Skip to content

geuis/node-splat

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
 
 
 
 

Repository files navigation

Splat is intended to be a demonstration of the HTTP POST Denial of Service attack described on http://www.acunetix.com/blog/web-security-zone/articles/http-post-denial-service/.
This script is not meant for nefarious purposes but rather to educate and for testing.
It is intended to demonstrate how opening lots of simultaneous POST connections to a server, specifying a long Content-Length, and feeding data to the server slowly can cause a mis-configured server to be made unresponsive.

There's no license on this thing. The author takes no freaking responsibility for what dumbasses decide to do with what is a very basic script that took the author a few minutes to write. Use at your own risk, don't bother the author about it, feel free to fork it, pork it, or whatever you want.

USAGE:
1) Customize the "url" variable to a domain. DO NOT USE http:// or https://
2) Set "max_connections" to how many simultaneous connections you want to open. 125 is recommended or Node might freak out.
3) Set "length" to the total number of bytes that should be sent over time. Each byte is sent once per second.
4) Run it from your terminal in the node-splat directory, "node app.js"
5) If you don't know what Node.js is, go to http://nodejs.org

Running more than 125 max_connections tended to make node.js on the dev system crash. You may be able to do more. Run multiple instances (separate terminal windows on a Mac) to achieve the desired effect.
On the test system (Mac Pro), Apache on localhost stopped responding with 250 connections. The author's website running on lighttpd handled up to about 1125 simultaneous connections before hanging.

About

simple HTTP POST denial of service example

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published