Skip to content
forked from valyala/goloris

Slowloris for nginx DoS. Written in go

License

Notifications You must be signed in to change notification settings

mtoothman/goloris

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

28 Commits
 
 
 
 
 
 
 
 

Repository files navigation

Goloris - slowloris[1] for nginx DoS

FAQ

  • Features

    • Uses as low network bandwidth as possible.
    • Low CPU and memory usage.
    • Automatically and silently eats all the available TCP connections to the server.
    • Supports https.
    • Easily hackable thanks to clear and concise Go syntax and powerful Golang features.
  • Limitations

    • Can eat up to 64K TCP connections from a single IP due to TCP limitations. Just use proxies if you want overcoming this limitation :)
  • How it works?

    It tries occupying and keeping busy as much tcp connections to the victim as possible by using as low network bandwidth as possible. If goloris is lucky enough, then eventually it should eat all the available connections to the victim, so no other client could connect to it. See the source code for more insights.

  • How quickly it can take down unprotected nginx with default settings?

    In a few minutes with default config options.

  • Which versions of nginx are vulnerable?

    All up to 1.5.9 if unprotected as described below (i.e. with default config).

  • How to protect nginx against goloris?

    I know the following options:

  • How to use it?

    go get -u -a github.com/valyala/goloris
    go build github.com/valyala/goloris
    ./goloris -help
    

P.S. Don't forget adjusting ulimit -n before experimenting.

And remember - goloris is published for educational purposes only.

[1] http://ha.ckers.org/slowloris/

About

Slowloris for nginx DoS. Written in go

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • Go 100.0%