DoS attack in the wild

Weibin Yao nbubingo at gmail.com
Tue Jun 23 12:09:09 MSD 2009


István at 2009-6-23 15:46 wrote:
> I am not able to reproduce this. The server is answering and serving
>
> ./slowloris.pl -dns doma.in <http://doma.in> -port 80 -timeout 2 -num 
> 10000
>
> The load is zero, there is not even a delay in the response time. 
> Would you mind to share your slowloris.pl command and/or the nginx 
> relevant config, OS type and version, sysctl.conf(or equivalent).
>
> It would be also nice to know what the nginx is doing in that time, do 
> you have dtrace on that node? Enable debug level logging in nginx is a 
> really bad idea if you have 5000 requests...
>
> /"But if you have enough attack computers, you also can make a Nginx 
> server deny service."/
> /
> /
> If you have enough computer you can take down even google.com 
> <http://google.com>, this is not relevant to this conversation, 
> moreover the slowloris is a dedicated tool to low bandwith/low amount 
> of computers attacks.
>
I'm sorry for my misunderstanding with your last mail. My meaning is  
that Nginx has much better performance under such attack.

In my test case, I reduce the worker_connections to only 1024 because I 
just have one attack computer.

And my test script is:
./slowloris.pl -dns doma.in <http://doma.in>  -port 80 -timeout 30 -num 
10000 -tcpto 5
:-P

-- 
Weibin Yao







More information about the nginx mailing list