Posted to users@tomcat.apache.org by Manohar Mikkili <mi...@gmail.com> on 2023/02/24 05:57:17 UTC

emulate slowloris DoS attack on apache-tomcat-9.0.71

I am trying to emulate the slowloris DoS attack on Tomcat v9.0.71.
Despite much deliberation, I failed to achieve this.

Since this CVE is a pretty old one (circa 2012) my guess is that the same
has been taken care of in the subsequent Tomcat releases. I could not find
any documented evidence that Google has presented so far.

Can someone from this august forum please advise/validate my presumptions
about this?

thanks in advance
Manohar.

Re: emulate slowloris DoS attack on apache-tomcat-9.0.71

Posted by Mark Thomas <ma...@apache.org>.
On 24/02/2023 05:57, Manohar Mikkili wrote:
> I am trying to emulate the slowloris DoS attack on Tomcat v9.0.71.
> Despite much deliberation, I failed to achieve this.
> 
> Since this CVE is a pretty old one (circa 2012) my guess is that the same
> has been taken care of in the subsequent Tomcat releases. I could not find
> any documented evidence that Google has presented so far.
> 
> Can someone from this august forum please advise/validate my presumptions
> about this?

This is CVE-2012-5568 (which should not have been allocated but that is 
a different topic).

See:
https://tomcat.apache.org/security-7.html#Not_a_vulnerability_in_Tomcat
https://tomcat.apache.org/security-impact.html

Newer versions of Tomcat will be less susceptible to this attack since 
they use non-blocking I/O.

That said, servers are always going to have a connection limit somewhere 
and if an attacker can consume most/all of those connections with 
traffic that appears to be legitimate you are going to see a DoS.

Mark
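
Added example, not part of either message and not Tomcat code: a defender-side check for the condition described in the reply above, where a few peers hold most of a connector's connection limit. It counts established connections per peer from text in the layout of `ss -tn` output; the function names, the limit of 8 and the 25% threshold are assumptions chosen for illustration, and the sample lines are constructed.

```python
from collections import Counter

# Constructed sample in the layout of `ss -tn` output (not captured from a real host).
SAMPLE_SS = """\
State     Recv-Q Send-Q Local Address:Port    Peer Address:Port
ESTAB     0      0      10.0.0.5:8080         203.0.113.7:51514
ESTAB     0      0      10.0.0.5:8080         203.0.113.7:51516
ESTAB     0      0      10.0.0.5:8080         203.0.113.7:51518
ESTAB     0      0      10.0.0.5:8080         203.0.113.7:51520
ESTAB     0      0      10.0.0.5:8080         203.0.113.7:51522
TIME-WAIT 0      0      10.0.0.5:8080         203.0.113.7:51400
ESTAB     0      0      10.0.0.5:8080         198.51.100.20:40112
ESTAB     0      0      [2001:db8::5]:8080    [2001:db8::1]:50022
ESTAB     0      0      10.0.0.5:22           192.0.2.9:60100
"""

def split_endpoint(endpoint):
    """Split 'addr:port' or '[v6addr]:port' into (addr, port)."""
    addr, _, port = endpoint.rpartition(":")
    return addr.strip("[]"), int(port)

def established_per_peer(ss_output, local_port):
    """Count ESTAB sockets on local_port, grouped by peer address."""
    counts = Counter()
    for line in ss_output.splitlines():
        fields = line.split()
        # Skip the header, blank lines and every state other than ESTAB.
        if len(fields) < 5 or fields[0] != "ESTAB":
            continue
        _, lport = split_endpoint(fields[3])
        peer, _ = split_endpoint(fields[4])
        if lport == local_port:
            counts[peer] += 1
    return counts

def flag_hoarders(ss_output, local_port, max_connections, share=0.25):
    """Return (connections in use, [(peer, count)]) for peers holding at
    least `share` of the connector's connection limit."""
    counts = established_per_peer(ss_output, local_port)
    flagged = [(p, n) for p, n in counts.most_common()
               if n / max_connections >= share]
    return sum(counts.values()), flagged

if __name__ == "__main__":
    # max_connections=8 is an assumed, deliberately small limit for the sample.
    in_use, flagged = flag_hoarders(SAMPLE_SS, 8080, max_connections=8)
    print(f"{in_use}/8 connections in use; peers over threshold: {flagged}")
```

In practice `max_connections` would be set to the limit actually configured on the connector being monitored, and the input would come from the live socket table rather than the embedded sample.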
