Over the course of years, I have encountered many interesting tools which anonymous skids use to wreak havoc over the internet. One such tool is torshammer, written in Python. Torshammer is a slow HTTP POST DoS tool, meaning it can possibly bring a web server down using maliciously crafted HTTP requests, even from a single machine without much bandwidth. It mostly works against Apache and IIS and can be used over Tor, hiding the real attacker. Its author has described this tool as:
Tor’s Hammer is a slow post dos testing tool written in Python. It can also be run through the Tor network to be anonymized. Kills most unprotected web servers running Apache and IIS via a single instance. Kills Apache 1.X and older IIS with ~128 threads, newer IIS and Apache 2.X with ~256 threads.
Torshammer executes a DoS attack using a slow POST attack, where the POST content is transmitted at slow rates within the same session (the actual rates are randomly chosen within the range of 0.1-3 seconds). It generates a number of HTTP POST requests and establishes connections to the server. If the server can't close these connections correctly, it ends up with a lot of concurrent connections at the same time, and a lot of child processes/threads are spawned. Inside each connection, the tool only sends some randomized characters to keep the established connection open. When the attack hits the maximum number of child processes/threads the server can open, the server will no longer serve legitimate traffic and becomes unavailable.
This tool does not need to generate huge attack bandwidth or a high number of HTTP requests per second. It only needs to hold the maximum number of concurrent connections the server can handle, which is what makes it very dangerous.
I have forked torshammer on my GitHub repository. As you can see, it consists of three files:
torshammer.py - This file contains all the code needed to generate malicious packets.
socks.py - This module provides tunneling through a SOCKS proxy (Tor).
terminal.py - This module generates formatted output for the terminal.
Torshammer selects one of these 20 user-agents while sending HTTP POST requests to the server, making its traffic a little bit harder to distinguish from legitimate traffic.
It also spawns a thread for each connection it tries to make to the server, using the Thread class from Python's threading module.
Then it keeps sending random data to the target server to prevent the connection from getting closed, using
Note that it also sends Keep-Alive: 900. This is the way it keeps the connection ESTABLISHED and prevents the server from closing the socket. To make things more random, it delays packet transmission from
Suppose our target web server is located at 192.168.56.101. The target machine is Ubuntu 14.04 running Apache 2.4.7 with the default configuration.
Let’s fire the missiles.
At this point the server will become unavailable in a matter of seconds.
netstat on the target machine shows that too many connections have been opened to port 80, as we expected.
Wireshark confirms what we saw in the code. It keeps sending HTTP POST requests along with random
For Denial-of-Service attacks, there is no true solution, only mitigation.
1) Limiting a single source address to a maximum of 20 connections rendered this attack ineffective.
iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 -j DROP
This method works for DoS, not DDoS, and it can interfere with legitimate users in certain cases (for instance, many clients sharing one address behind NAT).
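To see the same per-source limit from the detection side, here is an added example (not part of the original post or the torshammer repository) that parses a `netstat -tn` snapshot from the web server and reports every remote host holding more ESTABLISHED connections to port 80 than the connlimit threshold of 20 used in the rule above; the netstat lines in the script are constructed for this example.

```python
"""Flag remote hosts holding too many open connections to the web port.

Added example, not from the original post: parses `netstat -tn` output
taken on the web server and reports every remote IP holding more
ESTABLISHED connections to :80 than the iptables connlimit threshold (20).
The netstat lines below are constructed for this example.
"""
from collections import Counter

# Constructed snapshot: 192.168.56.1 behaves like a torshammer instance
# (many parallel sockets to :80); 192.168.56.50 looks like a normal browser.
SAMPLE_NETSTAT = [
    "Proto Recv-Q Send-Q Local Address           Foreign Address         State",
] + [
    f"tcp        0      0 192.168.56.101:80       192.168.56.1:{50000 + i}      ESTABLISHED"
    for i in range(25)
] + [
    "tcp        0      0 192.168.56.101:80       192.168.56.50:41022     ESTABLISHED",
    "tcp        0      0 192.168.56.101:80       192.168.56.50:41023     ESTABLISHED",
    "tcp        0      0 192.168.56.101:80       192.168.56.77:39000     TIME_WAIT",
    "tcp        0      0 192.168.56.101:22       192.168.56.50:41100     ESTABLISHED",
]

def split_addr(addr):
    """Split 'host:port' into (host, port); also handles '::ffff:10.0.0.1:80'."""
    host, port = addr.rsplit(":", 1)
    return host, int(port)

def count_connections(lines, local_port=80, state="ESTABLISHED"):
    """Count connections per remote host to local_port in the given state."""
    counts = Counter()
    for line in lines:
        fields = line.split()
        # Data rows look like: proto recv-q send-q local foreign state
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        _, lport = split_addr(fields[3])
        rhost, _ = split_addr(fields[4])
        if lport == local_port and fields[5] == state:
            counts[rhost] += 1
    return counts

def flag_sources(counts, threshold=20):
    """Return sorted (host, count) pairs above the per-source threshold."""
    return sorted((h, c) for h, c in counts.items() if c > threshold)

if __name__ == "__main__":
    for host, n in flag_sources(count_connections(SAMPLE_NETSTAT)):
        print(f"{host}: {n} open connections to :80 (above connlimit 20)")
```

Run it against real `netstat -tn` output (`netstat -tn | python3 script.py` with the sample list swapped for `sys.stdin`) to spot a single-source slow-POST flood before the worker pool is exhausted.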
The RequestReadTimeout directive allows you to specify different thresholds for receiving request data. We can add RequestReadTimeout header=30 body=30 to the Apache configuration for this module (the stages are separated by spaces, not commas). This places a threshold of 30 seconds on receiving the request headers and another 30 seconds on completely receiving the request body data. If the data is not received by that time, Apache will issue a 408 Request Timeout status code.
This is used for mechanisms that can provide different levels of priority to different HTTP requests. We can add the following to this module's configuration