Slow Loris Attack Using JavaScript on a PHP Server [and Protections Against It!]

Published 2023/11/29, php, 豆豆

Forget the post for a minute, let's begin with what this title is about! This is a web security-based article which will get into the basics about how HTTP works. We'll also look at a simple attack which exploits the way the HTTP protocol works.


What is HTTP?

HTTP, HyperText Transfer Protocol, is the protocol used by the web for communication. Your device, when you use a browser, uses this particular protocol to send requests to remote servers to request data from them.


It's basically like you saying to your mom, "Hey mom, I need to eat the item in the fridge present at shelf 2, could you give it to me?"


And your mom says, "Sure, here you go", and sends you that item. Now, HTTP is the way you were able to communicate this information to your mom, more like the language you used for communication.


How HTTP Works

Here's a TL;DR video if you're a video person. Otherwise, proceed with the article:


HTTP (Layer 7) is built on top of the TCP protocol (Layer 4). We can use the nc (netcat) utility to open a raw TCP socket to any website serving HTTP (usually port 80). The following example shows how to connect to port 80 of google.com with netcat:


See the data we sent:


    GET / HTTP/1.1
    Host: google.com
    X-header-1: somemoredata
    X-header-2: somemoredata
    <empty line>

Ignore the extra X-header-* headers; they're just arbitrary headers you can send with your request. The one header the HTTP/1.1 spec requires you to include is the Host header.


And the response we got:


    HTTP/1.1 301 Moved Permanently
    Location: http://www.google.com/
    Content-Type: text/html; charset=UTF-8
    Date: Tue, 01 Oct 2019 23:24:13 GMT
    Expires: Thu, 31 Oct 2019 23:24:13 GMT
    Cache-Control: public, max-age=2592000
    Server: gws
    Content-Length: 219
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    Accept-Ranges: none
    Via: HTTP/1.1 forward.http.proxy:3128
    Connection: keep-alive

    <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
    <TITLE>301 Moved</TITLE></HEAD><BODY>
    <H1>301 Moved</H1>
    The document has moved
    <A HREF="http://www.google.com/">here</A>.
    </BODY></HTML>

Thus, HTTP is a plaintext protocol consisting of the request sent by the client and the response returned by the server, as shown above.


Slow Loris Attack

A Slow Loris attack exploits the fact that I can make an HTTP request very, very slowly. In other words, I can initiate an HTTP request to the server and keep sending data to it in tiny pieces in order to keep that connection alive. The request never completes, so the connection is never released, and the attacker opens many such connections to exhaust the server's connection pool.


Disclaimer - Penetration testing any online/offline service not owned by you without prior written permission is illegal and I'm not responsible for any damage caused. Use this content for educational purposes only.


Slow Loris Demonstration:

This means I can keep sending additional data to the server in the form of headers. Now, I'll start a simple PHP development server on my machine:


And I use a simple Node script to perform what we discussed above on my local server:


You can find the Node script used here.


After some time, you'll see that our PHP server actually crashes!


This is because there are far too many open connections and PHP cannot accept any more (due to memory/hardware limits).

這是因?yàn)榇嬖谔嗟拇蜷_(kāi)連接,而PHP無(wú)法處理任何更多的打開(kāi)連接(由于內(nèi)存/硬件限制)。

Now, of course this works flawlessly against a local development server. But if you're able to find a server which does not implement protections against slow loris attacks, it is a big problem for its operators.


Protections against a Slow Loris attack

  • Use solutions like Cloudflare in front of your servers to prevent DoS/DDoS


    Quoting from Cloudflare's site:


    Cloudflare buffers incoming requests before starting to send anything to the origin server. As a result, "low and slow" attack traffic like Slowloris attacks never reach the intended target. Learn more about how Cloudflare's DDoS protection stops slowloris attacks.


  • Rate limit the number of simultaneous connections opened by a particular IP address to a small number. This can be achieved with a simple frontend reverse proxy such as nginx, using its leaky bucket algorithm implementation. How that works is something for another day!

  • Increasing the server capacity - This might mitigate small attacks, but honestly an attacker can and would scale/amplify the original attack quite easily, because very little bandwidth is required to carry out such an attack.

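As an added example (not the article's code or its Node script), here is the defender-side logic behind the two server-side protections above, a per-IP cap on simultaneous connections and a deadline for finishing the request headers, which is what separates the demonstration's never-ending requests from a normal browser; the default limits and the harden() wiring are assumptions:

```javascript
// Added example (not the article's code): per-IP connection cap plus a header deadline,
// the two server-side protections discussed above. Default limits are assumptions.
class SlowRequestGuard {
  constructor({ maxPerIp = 10, headerTimeoutMs = 10000 } = {}) {
    this.maxPerIp = maxPerIp;               // simultaneous connections per client IP
    this.headerTimeoutMs = headerTimeoutMs; // time allowed to finish the request head
    this.byIp = new Map();    // ip -> number of open connections
    this.pending = new Map(); // connId -> { ip, openedAt } while headers are incomplete
  }
  // New TCP connection. Returns false (caller should drop it) if the IP is at its cap.
  onConnect(connId, ip, now) {
    const open = this.byIp.get(ip) || 0;
    if (open >= this.maxPerIp) return false;
    this.byIp.set(ip, open + 1);
    this.pending.set(connId, { ip, openedAt: now });
    return true;
  }
  // The blank line ending the request head arrived: this connection is no longer slow.
  onHeadersComplete(connId) { this.pending.delete(connId); }
  // Socket closed for any reason: free the IP's slot.
  onClose(connId, ip) {
    this.pending.delete(connId);
    const open = (this.byIp.get(ip) || 0) - 1;
    if (open <= 0) this.byIp.delete(ip); else this.byIp.set(ip, open);
  }
  // Connections still dribbling headers past the deadline; the caller destroys these
  // sockets. A Slowloris client shows up here, a normal browser does not.
  expired(now) {
    const out = [];
    for (const [id, { openedAt }] of this.pending) {
      if (now - openedAt >= this.headerTimeoutMs) out.push(id);
    }
    return out;
  }
}

// Hook the guard into a Node http.Server (assumed wiring): headersTimeout is Node's own
// header deadline, the connection listener enforces the per-IP cap.
function harden(server, guard) {
  server.headersTimeout = guard.headerTimeoutMs;
  let nextId = 0;
  server.on('connection', (sock) => {
    const id = nextId++;
    const ip = sock.remoteAddress;
    if (!guard.onConnect(id, ip, Date.now())) { sock.destroy(); return; }
    sock.on('close', () => guard.onClose(id, ip));
  });
  return server;
}
```

In front of a PHP server the same two controls are what nginx's limit_conn and client_header_timeout directives provide.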

Conclusion

Many servers (recent versions of nginx/apache2) ship with slow loris attack protections by default. But for many internal services, the servers might still be vulnerable to this simple attack.


You might want to check your services and implement the fixes. Web security is an exciting area, and I plan to do a web series on it on codedamn. You can connect with me on twitter for updates too. Till then, be safe!


Translated from: https://www.freecodecamp.org/news/slow-loris-attack-using-javascript-on-php-server/
