[tor-bugs] #23527 [Internal Services/Tor Sysadmin Team]: Our web server is probably vulnerable to slowloris attack

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Sep 15 06:01:55 UTC 2017


#23527: Our web server is probably vulnerable to slowloris attack
-----------------------------------------------------+-----------------
     Reporter:  gk                                   |      Owner:  tpa
         Type:  defect                               |     Status:  new
     Priority:  Medium                               |  Milestone:
    Component:  Internal Services/Tor Sysadmin Team  |    Version:
     Severity:  Normal                               |   Keywords:
Actual Points:                                       |  Parent ID:
       Points:                                       |   Reviewer:
      Sponsor:                                       |
-----------------------------------------------------+-----------------
 We got a HackerOne bug report about some web server vulnerability (it
 seems to be not hardened against slowloris attacks):

 | http-slowloris-check:
 | VULNERABLE:
 | Slowloris DOS attack
 | State: LIKELY VULNERABLE
 | IDs: CVE:CVE-2007-6750
 | Slowloris tries to keep many connections to the target web server open and hold
 | them open as long as possible. It accomplishes this by opening connections to
 | the target web server and sending a partial request. By doing so, it starves
 | the http server's resources causing Denial Of Service.

 See the attachment for more information about what they tested.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/23527>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
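
The scanner text above describes partial requests that keep connections open. The added example below is not part of the ticket and not Tor Project code; it shows why a per-read idle timeout does not release such a connection while a single deadline on the whole header block does. The ticket does not name the web server or its configuration, so the function names, the timeout values and the in-memory client that feeds header lines are all assumptions made for illustration.

```python
import asyncio

HEADER_END = b"\r\n\r\n"

async def read_headers_idle_timeout(reader, idle_timeout):
    """Weak: the timer restarts on every chunk, so a trickle keeps the slot."""
    buf = b""
    while HEADER_END not in buf:
        chunk = await asyncio.wait_for(reader.read(4096), idle_timeout)
        if not chunk:
            raise ConnectionError("client closed before headers were complete")
        buf += chunk
    return buf

async def read_headers_deadline(reader, total_deadline):
    """Hardened: one deadline covers the complete header block."""
    return await asyncio.wait_for(reader.readuntil(HEADER_END), total_deadline)

async def pieces_accepted(read_fn, limit, pieces=20, gap=0.03):
    """Feed constructed header lines slowly into an in-memory reader and
    return how many the server side accepted before it gave up."""
    reader = asyncio.StreamReader()
    sent = 0

    async def slow_client():
        nonlocal sent
        for _ in range(pieces):
            await asyncio.sleep(gap)
            reader.feed_data(b"X-a: b\r\n")  # constructed line, never a blank line
            sent += 1

    task = asyncio.ensure_future(slow_client())
    try:
        await read_fn(reader, limit)
    except asyncio.TimeoutError:
        pass  # server side released the connection
    finally:
        task.cancel()
    return sent

if __name__ == "__main__":
    for fn in (read_headers_idle_timeout, read_headers_deadline):
        n = asyncio.run(pieces_accepted(fn, 0.3))
        print(f"{fn.__name__}: accepted {n} of 20 slow header lines")
```

With the same 0.3 second limit, the idle-timeout reader holds the connection for the client's entire trickle, while the deadline reader drops it partway through.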

