Project 16: Attacking Apache with the OWASP HTTP DoS Tool (15 pts.)

Requirements

You will need two machines--they can be physical or virtual, but they must be on the same LAN:

A Linux machine (any version is OK, BackTrack is good, I used Ubuntu 10.04)
A Windows attacker (any version is OK, I used Windows XP)

Starting the Apache Web Server

Start the Linux machine and log in. Open a Terminal window. Ping ubuntu.com and make sure you are getting replies. If you are not, you need to fix your networking before you can proceed.

In the Terminal window, execute this command:

/etc/init.d/apache2 start

Viewing the Apache Server Status

In the Linux machine, open Firefox. Enter this address: http://localhost/server-status

You should see only one letter in the grid, indicating that only one client is being served at the moment, as shown below on this page.

Getting the OWASP HTTP DoS Tool

On the Windows machine, open a browser and go to http://code.google.com/p/owasp-dos-http-post

Click Downloads. Click HttpDosTool3.6.zip. Download the file and unzip it.

Attacking Apache with the OWASP HTTP DoS Tool

When you unzipped the file, a folder named HttpDosTool appears. Double-click it to open it. Double-click the gui.exe file. The "HTTP attack" window opens, as shown below.

In the URL box, enter http:// followed by the IP address of your Linux Apache server.

Start with these parameters, which are sufficient to bring Apache to a total stop:

Attack Type: Slow headers
Connections: 40000
Connection rate: 50
Timeout(s): 100

Click the "Run attack" button. You should see the "HTTP Attack information" box, as shown below on this page.

Viewing the Apache Server Status

In the Linux machine, in Firefox, click the Refresh button. If the page does not load, you may have to stop the attack briefly to get the session started, and then restart the attack, and then refresh the Firefox page.

You should see the grid full of letters, indicating that all possible connections are in use, as shown below on this page.

Saving the Screen Image

Make sure you can see the status grid filled with letters, as shown in the image above on this page.

Save a screen image with the filename Proj 16 from Your Name.

Stopping the Attack

In the Windows machine, in the "HTTP Attack information" box, click the "Cancel attack" button.

Turning in Your Project

Email the image to [email protected] with a Subject line of Proj 16 from Your Name.

Sources

http://linuxlog.org/?p=135

http://blog.spiderlabs.com/modsecurity/page/2/

http://mdessus.free.fr/?p=7

http://blog.ebizdaddy.com/2010/11/fortify-apache-web-server-with-mod_evasive-and-mod_security-on-ubuntu-10-04-lts-server/

Last modified: 8-2-11