Torshammer, script kiddies' favorite tool

Over the years I have encountered many interesting tools that anonymous skids use to wreak havoc over the internet. One such tool is Torshammer, written in Python. Torshammer is a slow HTTP POST DoS tool, meaning it can bring a web server down with maliciously crafted HTTP requests from a single machine, without much bandwidth. It mostly works against Apache and IIS and can be run over Tor, hiding the real attacker. Its author describes the tool as follows:

Tor’s Hammer is a slow post dos testing tool written in Python. It can also be run through the Tor network to be anonymized. Kills most unprotected web servers running Apache and IIS via a single instance. Kills Apache 1.X and older IIS with ~128 threads, newer IIS and Apache 2.X with ~256 threads.

How does it work?

Torshammer executes a slow POST attack: the POST body is transmitted at a very slow rate over one and the same connection (the delay between transmissions is chosen at random between 0.1 and 3 seconds). It starts a number of HTTP POST requests and establishes a separate connection to the server for each of them. Because the request body is never completely received, the server cannot finish or close the request; it ends up holding all of these connections open at the same time, with a child process or thread spawned for each one. Inside each connection the tool only sends a few random characters now and then, just enough to keep the connection established. Once the attack reaches the maximum number of child processes/threads the server is allowed to open, the server can no longer serve legitimate traffic and becomes unavailable.

The tool does not need to generate a large amount of attack bandwidth or a high number of HTTP requests per second. It only needs to hold as many concurrent connections as the server can handle, which is what makes it so dangerous.

Analyzing the Code

I have forked torshammer on my github repository. As you can see, it consists of three files:

torshammer.py - contains all the code needed to generate the malicious HTTP requests.

socks.py - a module that provides tunneling through a SOCKS proxy (Tor).

terminal.py - a module that generates formatted output for the terminal.

For every POST request it sends, Torshammer picks one of 20 hard-coded user-agents at random, which makes the traffic a little harder to tell apart from legitimate browsers by User-Agent alone.

[screenshot: the user-agent list in torshammer.py]

It also spawns a thread for each connection it tries to make to the server, using the Thread class from Python's threading module.

[screenshot: thread creation in torshammer.py]

Then it keeps sending random data to the target server to prevent the connection from being closed, using

[screenshot: POST request construction]

and

[screenshot: the send loop that keeps the connection alive]

Note that it also sends a Keep-Alive: 900 header so that the connection is treated as persistent; this is how it keeps the connection ESTABLISHED and prevents the server from closing the socket. (Apache takes its keep-alive timeout from its own KeepAliveTimeout setting rather than from this header; what really keeps each connection busy is the request body that is still being read.) To make the traffic more irregular, it delays each transmission by a random 0.1 to 3 seconds.

Run-time Analysis

Suppose our target web server is at 192.168.56.101. The target machine runs Ubuntu 14.04 with Apache 2.4.7 in its default configuration.

[screenshot: target web server]

Let's fire the missiles.

[screenshot: torshammer running against the target]

At this point the server becomes unavailable within a few seconds.

netstat on the target machine shows the large number of connections opened to port 80, as we expected:

[screenshot: netstat output on the target]
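The netstat view above is also the easiest thing to alert on. The following is an added example, not code from the original post or from torshammer: it parses lines in the format printed by `netstat -ant` on Linux, counts ESTABLISHED connections to the web port per remote address, flags any address above the 20-connection threshold used in the mitigation section, and checks whether the total is enough to exhaust the worker pool. The sample netstat lines are constructed for this example, and the worker-pool size of 150 is an assumption (the value in Ubuntu's default mpm_prefork.conf); check your own MPM configuration.

```python
import re
from collections import Counter
from typing import Dict, Iterable

# One `netstat -ant` data line: proto, Recv-Q, Send-Q, local addr, remote addr, state.
NETSTAT_LINE = re.compile(
    r"^tcp6?\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+(?P<state>[A-Z_]+)\s*$"
)

# Constructed sample output: one legitimate SSH session, 150 slow-POST connections
# from one host, three normal visitors, and one half-open connection.
SAMPLE_NETSTAT = (
    ["Active Internet connections (servers and established)",
     "Proto Recv-Q Send-Q Local Address           Foreign Address         State",
     "tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN",
     "tcp        0      0 192.168.56.101:22       192.168.56.1:50123      ESTABLISHED"]
    + [f"tcp        0      0 192.168.56.101:80       192.168.56.1:{40000 + i}      ESTABLISHED"
       for i in range(150)]
    + [f"tcp        0      0 192.168.56.101:80       10.0.0.7:{51000 + i}          ESTABLISHED"
       for i in range(3)]
    + ["tcp        0      0 192.168.56.101:80       10.0.0.9:52000          SYN_RECV"]
)


def split_addr(addr: str):
    """Split netstat's host:port form; the port is everything after the last ':'
    (so IPv6 addresses such as ::1:45000 split correctly)."""
    host, _, port = addr.rpartition(":")
    return host, int(port)


def established_per_remote(lines: Iterable[str], local_port: int = 80) -> Counter:
    """Count ESTABLISHED connections to local_port, keyed by remote host."""
    counts: Counter = Counter()
    for line in lines:
        m = NETSTAT_LINE.match(line.strip())
        if not m or m.group("state") != "ESTABLISHED":
            continue            # headers, LISTEN sockets and half-open SYNs are ignored
        _, lport = split_addr(m.group("local"))
        if lport != local_port:
            continue            # e.g. the SSH session
        rhost, _ = split_addr(m.group("remote"))
        counts[rhost] += 1
    return counts


def suspicious_sources(lines: Iterable[str], local_port: int = 80,
                       threshold: int = 20) -> Dict[str, int]:
    """Remote hosts holding more than `threshold` established connections to local_port.
    20 is the same limit the iptables connlimit rule in the mitigation section enforces."""
    counts = established_per_remote(lines, local_port)
    return {host: n for host, n in counts.items() if n > threshold}


def workers_exhausted(lines: Iterable[str], local_port: int = 80,
                      max_request_workers: int = 150) -> bool:
    """True when the established connections alone can occupy every Apache worker.
    max_request_workers=150 is an assumption for this example (Ubuntu's prefork default)."""
    total = sum(established_per_remote(lines, local_port).values())
    return total >= max_request_workers


if __name__ == "__main__":
    print("per-source counts:", dict(established_per_remote(SAMPLE_NETSTAT)))
    print("over threshold:", suspicious_sources(SAMPLE_NETSTAT))
    print("worker pool exhausted:", workers_exhausted(SAMPLE_NETSTAT))
```

In practice you would feed it the live output of `netstat -ant` (or `ss -tan`, after adjusting the regex for its column layout) from a cron job or a monitoring agent; a single source holding more than a couple of dozen connections to port 80 is the signature of this class of tool, while the total against the worker pool tells you how close the server is to refusing new clients.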

Wireshark confirms what we saw in the code: it keeps sending HTTP POST requests whose body consists of random letters and digits, delivered a little at a time.

[screenshot: Wireshark capture of the POST traffic]

Mitigation

For Denial-of-Service attacks there is no true solution, only mitigation.

1) Limiting each source address to a maximum of 20 concurrent connections to port 80 rendered this attack ineffective:

iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 -j DROP

The rule drops the SYN of any new connection once the source already has 20 connections to port 80 (connlimit counts per source /32 by default; see --connlimit-mask). This works against a single-source DoS but not against a DDoS where every source stays under the limit. It can also interfere with legitimate users in some cases, for example many users behind one NAT gateway or proxy that share a source address; for an attacker coming through Tor, the limit applies per exit node.

2) Use mod_reqtimeout

The RequestReadTimeout directive lets you set separate limits for receiving the request headers and the request body. Adding

RequestReadTimeout header=30 body=30

to the module's configuration gives the client 30 seconds to deliver the complete headers and another 30 seconds to deliver the complete body. If the data has not arrived by then, Apache answers with status 408 Request Timeout and closes the connection. A fixed body timeout also cuts off legitimate large uploads on slow links, so the directive accepts a minimum rate: with body=30,MinRate=500 the 30-second deadline is extended by one second for every 500 bytes received (optionally capped with body=30-60,MinRate=500), so a real upload that sends hundreds of bytes per second keeps going while a connection trickling one byte every few seconds still expires. Closing the connection on a timeout does not by itself stop a tool that simply reconnects, so this is best combined with a per-source connection limit.
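To make the slow-POST mechanism from the "How does it work?" section and the effect of the body timeout concrete, here is an added example that is not part of the original post or of torshammer: a small model of a server reading a POST body under a mod_reqtimeout-style policy. The deadline handling follows the documented behaviour of RequestReadTimeout body=timeout[-maxtimeout][,MinRate=rate] (the deadline is extended by one second per MinRate bytes received and never past maxtimeout); the traffic shapes, the fixed 1.5-second interval standing in for the tool's random 0.1-3 s delay, and the Content-Length of 10000 are all constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Arrivals = List[Tuple[float, int]]   # (seconds since the headers were read, bytes received)


@dataclass
class BodyReadTimeout:
    """Server-side policy for reading a request body (models RequestReadTimeout body=...)."""
    timeout: float                       # initial seconds allowed for the whole body
    max_timeout: Optional[float] = None  # upper bound on the extended deadline, if any
    min_rate: Optional[int] = None       # bytes per second that earn the client more time

    def read_body(self, content_length: int, arrivals: Arrivals) -> Tuple[str, float, int]:
        """Returns (outcome, time, bytes_received); outcome is 'complete' when the
        declared Content-Length was fully received, or 'timeout' when the reader gave up
        (Apache would answer 408 and close the connection at that time)."""
        deadline = self.timeout
        hard_limit = self.max_timeout if self.max_timeout is not None else float("inf")
        received = 0
        for t, n in arrivals:
            if t > deadline:                      # the read timed out before this data arrived
                return "timeout", deadline, received
            received += n
            if self.min_rate:                     # MinRate: one extra second per min_rate bytes
                deadline = min(deadline + n / self.min_rate, hard_limit)
            if received >= content_length:        # Content-Length satisfied, request proceeds
                return "complete", t, received
        # The sender stopped before finishing: the connection idles until the deadline.
        return "timeout", deadline, received


def slow_post_stream(content_length: int, interval: float, duration: float):
    """The attack pattern: a large declared body delivered one byte every `interval`
    seconds for `duration` seconds, never reaching content_length."""
    arrivals: Arrivals = []
    t = interval
    while t <= duration:
        arrivals.append((t, 1))
        t += interval
    return content_length, arrivals


def legitimate_upload(size: int, rate: int):
    """A real client on a slow link: `size` bytes at `rate` bytes/s, one chunk per second."""
    arrivals: Arrivals = []
    sent, t = 0, 1.0
    while sent < size:
        chunk = min(rate, size - sent)
        arrivals.append((t, chunk))
        sent += chunk
        t += 1.0
    return size, arrivals


def compare_policies() -> Dict[str, Tuple[str, float, int]]:
    """Run the attack and a 50-second legitimate upload against three policies."""
    policies = {
        "fixed": BodyReadTimeout(timeout=30),                               # body=30
        "rated": BodyReadTimeout(timeout=30, min_rate=500),                 # body=30,MinRate=500
        "capped": BodyReadTimeout(timeout=20, max_timeout=40, min_rate=500),  # body=20-40,MinRate=500
    }
    attack = slow_post_stream(content_length=10000, interval=1.5, duration=600)
    upload = legitimate_upload(size=100_000, rate=2000)
    results = {}
    for name, policy in policies.items():
        results[f"attack/{name}"] = policy.read_body(*attack)
        results[f"upload/{name}"] = policy.read_body(*upload)
    return results


if __name__ == "__main__":
    for name, (outcome, when, got) in compare_policies().items():
        print(f"{name:14s} {outcome:8s} at t={when:7.2f}s after {got:6d} bytes")
```

Running it shows the trade-off in numbers: with a plain body=30 both the slow POST and the honest 2 kB/s upload are cut at 30 seconds, with MinRate=500 the upload completes at 50 seconds while the attack connection still expires at about 30 seconds, and the capped 20-40 variant reaps the attacker after about 20 seconds but also stops the upload at 40 seconds, so maxtimeout must be chosen with your largest expected uploads in mind. Whichever values you pick, each reaped connection frees a worker only until the tool reconnects, which is why the per-source connection limit remains the primary control.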

3) Use mod_qos

mod_qos provides mechanisms for giving different levels of priority to different HTTP requests and for limiting connections. We can add the following to the module's configuration:

# limit maximum connections per IP to 30
QS_SrvMaxConnPerIP 30
# limit maximum TCP connections to 256 (this is the core MPM directive, called
# MaxRequestWorkers in Apache 2.4; mod_qos uses it as the reference for the limits below)
MaxClients 256
# disable keep-alive once 160 of the 256 TCP connections are occupied
QS_SrvMaxConnClose 160
# minimum request/response speed in bytes per second: the required rate rises
# from 150 towards 1200 as the number of concurrent connections approaches MaxClients
QS_SrvMinDataRate 150 1200

Sources:
https://www.acunetix.com/blog/articles/slow-http-dos-attacks-mitigate-apache-http-server/

https://www.trustwave.com/Resources/SpiderLabs-Blog/(Updated)-ModSecurity-Advanced-Topic-of-the-Week--Mitigating-Slow-HTTP-DoS-Attacks/

https://berb.github.io/diploma-thesis/original/042_serverarch.html