Httpsloth
Intro
This tool is a proof of concept implementation of Slow HTTP POST
denial of service attack.
The general idea behind this technique is to open thousands of cheap TCP connections with proper HTTP POST request
string containing Content-Length
big enough and feed them with body byte by byte periodically. In case of Nginx
web server bytes should be sent in periods less than the value of client_body_timeout
parameter which is 60s
by default. Connections amount should exceed worker_processes * worker_connections
values which is 1 * 1024 = 1024
by default.
Rust Setup
Official Rust setup guide can be found here: https://www.rust-lang.org/en-US/install.html
Kernel parameters.
In order to hold multiple open connections make sure you have set up high hard and soft limits for open files count.
Edit /etc/security/limits.conf
and add:
* hard nofile 16384
* soft nofile 12288
Run
cargo run -- --url https://target.example.com
or:
cargo build --release
./target/release/httpsloth --url https://target.example.com
Countermeasures
Proper web server configuration.
Your front-facing server should be able to hold much more open connections than the default setup allows you to.
Increase number of workers and the amount of connections each one of them limited to hold by playing with
worker_processes
and worker_connections
parameters in case of Nginx. Also your timeout between the consequent HTTP
body parts should be adequate and you cannot decrease its value too much in order to handle legit connection.
Recommendation here for client_body_timeout
in case of Nginx is couple of seconds for ordinary web app. Please note
that client_body_timeout
stands for the timeout between consequent body parts not the entire body.