Opened 2 years ago

Closed 23 months ago

#23527 closed defect (worksforme)

Our web server is probably vulnerable to slowloris attack

Reported by: gk
Owned by: tpa
Priority: Medium
Milestone:
Component: Internal Services/Tor Sysadmin Team
Version:
Severity: Normal
Keywords:
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

We got a HackerOne bug report about some web server vulnerability (it seems to be not hardened against slowloris attacks):

| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.

See the attachment for more information about what they tested.

Attachments (1)

tor.PNG (66.9 KB) - added by gk 2 years ago.

Change History (4)

Changed 2 years ago by gk

Attachment: tor.PNG added

comment:1 Changed 2 years ago by gk

This got reported by joelisto.

comment:2 Changed 2 years ago by dcf

BTW http-slowloris-check is an Nmap script. You can try to reproduce it yourself using this command. When I tried it just now, it didn't detect any vulnerability, even against the same IP address as in attachment:tor.PNG, 82.195.75.101.

$ nmap -p 80,443 --script http-slowloris-check www.torproject.org

Starting Nmap 7.60 ( https://nmap.org ) at 2017-09-15 08:22 PDT
Nmap scan report for www.torproject.org (82.195.75.101)
Host is up (0.18s latency).
Other addresses for www.torproject.org (not scanned): 38.229.72.16 89.45.235.21 154.35.132.70 138.201.14.197 2001:41b8:202:deb:213:21ff:fe20:1426 2001:6b0:5a:5000::5 2620:0:6b0:b:1a1a:0:26e5:4810 2a01:4f8:172:1b46:0:abba:5:1
rDNS record for 82.195.75.101: listera.torproject.org

PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 24.16 seconds

You can see what the script is doing in its source code: https://svn.nmap.org/nmap/scripts/http-slowloris-check.nse. You can get more debugging output using the -d option, like [http-slowloris-check 82.195.75.101:80] Time difference is: 0.
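An added example (not part of this ticket and not Nmap's code) that models, against a local asyncio server, the two-connection timing comparison behind the "Time difference is" debug line: both probes leave the request headers unfinished, and one sends an extra header later. The handler, the timeout values and all function names are constructed for illustration; a per-line idle timeout yields a clear difference, while a fixed deadline for the whole header block yields roughly 0.

```python
import asyncio
import time

TIMEOUT = 1.0  # constructed header timeout; real servers use tens of seconds
DELAY = 0.5    # constructed delay before the second probe's extra header

def make_handler(fixed_deadline):
    async def handle(reader, writer):
        deadline = time.monotonic() + TIMEOUT
        try:
            while True:
                # Hardened: one deadline covers the whole header block.
                # Weak: every received header line restarts the idle timer.
                left = deadline - time.monotonic() if fixed_deadline else TIMEOUT
                line = await asyncio.wait_for(reader.readline(), max(left, 0))
                if line in (b"\r\n", b""):  # end of headers or client EOF
                    break
        except asyncio.TimeoutError:
            pass  # headers never completed in time
        writer.close()  # the model sends no response, it only drops the socket
    return handle

async def seconds_until_closed(port, extra_header):
    """Send an unfinished request and time how long the server keeps it open."""
    reader, writer = await asyncio.open_connection("127.0.0.1", port)
    start = time.monotonic()
    writer.write(b"GET / HTTP/1.1\r\nHost: localhost\r\n")  # no final CRLF
    if extra_header:
        await asyncio.sleep(DELAY)
        writer.write(b"X-a: b\r\n")
    await reader.read()  # returns at EOF, i.e. when the server closes
    writer.close()
    return time.monotonic() - start

async def _measure(fixed_deadline):
    server = await asyncio.start_server(make_handler(fixed_deadline), "127.0.0.1", 0)
    port = server.sockets[0].getsockname()[1]
    try:
        plain, extended = await asyncio.gather(
            seconds_until_closed(port, False), seconds_until_closed(port, True))
    finally:
        server.close()
    return extended - plain  # extra lifetime gained by sending one more header

def time_difference(fixed_deadline):
    return asyncio.run(_measure(fixed_deadline))

if __name__ == "__main__":
    print("idle timeout:", time_difference(False), "fixed deadline:", time_difference(True))
```

In this model the weak handler keeps the second connection open about `DELAY` seconds longer than the first, which is the signal the check looks for.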

comment:3 in reply to:  2 Changed 23 months ago by weasel

Resolution: worksforme
Status: new → closed

Replying to dcf:

When I tried it just now, it didn't detect any vulnerability

In that case, closing.
