How to implement slow loris in C++?
Are you a Windows user who is interested in pen-testing or the cyber world, but don’t have enough resources? Or are you someone with a windows machine interested in learning to make cyber weapons but don’t know how to?
Well, the thing is that we, the windows users, are discriminated a lot in this world of open-source. But hey! Even windows enable you to do all of these.
So what if you can’t find pre-built tools, wouldn’t it be fun to make our very own tools?
So, let’s begin on our journey of making a slow loris attack tool on windows!
What is Slow Loris?
Slow loris is a DoS attack that is difficult to identify and to our benefit, simple to implement!
As the name suggests, this attack attacks very slowly. So slowly that the server is fooled and he pities us. But little does he know, we’re here to crash him!
That was enough though. LOL.
So, in slow loris, we generally send a lot of requests to a server to crash it. But that’s what almost all DoS attacks do?
What separates slow loris attack from the rest of them is the fact that it is very deceiving.
While others can be easily detected, slow loris attack makes itself look genuine and decent request for resources from the server.
How does slow loris work?
Every server has a timeout after which it closes the connection. With slow loris, we exploit this time frame!
Basically, in slow loris we send out multiple requests to the server, some garbage value to be very frank, and then wait.
Just before the server is about to close the connection due to timeout, we send the same garbage value again.
So, the server is deceived into believing that we are sending request, but have a very poor internet connection. So it holds on to the connection.
We repeat this every time the connection is about to be closed and soon we would have had one of its connection reserved for us, simply because we are not leaving it and it cannot kick us out like in other DoS attacks.
Just imagine how dreadful it would become if any and every connection the server could establish is acquired by such processes?
The server would crash!
And that’s exactly what we call slow loris. So in basic terms, it slowly but steadily eats all of the server’s bandwidth and starves it to death.
How to make your own slow loris program in C++
Get the right header files
This is quite basic to think but this is what got me hours to figure out. If you are new to network and socket programming like I was, then probably you need to read this section.
Else, you can skip this section without any regrets.
Here’s a list of header files that we need to get our program started.
Perhaps it was not worth mentioning, but still mentioned it to prevent any sort of confusion. This header file is the most basic we use in C/C++ programming for basic stuff.
If you have been working on C++ for a while then you would be knowing why I asked you to include this. For cin and cout.
We’ll need to have to do some string operations due to the input that we’ll get from the user.
Ah hah! Here comes the game changer. If you are new to socket programming then remember the name of this header file and make it your best friend. Any and every program that you’ll be writing from now on using some network functionalities of windows would need winsock2.h
It’s the most essential header file for this program
Note :- For this program you would need to dynamically link ws2_32.lib library. Link it as #pragma comment(lib,”ws2_32.lib”)
Declare variables and structures
Well, now this part goes inside the main function. You need two things that’ll act as the backbone of the entire program and you guessed it right, variables and structures.
Now, this code will have a function other than the main function, but its declarations will be discussed later.
So, let’s think about what do we need to make our program work?
Input from the user should be the first thing that comes to your mind.
And, what all would this input have?
It would have three things,
Number of threads
The last two things are mostly the same, port number 80 and 1000 threads. But just to make our tool a lot more flexible, we give the user the privileged feeling of entering them.
The illusion of choice as they say. ;)
Since we would be getting all of these from the user, they would be in the form of strings.
What about a counter? That’s the favorite thing we all have because every program has one.
So here we have a counter i, but, that’s not integer type but rather it’s an “unsigned long integer”. Royal one.
In Microsoft-ish, the language of Microsoft, we call it ULONG.
Now, I would recommend that you study about sockets a bit, but if you don’t know, don’t worry, even I didn’t know about them at the time of writing this tool.
After that, we need to have a structure for holding the socket address. If you don’t know what that means, in simple terms, I’m saying the information on how and whom to connect.
Then comes the serial killer of all times, WSADATA. Now that’s again something in Microsoft-ish, but I like to think of it as some sort of handle to our socket. And you need to have it if you wish to use sockets
Next, we need a structure for storing the host’s details. For this purpose, we use hostent structure. Another Microsoft shit, but it’s a nice one though.
Get Users Input
So, the simplest step. Get users to enter all the things we want them to take care of and they are, once again, target host, port number and number of threads.
Now, what I want you to take care of is the way you input strings. This may seem foolish, but I didn’t know at the time how to do so.
So if anyone is as dumb as me, use
Just in case you need to know it.
Prepare the hostent structure’s data
So, we have a structure specially dedicated to the host details and so now, we’ll fill some details in it.
Just in a single line. Are you ready?
host = gethostbyname(hostName.data());
Our structure is done now.
So, to break it down, we did two things here.
First, we converted the string to char*, because we’ll have to abide by the parameter type of the function.
And then secondly, we simply converted the entered domain name to its corresponding IPv4 address. If you don’t know IPv4, just leave it and focus here.
But by the way, how do you even know about slow loris if you don’t know what IPv4 is? Surprising folks are everywhere these days.
Prepare the socket address structure
So, we need to fill in three things in this structure, so bear with me, please.
1. Port number
The structure has a sin_port property whose value we have to assign. Simple, right?
Although it’s a one-liner, it can still give you nightmares. Are you ready?
Here we go:
socket_address.sin_port = htons(strtoul(port.data(),NULL,0));
Whoa whoa whoa! That’s messy, right?
Take a few deep breaths and now let’s break it down.
The first thing we did was convert port from string to char*, as we did earlier with hostname.
Same reason. Parameter type.
Then we convert it from string, or char*, to unsigned long integer using the function strtoul()
Once we’ve accomplished that we have done some seriously creepy stuff. Do you know about the host and network addresses?
I hope yes.
So the port number was converted to its corresponding network address using the function htons(). And so we finally have the port number prepared to be entered into the structure.
2. Host address
Now, this should be expected. We need to provide the host address or else how would socket know where to connect.
Again a messy one.
socket_address.sin_addr.S_un.S_addr = *(PULONG)host->h_addr;
So well, this makes use of the host structure we previously saw. Don’t ask me what it means, because even I don’t know that.
TIP: use #define HOST sin_addr.S_un.S_addr and then socket_address.HOST to make your code a bit more readable.
Finally something simple. We set the family to IPv4 by simple writing
socket_address.family = AF_INET;
Don’t ask me how AF_INET is IPv4, it’s Microsoft-ish.
Now it’s time for some serious fun.
Heard of multi-threading, we’re gonna implement it in C++. Now that’s a whole new badass level 8-)
We simply iterate in a loop and create as many threads as the user wanted using the CreateThread() method.
This method would call a function, that we’ll write just now and pass the socket address that we’ve prepared as an argument.
The soul of this program, the function that will run on multiple threads and make multiple slow loris requests to the server.
Now again, we have this divided to reduce complexity
1. Variables and structures
So, what all according to you are needed to implement this?
A socket address, good. An actual socket, great. And a garbage value to send again and again.
But, if you’re new, then to your surprise, we’ll need a header too to send to the server telling that it’s a GET request over HTTP.
So repeating the request, again and again, is something that keeps the attack going. And by the way, what do we need for that, “Infinite loops”.
Yes, you’re right, infinite loops.
So, we’ll have our first infinite loop create at this moment and then within it will go the following.
First of all, a socket will be created using the socket() constructor.
s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
This creates a stream socket working on IPv4 and TCP protocol.
Once we have our socket, we’ll prepare our header and the garbage char.
char header = “GET /”;
char garbage = ‘a’;
3. Connect to the host
With all the prerequisites, we’re ready to roll and go.
We’ll now simply connect to the host using the connect function.
sockaddr_in *socket_address = (sockaddr_in*)p;
That was scary, wasn’t it?
So what we did was, pass the socket s, converted the parameter p we got from the main function to appropriate type, passed it and it’s size to the connect function and so now, we
have established our connection.
4. Send the header
The server by now would be waiting for a header. Let’s tell that loser that we’ll have a GET request for him.
We’ll do this by using send() function.
Now, remember that header is a string that’ll have a ‘\0’ at its end by default. That’s why we did sizeof(header)-1 and not sizeof(header)
5. Another infinite loop
If everything is fine by now, then we have fooled the server and so would now simply send the garbage value again and again within another infinite loop using send() function as we did above.
Now, you would be thinking why we did &garbage while we had header in the send function above?
That’s because header was a pointer and garbage is a simple character.
And now, your slow loris tool is ready to conquer the servers.
PS:- There are places in this code where I’ve checked for errors and in case of errors, simply repeated the process in a loop. Visit slowLoris for the complete code.