• Anirudh Duggal

How to implement slow loris in C++?


Photo by Clément H on Unsplash


Are you a Windows user who is interested in pen-testing or the cyber world, but don’t have enough resources? Or are you someone with a windows machine interested in learning to make cyber weapons but don’t know how to?


Well, the thing is that we, the windows users, are discriminated a lot in this world of open-source. But hey! Even windows enable you to do all of these.


So what if you can’t find pre-built tools, wouldn’t it be fun to make our very own tools?


So, let’s begin on our journey of making a slow loris attack tool on windows!


What is Slow Loris?


Slow loris is a DoS attack that is difficult to identify and to our benefit, simple to implement!


As the name suggests, this attack attacks very slowly. So slowly that the server is fooled and he pities us. But little does he know, we’re here to crash him!


That was enough though. LOL.


So, in slow loris, we generally send a lot of requests to a server to crash it. But that’s what almost all DoS attacks do?


What separates slow loris attack from the rest of them is the fact that it is very deceiving.


While others can be easily detected, slow loris attack makes itself look genuine and decent request for resources from the server.


How does slow loris work?


Every server has a timeout after which it closes the connection. With slow loris, we exploit this time frame!


Basically, in slow loris we send out multiple requests to the server, some garbage value to be very frank, and then wait.


Just before the server is about to close the connection due to timeout, we send the same garbage value again.


So, the server is deceived into believing that we are sending request, but have a very poor internet connection. So it holds on to the connection.


We repeat this every time the connection is about to be closed and soon we would have had one of its connection reserved for us, simply because we are not leaving it and it cannot kick us out like in other DoS attacks.


Just imagine how dreadful it would become if any and every connection the server could establish is acquired by such processes?


The server would crash!


And that’s exactly what we call slow loris. So in basic terms, it slowly but steadily eats all of the server’s bandwidth and starves it to death.


How to make your own slow loris program in C++


Get the right header files


This is quite basic to think but this is what got me hours to figure out. If you are new to network and socket programming like I was, then probably you need to read this section.


Else, you can skip this section without any regrets.


Here’s a list of header files that we need to get our program started.


<stdio.h>


Perhaps it was not worth mentioning, but still mentioned it to prevent any sort of confusion. This header file is the most basic we use in C/C++ programming for basic stuff.


<iostream>


If you have been working on C++ for a while then you would be knowing why I asked you to include this. For cin and cout.


<string>


We’ll need to have to do some string operations due to the input that we’ll get from the user.


<winsock2.h>


Ah hah! Here comes the game changer. If you are new to socket programming then remember the name of this header file and make it your best friend. Any and every program that you’ll be writing from now on using some network functionalities of windows would need winsock2.h


It’s the most essential header file for this program


Note :- For this program you would need to dynamically link ws2_32.lib library. Link it as #pragma comment(lib,”ws2_32.lib”)


Declare variables and structures


Well, now this part goes inside the main function. You need two things that’ll act as the backbone of the entire program and you guessed it right, variables and structures.


Now, this code will have a function other than the main function, but its declarations will be discussed later.


So, let’s think about what do we need to make our program work?


Input from the user should be the first thing that comes to your mind.


And, what all would this input have?


It would have three things,

  1. Target host

  2. Port number

  3. Number of threads

The last two things are mostly the same, port number 80 and 1000 threads. But just to make our tool a lot more flexible, we give the user the privileged feeling of entering them.


The illusion of choice as they say. ;)


Since we would be getting all of these from the user, they would be in the form of strings.


What about a counter? That’s the favorite thing we all have because every program has one.


So here we have a counter i, but, that’s not integer type but rather it’s an “unsigned long integer”. Royal one.


In Microsoft-ish, the language of Microsoft, we call it ULONG.


Now, I would recommend that you study about sockets a bit, but if you don’t know, don’t worry, even I didn’t know about them at the time of writing this tool.


After that, we need to have a structure for holding the socket address. If you don’t know what that means, in simple terms, I’m saying the information on how and whom to connect.


Then comes the serial killer of all times, WSADATA. Now that’s again something in Microsoft-ish, but I like to think of it as some sort of handle to our socket. And you need to have it if you wish to use sockets


Next, we need a structure for storing the host’s details. For this purpose, we use hostent structure. Another Microsoft shit, but it’s a nice one though.


Get Users Input


So, the simplest step. Get users to enter all the things we want them to take care of and they are, once again, target host, port number and number of threads.


Now, what I want you to take care of is the way you input strings. This may seem foolish, but I didn’t know at the time how to do so.


So if anyone is as dumb as me, use


getline(cin,variable_name);


Just in case you need to know it.

Prepare the hostent structure’s data


So, we have a structure specially dedicated to the host details and so now, we’ll fill some details in it.


Just in a single line. Are you ready?


host = gethostbyname(hostName.data());


Our structure is done now.


So, to break it down, we did two things here.


First, we converted the string to char*, because we’ll have to abide by the parameter type of the function.


And then secondly, we simply converted the entered domain name to its corresponding IPv4 address. If you don’t know IPv4, just leave it and focus here.


But by the way, how do you even know about slow loris if you don’t know what IPv4 is? Surprising folks are everywhere these days.


Prepare the socket address structure


So, we need to fill in three things in this structure, so bear with me, please.


1. Port number


The structure has a sin_port property whose value we have to assign. Simple, right?


Wrong!


Although it’s a one-liner, it can still give you nightmares. Are you ready?


Here we go:


socket_address.sin_port = htons(strtoul(port.data(),NULL,0));


Whoa whoa whoa! That’s messy, right?


Take a few deep breaths and now let’s break it down.


The first thing we did was convert port from string to char*, as we did earlier with hostname.


Why?


Same reason. Parameter type.


Then we convert it from string, or char*, to unsigned long integer using the function strtoul()


Once we’ve accomplished that we have done some seriously creepy stuff. Do you know about the host and network addresses?


I hope yes.


So the port number was converted to its corresponding network address using the function htons(). And so we finally have the port number prepared to be entered into the structure.


2. Host address


Now, this should be expected. We need to provide the host address or else how would socket know where to connect.


Again a messy one.


socket_address.sin_addr.S_un.S_addr = *(PULONG)host->h_addr;


So well, this makes use of the host structure we previously saw. Don’t ask me what it means, because even I don’t know that.


TIP: use #define HOST sin_addr.S_un.S_addr and then socket_address.HOST to make your code a bit more readable.


3. Family


Finally something simple. We set the family to IPv4 by simple writing


socket_address.family = AF_INET;


Don’t ask me how AF_INET is IPv4, it’s Microsoft-ish.


Making threads


Now it’s time for some serious fun.


Heard of multi-threading, we’re gonna implement it in C++. Now that’s a whole new badass level 8-)


We simply iterate in a loop and create as many threads as the user wanted using the CreateThread() method.


This method would call a function, that we’ll write just now and pass the socket address that we’ve prepared as an argument.

SlowLoris() function


The soul of this program, the function that will run on multiple threads and make multiple slow loris requests to the server.


Now again, we have this divided to reduce complexity


1. Variables and structures


So, what all according to you are needed to implement this?


A socket address, good. An actual socket, great. And a garbage value to send again and again.


But, if you’re new, then to your surprise, we’ll need a header too to send to the server telling that it’s a GET request over HTTP.


2. Loops


So repeating the request, again and again, is something that keeps the attack going. And by the way, what do we need for that, “Infinite loops”.


Yes, you’re right, infinite loops.


So, we’ll have our first infinite loop create at this moment and then within it will go the following.


First of all, a socket will be created using the socket() constructor.


s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);


This creates a stream socket working on IPv4 and TCP protocol.


Once we have our socket, we’ll prepare our header and the garbage char.


char header[] = “GET /”;

char garbage = ‘a’;


3. Connect to the host


With all the prerequisites, we’re ready to roll and go.


We’ll now simply connect to the host using the connect function.


sockaddr_in *socket_address = (sockaddr_in*)p;

connect(s,(sockaddr *)socket_address,sizeof(socket_address);


That was scary, wasn’t it?


So what we did was, pass the socket s, converted the parameter p we got from the main function to appropriate type, passed it and it’s size to the connect function and so now, we

have established our connection.


4. Send the header


The server by now would be waiting for a header. Let’s tell that loser that we’ll have a GET request for him.


We’ll do this by using send() function.


send(s,header,sizeof(header)-1,0);


Now, remember that header is a string that’ll have a ‘\0’ at its end by default. That’s why we did sizeof(header)-1 and not sizeof(header)


5. Another infinite loop


If everything is fine by now, then we have fooled the server and so would now simply send the garbage value again and again within another infinite loop using send() function as we did above.


while(1) {

send(s,&garbage,sizeof(garbage),0);

}


Now, you would be thinking why we did &garbage while we had header in the send function above?


That’s because header was a pointer and garbage is a simple character.


And now, your slow loris tool is ready to conquer the servers.


PS:- There are places in this code where I’ve checked for errors and in case of errors, simply repeated the process in a loop. Visit slowLoris for the complete code.

Please Note
Join our mailing list

© 2023 by I Made It!. Proudly created with wix.com