aboutsummaryrefslogtreecommitdiff
path: root/network/slowhttptest/README
blob: 95f408733af912b892cc9005b803c2b36e38f4b2 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
slowhttptest (stress testing tool/DoS simulator)

SlowHTTPTest is a highly configurable tool that simulates some
Application Layer Denial of Service attacks. It works on majority
of Linux platforms, OSX and Cygwin - a Unix-like environment and
command-line interface for Microsoft Windows.

It implements most common low-bandwidth Application Layer DoS attacks,
such as slowloris, Slow HTTP POST, Slow Read attack (based on TCP
persist timer exploit) by draining concurrent connections pool, as
well as Apache Range Header attack by causing very significant memory
and CPU usage on the server.

Slowloris and Slow HTTP POST DoS attacks rely on the fact that the HTTP
protocol, by design, requires requests to be completely received by the
server before they are processed. If an HTTP request is not complete,
or if the transfer rate is very low, the server keeps its resources busy
waiting for the rest of the data. If the server keeps too many resources
busy, this creates a denial of service.

This tool is sending partial HTTP requests, trying to get denial of
service from target HTTP server.

Slow Read DoS attack aims the same resources as slowloris and slow POST,
but instead of prolonging the request, it sends legitimate HTTP request
and reads the response slowly.

DISCLAIMER: Keep in mind that slowhttptest is of little use as a
script kiddie tool. It cannot be pointed blindly at arbitrary targets,
like e.g. LOIC. Rather, where it excels is in its breadth of attack
options, high customizability and its in-depth analytics. As such, it
will be mostly useful for server administrators trying to stress test
their systems.