[tor-bugs] #23527 [Internal Services/Tor Sysadmin Team]: Our web server is probably vulnerable to slowloris attack

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Sep 15 15:25:38 UTC 2017

#23527: Our web server is probably vulnerable to slowloris attack
 Reporter:  gk                                   |          Owner:  tpa
     Type:  defect                               |         Status:  new
 Priority:  Medium                               |      Milestone:
Component:  Internal Services/Tor Sysadmin Team  |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:                                       |  Actual Points:
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:

Comment (by dcf):

 BTW [https://nmap.org/nsedoc/scripts/http-slowloris-check.html http-
 slowloris-check] is an Nmap script. You can try to reproduce it yourself
 using this command. When I tried it just now, it didn't detect any
 vulnerability, even against the same IP address as in attachment:tor.PNG,
 $ nmap -p 80,443 --script http-slowloris-check www.torproject.org

 Starting Nmap 7.60 ( https://nmap.org ) at 2017-09-15 08:22 PDT
 Nmap scan report for www.torproject.org (
 Host is up (0.18s latency).
 Other addresses for www.torproject.org (not scanned):
 2001:41b8:202:deb:213:21ff:fe20:1426 2001:6b0:5a:5000::5
 2620:0:6b0:b:1a1a:0:26e5:4810 2a01:4f8:172:1b46:0:abba:5:1
 rDNS record for listera.torproject.org

 80/tcp  open  http
 443/tcp open  https

 Nmap done: 1 IP address (1 host up) scanned in 24.16 seconds
 You can see what the script is doing in its source code:
 https://svn.nmap.org/nmap/scripts/http-slowloris-check.nse. You can get
 more debugging output using the `-d` option, like `[http-slowloris-check] Time difference is: 0`.

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/23527#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list