
New DoS tool lets a single PC bring down an Apache server

Comments

  • Registered Users Posts: 126 ✭✭infodox


    Nothing to worry about, the vuln was released last summer. If you patched anytime in the last 6 months, you are fine.

    The funny thing is how many pieces of script kiddie malware come with "ARME" (Apache Remote Memory Exhaustion, i.e. the range bytes exploit) as standard. IP-KILLER comes with it, along with Slowloris and some ****ty Slowpost variant as other "Layer 7" attacks. Other malware that has adopted Slowloris/Slowpost in the past is also adapting to use the ARME exploit, a year later. The fastest learners were the teams of skidiots who make "Host booters" and other such dedicated DDoS software, though their attempts at it were lame and often did not work.

    The other funny thing is how no one really picked up on using HashDoS. It NEVER gained popularity amongst skiddies, despite several weaponized exploits being available. THC-SSL-DOS is another one that never took off massively, though that is mainly because THC crippled their PoC. Anyone with knowledge of C can fix that though.
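A defender-side check for the range-header exhaustion bug infodox describes above, added here as an example and not code from the original thread: it parses a Range header value and flags the ones a server should ignore rather than honour (Apache's advisory for this bug recommended dropping Range headers carrying more than five ranges). The five-range default and the sample header values are assumptions constructed for the example.

```python
import re
from typing import List, Optional, Tuple

# A single byte-range-spec: "first-last", "first-" or "-suffix_length".
_RANGE_SPEC = re.compile(r"^\s*(\d*)\s*-\s*(\d*)\s*$")

ByteRange = Tuple[Optional[int], Optional[int]]


def parse_byte_ranges(header: str) -> Optional[List[ByteRange]]:
    """Parse a Range header value into (first, last) pairs.

    Returns None for syntactically unusable values so the caller can leave
    those to the web server's own parser. A suffix range ("-500") comes back
    as (None, 500); an open-ended range ("500-") comes back as (500, None).
    """
    if not header.lower().startswith("bytes="):
        return None
    ranges: List[ByteRange] = []
    for spec in header[len("bytes="):].split(","):
        m = _RANGE_SPEC.match(spec)
        if not m or (m.group(1) == "" and m.group(2) == ""):
            return None
        first = int(m.group(1)) if m.group(1) else None
        last = int(m.group(2)) if m.group(2) else None
        ranges.append((first, last))
    return ranges


def range_header_is_abusive(header: str, max_ranges: int = 5) -> bool:
    """True when the Range value should be ignored and the full file served.

    Two signals: more than max_ranges (assumed threshold) byte ranges in one
    request, or two explicit ranges that overlap. A download manager asks
    for a handful of disjoint ranges; many overlapping ones are the pattern
    that made the vulnerable server allocate memory per range.
    """
    ranges = parse_byte_ranges(header)
    if ranges is None:
        return False
    if len(ranges) > max_ranges:
        return True
    # Sort explicit ranges by start; an open end counts as "to end of file".
    explicit = sorted((f, float("inf") if l is None else l)
                      for f, l in ranges if f is not None)
    for (_, a_last), (b_first, _) in zip(explicit, explicit[1:]):
        if b_first <= a_last:
            return True
    return False
```

Wire the result into whatever strips or rewrites request headers in front of the origin; a flagged header should simply be removed so the request degrades to a normal full-content response.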


  • Closed Accounts Posts: 2,663 ✭✭✭Cork24


    Apache servers are updated so they don't work anymore.


  • Registered Users Posts: 126 ✭✭infodox


    A scary amount are still vulnerable to this. Sure, most major sites will have updated by now (likely they haven't...), but what's the harm in adding the range bytes part with malicious content to a Slowloris or Slowpost attack anyway?

    Another interesting one I have seen is people using the "hashdos" payload as the payload in a Slow Post attack on a webserver. Anecdotal evidence suggests it to be "Super Effective". Considering how effective slowpost alone, or "hashdos" alone, can be...


  • Closed Accounts Posts: 2,663 ✭✭✭Cork24


    infodox wrote: »
    A scary amount are still vulnerable to this. Sure, most major sites will have updated by now (likely they haven't...), but what's the harm in adding the range bytes part with malicious content to a Slowloris or Slowpost attack anyway?

    Another interesting one I have seen is people using the "hashdos" payload as the payload in a Slow Post attack on a webserver. Anecdotal evidence suggests it to be "Super Effective". Considering how effective slowpost alone, or "hashdos" alone, can be...

    Slowloris is a layer 7 attack.

    Best fit for a single computer attack would be layer 4 on a header attack.


  • Registered Users Posts: 326 ✭✭schrodinger


    Cork24 wrote: »
    Slowloris is a layer 7 attack.

    Best fit for a single computer attack would be layer 4 on a header attack.

    Header attack - you mean HTTP headers? Which would reside at layer 7.... ‽


  • Closed Accounts Posts: 2,663 ✭✭✭Cork24


    Cork24 wrote: »
    Slowloris is a layer 7 attack.

    Best fit for a single computer attack would be layer 4 on a header attack.

    Header attack - you mean HTTP headers? Which would reside at layer 7.... ‽

    I could be wrong about the HTTP headers being on layer 4. But overall, layer 4 is best suited to attacks with fewer computers.


  • Registered Users Posts: 126 ✭✭infodox


    Layer 4 DoS attacks are SYN floods, TCP floods, ICMP floods, UDP floods... i.e. "packet floods".

    The attack being discussed, the Apache range-header DoS, and Slowloris, are Application Layer, i.e. Layer 7, attacks.

    And nope, generally application layer DoS attacks are far more efficient than brute packet flooding, unless you are using some special magic like reflected floods, sockstress, etc. And with application layer attacks (layer 7) you can route them over Tor, etc., for better anonymity.


  • Registered Users Posts: 326 ✭✭schrodinger


    infodox wrote: »
    Layer 4 DoS attacks are SYN floods, TCP floods, ICMP floods, UDP floods... i.e. "packet floods".

    The attack being discussed, the Apache range-header DoS, and Slowloris, are Application Layer, i.e. Layer 7, attacks.

    And nope, generally application layer DoS attacks are far more efficient than brute packet flooding, unless you are using some special magic like reflected floods, sockstress, etc. And with application layer attacks (layer 7) you can route them over Tor, etc, for better anonymity.

    And then cripple Tor. Also ICMP is layer 3, not layer 4.
    Tor is free software and an open network that helps you defend against a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security known as traffic analysis

    I don't think hiding malicious data when you're DoSing was part of their original design spec, like torrenting over Tor. Just don't do it. You jeopardise a service used by people who might *really* need the links to work to protect their data in hostile environments....

    Sorry for going off topic.


  • Registered Users Posts: 126 ✭✭infodox


    Was not suggesting or encouraging routing over Tor; it is already a known attack vector. PyLoris can execute a slowloris attack changing exit node every 13 seconds (if you try to change quicker than this, Tor stops working). Seeing as Layer 7 attacks are typically low bandwidth, they do not have much of an effect on the Tor network in reality, as opposed to idiots trying to TCP flood over it... However, it is still inadvisable and not a very nice thing to do. (DoS is no fun ANYWAY!).

    For an example of a Slowpost attack over Tor, see "torshammer". I recall excellent results were had executing a Slowpost (Torshammer) and Slowloris (PyLoris) attack over Tor with rapid switching of exit nodes. However, doing so is a dick move and yet ANOTHER thing you should not do!

    I was fairly sure ICMP packets are encapsulated in IP packets? IP packets are layer 3, so would this not make ICMP layer 4? Like TCP and UDP?


  • Closed Accounts Posts: 2,663 ✭✭✭Cork24


    Or we could just use what has been working for years and still is, and nothing can really stop it:

    NETBOTS


  • Registered Users Posts: 4,983 ✭✭✭Tea_Bag


    Didn't the Jester guy claim to have a similar program?


  • Registered Users Posts: 326 ✭✭schrodinger


    infodox wrote: »
    Was not suggesting or encouraging routing over Tor; it is already a known attack vector. PyLoris can execute a slowloris attack changing exit node every 13 seconds (if you try to change quicker than this, Tor stops working). Seeing as Layer 7 attacks are typically low bandwidth, they do not have much of an effect on the Tor network in reality, as opposed to idiots trying to TCP flood over it... However, it is still inadvisable and not a very nice thing to do. (DoS is no fun ANYWAY!).

    For an example of a Slowpost attack over Tor, see "torshammer". I recall excellent results were had executing a Slowpost (Torshammer) and Slowloris (PyLoris) attack over Tor with rapid switching of exit nodes. However, doing so is a dick move and yet ANOTHER thing you should not do!

    [...]

    You could cripple a network like Tor without using much bandwidth, kind of like an attack on, say, a randomly chosen protocol, oh say HTTP :) Packet counts and other varying network behaviourisms can have disastrous effects without using a "fat pipe".

    infodox wrote: »

    [...]

    I was fairly sure ICMP packets are encapsulated in IP packets? IP packets are layer 3, so would this not make ICMP layer 4? Like TCP and UDP?

    Network protocols don't stack like that just because OSI does :) The intention of the layer can dictate which protocols apply to that layer.

    http://en.wikipedia.org/wiki/Network_layer


  • Registered Users Posts: 126 ✭✭infodox


    I never looked into how Tor could be crippled, as breaking Tor would be counterproductive, and evil. Merely pointing out it IS used as a method of hiding attacks. I suppose it could be broken easily with something like an SSL DoS...

    As for the Jester, yep. Slowloris over Tor, later he added slowpost. He claims it is something else, though all the evidence points to that. It IS effective. His "saladin" is just abuse emails and domain expiry :P

    As for OSI/network layers... I always have the bad habit of assuming things will obey the OSI model :P Though I do understand now that ping/ICMP also is L3...

    Cork24 - botnets work. It's just that they are inelegant when you can do the same thing with one computer as opposed to 9001. The program mentioned in the Ars article is a botnet tool though.


  • Registered Users Posts: 326 ✭✭schrodinger


    infodox wrote: »

    [...]

    As for OSI/network layers... I always have the bad habit of assuming things will obey the OSI model :P Though I do understand now that ping/ICMP also is L3...

    [...]

    But it _IS_ obeying the OSI model, that's what I am pointing out ;) It just doesn't stack the way you are thinking about it.

    http://www.tcpipguide.com/free/t_TheOpenSystemInterconnectionOSIReferenceModel.htm
    http://www.tcpipguide.com/free/t_UnderstandingTheOSIReferenceModelAnAnalogy.htm
    http://www.tcpipguide.com/free/t_TCPIPArchitectureandtheTCPIPModel.htm

