Skip to content

A reverse slowloris attack to hopefully troll bots polling for vulnerable web servers

License

Notifications You must be signed in to change notification settings

nickhuber/reverse-slowloris

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

reverse-slowloris

This is a take on the slowloris attack except done in reverse. Anyone who connects to this server will be sent an infinite slow stream of data until they terminate the connection.

This came up when I was looking through my nginx access logs and saw many requests for endpoints in search of security holes, like /phpmyadmin, /.git/HEAD and many others. I took a sample of the most common endpoints requested and added a block like this to my nginx configuration

location /wp-login.php {
    proxy_pass http://localhost:8080;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_request_buffering off;
    proxy_buffering off;
}
location /mysql {
    proxy_pass http://localhost:8080;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_request_buffering off;
    proxy_buffering off;
}
location /databases {
    proxy_pass http://localhost:8080;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_request_buffering off;
    proxy_buffering off;
}

I would then include this in any configurations in my nginx conf.d directory for easy reuse. I also adjusted the base nginx conf to proxy into this server, for some handling when no hostname is specified (connecting via IP address)

I don't know if this annoys the bots at all, but I have seen some stay connected for over 14 hours.

About

A reverse slowloris attack to hopefully troll bots polling for vulnerable web servers

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Languages