That Apache-HTTP-DoS Thing.

This month marks the beginning of weeks of boredom for millions of pasty teenagers everywhere. To mark this event, some a-hole released an easy-to-use script that makes it trivial to bring down an Apache-based website. This script, called “Slowloris,” takes advantage of a fundamental mechanic of Apache rather than a bug, so it is not a hack in the exploit sense. Apache’s usual MPMs (prefork and worker) dedicate a worker process or thread to every open connection and cap the number of workers (MaxClients) to prevent runaway usage of system resources. Slowloris opens as many connections as it can and keeps every one of them alive with a request that never finishes: it sends the first lines of an HTTP request, then dribbles out another bogus header line now and then, never sending the blank line that ends the headers. Each stalled connection pins a worker, the worker’s Timeout clock is reset every time a line arrives, and once every worker is pinned legitimate users cannot get served.

Note: Not IIS :-(

In most large-scale production environments there is some sort of load balancing or reverse proxying in front of Apache, and a proxy that buffers the whole request before handing it to Apache absorbs the slow connections, which will keep the site from becoming completely unreachable. Small and medium scale environments will probably not have this. While there are some options for lessening the impact of this attack, none are entirely effective at preventing it, because it abuses normal behaviour rather than a bug. (You can read about those options here.) While this idea is not original, the way it was packaged is bad news. This script is kind of a big deal for the following reasons:

  • Pretty much every stock Apache installation (prefork or worker MPM) is affected
  • There is no patch, as it takes advantage of how Apache is supposed to work
  • It’s hella easy to use (enough so that “script kiddies” can use it)
  • One person on one laptop can bring down a website. No botnet required!

The original script is written in Perl. There is also a Python implementation called “PyLoris” available here. This is a classic denial-of-service attack carried over HTTP against Apache. It only occupies Apache’s connection slots, so SSH, FTP or whatever else you are running on that server keeps working, and it barely registers in CPU, memory or bandwidth on either end, which also makes it easy to miss on the usual load graphs. Servers that do not tie a worker thread to each connection for as long as it stays open, Microsoft’s IIS among them, are not starved this way, which is why IIS is unaffected.
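Here is the mechanic from the two paragraphs above in miniature, as an added example that is not the original post’s code and not the Slowloris or PyLoris script: a toy thread-per-connection server in Python (the language of PyLoris) with a four-worker pool standing in for MaxClients, an attacker that parks four half-finished requests on it, and a normal client that then asks for a page. Run once with no deadline on reading headers, the way a stock Apache of the time behaved, and once with a short one, which is the idea behind Apache’s later mod_reqtimeout. Pool size, the loopback port and all timeouts are assumptions chosen for the demo.

```python
"""Added example, not code from the original post or from Slowloris/PyLoris:
a toy thread-per-connection HTTP server attacked by half-finished requests.
POOL_SIZE stands in for Apache's MaxClients; header_timeout stands in for
the deadline mod_reqtimeout puts on reading request headers (assumptions)."""
import socket
import threading
import time
from concurrent.futures import ThreadPoolExecutor

POOL_SIZE = 4
RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\nConnection: close\r\n\r\nok"


class ToyServer:
    """Accepts on loopback and hands every connection to a pool worker that
    reads until the blank line ending the headers.  header_timeout=None
    means the worker waits forever, like Apache with a long Timeout."""

    def __init__(self, header_timeout=None):
        self.header_timeout = header_timeout
        self.running = True
        self.listener = socket.socket()
        self.listener.bind(("127.0.0.1", 0))      # OS picks a free port
        self.listener.listen(64)
        self.listener.settimeout(0.2)             # lets the accept loop notice close()
        self.port = self.listener.getsockname()[1]
        self.pool = ThreadPoolExecutor(max_workers=POOL_SIZE)
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while self.running:
            try:
                conn, _ = self.listener.accept()
            except socket.timeout:
                continue
            except OSError:                       # listener closed
                return
            self.pool.submit(self._handle, conn)  # queues if no worker is free

    def _handle(self, conn):
        conn.settimeout(self.header_timeout)
        buf = b""
        try:
            while b"\r\n\r\n" not in buf:         # headers not finished yet
                chunk = conn.recv(4096)
                if not chunk:                     # peer hung up
                    return
                buf += chunk
            conn.sendall(RESPONSE)
        except socket.timeout:                    # stalled request: free the worker
            pass
        except OSError:
            pass
        finally:
            conn.close()

    def close(self):
        self.running = False
        self.listener.close()
        self.pool.shutdown(wait=False)


def hold_partial_requests(port, count):
    """Slowloris's core move: open `count` connections, send the start of a
    request and never the blank line that ends the headers."""
    socks = []
    for _ in range(count):
        s = socket.create_connection(("127.0.0.1", port))
        s.sendall(b"GET / HTTP/1.1\r\nHost: victim\r\nX-a: b\r\n")
        socks.append(s)
    return socks


def legit_request(port, timeout):
    """A normal client sending a complete request; True if answered in time."""
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=timeout) as s:
            s.sendall(b"GET / HTTP/1.1\r\nHost: victim\r\n\r\n")
            return s.recv(4096).startswith(b"HTTP/1.1 200")
    except OSError:                               # includes the timeout
        return False


def run_scenario(header_timeout, client_patience=1.5):
    """Park POOL_SIZE stalled requests on the server, then ask for a page.
    Returns True if the legitimate client got a response."""
    server = ToyServer(header_timeout)
    stalled = hold_partial_requests(server.port, POOL_SIZE)
    time.sleep(0.2)                               # let workers pick them up
    answered = legit_request(server.port, client_patience)
    for s in stalled:
        s.close()
    server.close()
    return answered


if __name__ == "__main__":
    print("no header deadline, page served:", run_scenario(None))      # False
    print("0.25 s header deadline, page served:", run_scenario(0.25))  # True
```

Four stalled connections are enough to shut out the fifth, honest client, and note that nothing in the process is busy while it happens: the workers are just sitting in recv. Giving the header read a deadline is what turns those parked workers back into free ones.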

HOWEVER:

Any Linux server running iptables can add the following two rules:

iptables -I INPUT -p tcp --dport 80 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 60 --hitcount 20 -j DROP

These two rules drop new connections to port 80 from a source that has already opened 20 of them in the last 60 seconds. (Because -I inserts at the top, the DROP rule ends up above the --set rule; both are still consulted for every new connection, so the order is harmless.) The numbers are pretty arbitrary and will take some tuning: an office NAT or a proxy legitimately opens more than 20 connections a minute, and the recent match only remembers 20 hits per address by default (the module’s ip_pkt_list_tot parameter), so a bigger hitcount needs that raised too. More importantly, be clear about what these rules do and don’t do. They limit how fast one source can open connections, not how many it can keep open, and Slowloris keeps every connection open indefinitely by sending another header line before Apache’s Timeout runs out. A lone attacker is therefore slowed to 20 new stalled connections a minute, which still fills a default MaxClients of 256 in a little over twelve minutes. A per-source cap on concurrent connections (the iptables connlimit match, --connlimit-above) closes that gap; the rules above buy time rather than prevent the attack outright.
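To put numbers on that difference, here is an added example (not from the original post) that replays one attacker against three firewall policies and counts the connections it ends up holding. RateLimit models the two recent rules above; ConcurrentCap models the iptables connlimit match; NoPolicy is the baseline. The attacker opens one connection a second and never closes any of them, which is what Slowloris achieves by sending a header line before Apache’s Timeout expires. The window, hit count, cap of 20 and the MaxClients value of 256 (Apache’s prefork default) are assumptions for the demo.

```python
"""Added example, not from the original post: replay one attacker against
three firewall policies and count the connections it ends up holding.
RateLimit models the two `recent` rules above (at most HITS new connections
per WINDOW seconds from one source); ConcurrentCap models iptables'
connlimit match (at most CAP open connections from one source at a time).
MAX_CLIENTS is Apache's prefork default (assumed unchanged on the box)."""
from collections import deque

WINDOW, HITS = 60, 20     # --seconds 60 --hitcount 20, as in the rules above
CAP = 20                  # hypothetical --connlimit-above 20
MAX_CLIENTS = 256


class NoPolicy:
    """Nothing in front of Apache."""
    def allow(self, now, held):
        return True


class RateLimit:
    """Sliding window like `-m recent --update --seconds WINDOW --hitcount HITS`."""
    def __init__(self):
        self.stamps = deque()            # times of recently accepted connections

    def allow(self, now, held):
        while self.stamps and now - self.stamps[0] >= WINDOW:
            self.stamps.popleft()        # outside the window: forget it
        if len(self.stamps) >= HITS:
            return False                 # too many in the last WINDOW s: DROP
        self.stamps.append(now)
        return True


class ConcurrentCap:
    """Like `-m connlimit --connlimit-above CAP`: counts open, not new."""
    def allow(self, now, held):
        return held < CAP


def replay(policy, duration=900):
    """Attacker opens one connection a second and never closes any.
    Returns (connections held after `duration` seconds, first second at
    which the attacker alone fills MAX_CLIENTS slots, or None)."""
    held, exhausted_at = 0, None
    for now in range(duration):
        if policy.allow(now, held):
            held += 1
        if exhausted_at is None and held >= MAX_CLIENTS:
            exhausted_at = now
    return held, exhausted_at


if __name__ == "__main__":
    for policy in (NoPolicy(), RateLimit(), ConcurrentCap()):
        print(type(policy).__name__, replay(policy))
    # NoPolicy (900, 255); RateLimit (300, 735); ConcurrentCap (20, None)
```

With nothing in the way the attacker owns all 256 slots in about four minutes; the rate limit stretches that to a bit over twelve minutes but never stops it; the concurrent cap holds it at 20 for good. The rule that gives you the cap is the connlimit match on new connections, e.g. iptables -I INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 -j DROP, with the same tuning caveat about NATs and proxies as above.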

There is also a way to do this inside Apache. mod_reqtimeout, bundled with Apache since 2.2.15, has a RequestReadTimeout directive that puts a deadline and a minimum data rate on receiving the request headers, which is exactly the phase Slowloris stalls in, so a stalled connection gets closed and its worker freed. To cap concurrent connections per client address inside Apache itself you need a third-party module such as mod_qos (QS_SrvMaxConnPerIP) or mod_limitipconn. Either is a better solution than the firewall rule proposed above. If you know of other options, please add them in the comments.

A NOTE: It rankles me when people use the term “script kiddie.” This term is extremely dismissive, and is used mostly by crotchety IT professionals who forgot what it’s like to have three months off. I understand that there is a difference between “script kiddies” and “teenager hackers” but for the most part, the two are lumped together. People learn by looking at the examples of others. These kids will use these scripts this summer, but next summer, or the year after, they will be writing them, and making even more work for these same “hardened” IT “professionals.” So, bored teenager: go nuts. Have fun. Learn as much as you can. Just don’t be a douche about it.

ANOTHER NOTE: Yes, in case you are wondering, I do make the “quotations gesture” while I talk “IRL.”

ONE FINAL NOTE: I fully support people writing tools like this. There is nothing wrong with a little more awareness. I do find the timing amusing though.

If you have anything to add, or you find something wrong with my solution, please feel free to leave a comment so that I can take your ideas as my own.

P.S. I tried hard, but I couldn’t find any other suitable images to put here. Sorry.



2 Responses to That Apache-HTTP-DoS Thing.

  1. Lenowe says:

    weeks of boredom? whaaaaaaaa summer’s the best

  2. Edwin says:

    Hey, who approved that comment?
