Switch back to Kali Linux and stop the script with Ctrl+C.
16. Now see if you can get to the web site from Kali and from your remote Windows 7 host. You should be able to.

If you are a curious hacker you can play with the parameters in the script. Remember that the bottleneck this DOS attack exploits is the limited number of threads/sockets the server is allowed to create.

IMPORTANT: If the web page still loads in your browser during the attack, it means your browser still has an active connection to the server (one of the sockets Slowloris has not yet consumed). You can verify this in Resource Monitor -> TCP Connections on the server.

There are no deliverables for this lab, just a Done message in the lab assignment.