Hello,

I think that it should be possible to write some form of signature to detect this without actually performing a DoS.  First, it should be mentioned that the check would not determine the specific vulnerable application but the underlying architecture issue.

To summarize the attack (please correct me if I'm wrong!):
Create a sufficiently large number of open HTTP connections to saturate the connection pool.  This results in the DoS condition (until connections time out).  This is not a TCP/IP layer attack but an application layer attack.

If one was able to open (and keep open) a safe number of connections for a specified threshold, one may be able to determine the existence of the flaw.  This would require additional testing and research of course. 

Jeremy



On Fri, Jun 26, 2009 at 5:54 PM, Andres Riancho <andres.riancho@gmail.com> wrote:
Carlos,

On Fri, Jun 26, 2009 at 6:17 PM, Carlos perez<cperezotero@gmail.com> wrote:
> Slowloris is part of the architecture of apache not a bug so the only way to
> check if an admin took preventive measures for his specific environment would
> be to check the apache.conf file

But if the admin took preventive measures, can't I test it using black box?

> Sent from my iPhone
>
> On Jun 26, 2009, at 3:25 PM, Andres Riancho <andres.riancho@gmail.com>
> wrote:
>
>> List,
>>
>>   Does anyone know if it's possible to test for the "slowloris
>> vulnerability" [0] without DoS'ing the web server? I was thinking
>> that if that was possible, we could add it to w3af. Someone already
>> did something in python [1], so it shouldn't be hard to add it to
>> w3af.
>>
>> [0] http://ha.ckers.org/slowloris/
>> [1] http://motomastyle.com/pyloris-a-python-implementation-of-slowloris/
>>
>> Cheers,
>> --
>> Andrés Riancho
>> Founder, Bonsai - Information Security
>> http://www.bonsai-sec.com/
>> http://w3af.sf.net/
>>
>>
>> ------------------------------------------------------------------------------
>> _______________________________________________
>> W3af-users mailing list
>> W3af-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/w3af-users
>



--
Andrés Riancho
Founder, Bonsai - Information Security
http://www.bonsai-sec.com/
http://w3af.sf.net/

------------------------------------------------------------------------------
_______________________________________________
W3af-users mailing list
W3af-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-users
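The check Jeremy sketches above (hold a small, safe number of connections open and see whether the server ever gives up on them) can be reduced to measuring one thing: how long the server keeps an incomplete request header open. Below is an added example of such a measurement, not code from the thread, w3af or pyloris. It uses one connection per measurement and a hard time cap, so it never saturates a connection pool; a constructed local stand-in server is included only so it can be run offline. Host names, the fake server and the threshold values are all assumptions.

```python
import socket
import threading
import time

# Constructed stand-in for a web server, used only so the probe can run offline:
# each connection is dropped `header_timeout` seconds after the last byte arrives
# unless a complete header block (terminated by a blank line) has been received.
def start_fake_server(header_timeout):
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)

    def handle(conn):
        conn.settimeout(header_timeout)
        buf = b""
        try:
            while b"\r\n\r\n" not in buf:
                chunk = conn.recv(1024)
                if not chunk:
                    break
                buf += chunk
        except socket.timeout:
            pass  # request never completed: the server gives up on it
        finally:
            conn.close()

    def serve():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def measure_header_timeout(host, port, max_wait):
    """Open ONE connection, send a deliberately incomplete request header and
    return the seconds the server kept it open before closing or replying.
    Returns max_wait if the server was still waiting when the cap expired."""
    s = socket.create_connection((host, port))
    s.settimeout(max_wait)
    start = time.monotonic()
    # Request line plus one header, but no terminating blank line.
    s.sendall(b"GET / HTTP/1.1\r\nHost: " + host.encode() + b"\r\n")
    try:
        s.recv(1)  # blocks until the server closes (b"") or answers (e.g. 408)
    except socket.timeout:
        return max_wait
    finally:
        s.close()
    return time.monotonic() - start

def request_timeout_enforced(host, port, max_wait=30.0):
    """True if the server abandons an incomplete request within max_wait seconds."""
    return measure_header_timeout(host, port, max_wait) < max_wait
```

A server that still holds the connection when the cap expires lets one idle client occupy a worker for at least that long, which is the architectural condition the thread is discussing; Apache's mod_reqtimeout and similar header timeouts are the usual mitigation.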