Skip to content

TunnelBear/reverse-slowloris

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

6 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

reverse-slowloris

This is a take on the slowloris attack except done in reverse. Anyone who connects to this server will be sent an infinite slow stream of data until they terminate the connection.

This came up when I was looking through my nginx access logs and saw many requests for endpoints in search of security holes, like /phpmyadmin, /.git/HEAD and many others. I took a sample of the most common endpoints requested and added a block like this to my nginx configuration

location /wp-login.php {
    proxy_pass http://localhost:8080;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_request_buffering off;
    proxy_buffering off;
}
location /mysql {
    proxy_pass http://localhost:8080;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_request_buffering off;
    proxy_buffering off;
}
location /databases {
    proxy_pass http://localhost:8080;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_request_buffering off;
    proxy_buffering off;
}

I would then include this in any configurations in my nginx conf.d directory for easy reuse. I also adjusted the base nginx conf to proxy into this server, for some handling when no hostname is specified (connecting via IP address)

I don't know if this annoys the bots at all, but I have seen some stay connected for over 14 hours.

notes for CloudFlare

  • CloudFlare might kill the connection after 100 seconds (docs)
  • Or up to 100 minutes if you have enterprise and (api) bump the proxy read timeout. the higher timeout will apply across the entire zone though.
  • (or maybe CF won't time it out since it is sending response bytes the whole time?)

About

tar pit for our bot friends

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Languages

  • Go 100.0%