Nmap can also be used to identify web servers vulnerable to the denial of service attack known as slowloris. The slowloris denial of service technique is presumed to have been discovered by Adrian Ilarion Ciobanu back in 2007, but RSnake released the first tool at DEFCON 17, proving that it affects several products, including Apache 1.x, Apache 2.x, dhttpd, and possibly many other web servers.
This recipe shows how to detect if a web server is vulnerable to slowloris DoS attacks with Nmap.
To launch a slowloris attack against a remote web server with Nmap, use the following command:
$ nmap -p80 --script http-slowloris --max-parallelism 400 <target>
By default, the script will run for 30 minutes if the server keeps responding. If the server goes down, some statistics are returned:
PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack
| http-slowloris:
|   Vulnerable:
|   the DoS attack...