Monday, 22 June 2009

Apache HTTP DOS tool

The tool basically uses a concept of keeping an HTTP session alive indefinitely (or as long as possible) and repeating that process a few hundred times. So in my testing, against an unprotected and lone Apache server, you can expect to be able to take it offline in a few thousand packets or less on average, and then you can let the server come back again as soon as you kill the process. It is similar to a TCP attack that never closes the session and leaves the server waiting.

Some blogger posted the test results:

This affects a number of webservers that use threaded processes and ironically attempt to limit that to prevent memory exhaustion - fixing one problem created another. This includes but is not necessarily limited to the following:

* Apache 1.x
* Apache 2.x
* dhttpd
* GoAhead WebServer
* Squid

There are a number of webservers that this doesn't affect as well, in my testing:

* IIS6.0
* IIS7.0
* lighttpd

It is named "Slowloris HTTP DoS"; it is actually a Perl script, run as:

perl slowloris.pl -dns example.com

Requirements: This is a Perl program requiring the Perl interpreter with the modules IO::Socket::INET, IO::Socket::SSL, and Getopt::Long. Slowloris works MUCH better and faster if you have threading, so I highly encourage you to also install threads and threads::shared if you don't have those modules already. You can install modules using CPAN:

perl -MCPAN -e 'install IO::Socket::INET'
perl -MCPAN -e 'install IO::Socket::SSL'
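For the defending side, the practical countermeasure on Apache is to bound how long a worker may wait for a client to finish sending request headers (mod_reqtimeout's RequestReadTimeout directive, available from Apache 2.2.15), after which the connection is closed with status 408 and an entry appears in the access log. The script below is an added example, not part of this post or of the Slowloris tool: it reads Apache combined-format log lines and flags any client address that accumulates a burst of 408s inside a sliding time window, which is the footprint a slow-header client leaves once that timeout is in place. The sample log lines, the threshold of five and the five-minute window are constructed assumptions chosen for the example.

```python
"""Flag clients that repeatedly tie up Apache workers without completing
their request headers.  With mod_reqtimeout enabled Apache closes such
connections with 408 and logs them with "-" as the request line, so a
cluster of 408s from one address is the signal to alert on.
Added example; not code from the original post or from Slowloris."""
import re
import sys
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" format: client ident user [timestamp] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = """\
192.0.2.10 - - [22/Jun/2009:10:00:01 +0000] "-" 408 - "-" "-"
198.51.100.7 - - [22/Jun/2009:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
192.0.2.10 - - [22/Jun/2009:10:00:41 +0000] "-" 408 - "-" "-"
192.0.2.10 - - [22/Jun/2009:10:01:21 +0000] "-" 408 - "-" "-"
198.51.100.7 - - [22/Jun/2009:10:01:50 +0000] "-" 408 - "-" "-"
192.0.2.10 - - [22/Jun/2009:10:02:01 +0000] "-" 408 - "-" "-"
192.0.2.10 - - [22/Jun/2009:10:02:41 +0000] "-" 408 - "-" "-"
192.0.2.10 - - [22/Jun/2009:10:03:21 +0000] "-" 408 - "-" "-"
this line is not an access log entry and is skipped
""".splitlines()


def parse_line(line):
    """Return {'ip', 'ts', 'status'} for a combined-format line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "status": int(m.group("status")),
    }


def find_slow_header_offenders(lines, threshold=5, window=timedelta(minutes=5)):
    """Map client IP -> peak number of 408s seen inside any window of the
    given length, for clients whose peak reaches the threshold."""
    stamps_by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 408:
            stamps_by_ip[rec["ip"]].append(rec["ts"])

    offenders = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            # Advance the window start until all retained stamps fit in it.
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            offenders[ip] = peak
    return offenders


if __name__ == "__main__":
    # Pipe a real access log on stdin, or run with no input to use the sample.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG
    for ip, count in sorted(find_slow_header_offenders(source).items()):
        print(f"{ip}: {count} header timeouts within one window")
```

Tune the threshold and window to the site's normal 408 rate before acting on the output, since a single slow mobile client can produce an occasional 408; the point is the burst from one address, not any individual timeout. Without the header read timeout there is nothing to log, because the half-finished requests never reach the access log at all.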
