Sin 4

So, I thought I would present some of my projects, starting with Sin.

Sin is a simply a very flexible denial of service tool, or rather, it’s a very small DoS handler. Sin itself doesn’t take down servers, but the plugins that you write for Sin, do.
A user specifies a DoS plugin to use, like Slowloris for example, and then send some arguments to Sin that are specific for that plugin (there are tools in Sin to help with figuring all this out), when Sin gets the “–plugins ” argument, it will check in a folder called “plugins” for a matching plugin.
If one is found, Sin will load the plugin and send the arguments to it, and from there on it’s out of Sin’s hands.
So the core of the Sin project was just a way to organize the DoS tools a bit and keep them all under the same roof (and because I like to implement the different methods of denial of service).

The name Sin comes from the big monster from Final Fantasy X.
Not the best in the series, but still a pretty good game (I think I like FFIX the most so far).

The Sin project was started around mid 2011, and was first written completely in C.
Here’s the help menu of the last version I made

~=============================================~
~= Sin - Low Bandwidth Denial of Service 1.8.8a =~
~=============================================~
Before you continue any further, it's highly
recommended that you read the user manual.

Usage example: ./Sin -h 127.0.0.1 -p 80 -m 1 -c 5 -t 1000 -it 0

Options:
--help - This menu
-h <host/ip> - Host or IP of the target (Default 127.0.0.1)
-p <port> - Port of the target (Default 80)
-m <method> - Method of attack (Default 0)
-c <connections>- Number of connections per thread (Default 5)
-t <threads> - Number of threads to use in attack (Default 1000)
-to <sec> - Timeout in seconds between data sending (default 10)
-tc <sec> - Time between Tor/Socks5 identity change (default 5)
-tcpto <sec> - TCP Timeout (default 5)
-v - Verbose mode

Targets/Methods:
1  - Null bytes
2  - HTTP reversed proxy
3  - HTTP half header data keep alive (slowloris)
4  - SMTP helo
5  - GET+HOST header data
Help finished, exiting

It was mostly an experiment with different Slowloris-like attacks, but it was a lot of fun ;-).

I have decided for some time now that I wanted to rewrite Sin with a better structure and make it easier to write new methods of DoS, without screwing up the other methods or the core of Sin.
A few weeks back I finally finished my planning (I use paper and whiteboards to plan my projects, out of old uni habit) for the next version of Sin, which I have chose to call Sin 4, because of 2 previous attempts to rewrite the structure after the first version in C was dropped (it became too annoying to maintain all that code, since I didn’t really have a structure for it planned out at start, which made it very messy).

After the planning was done, I started coding.
The choice of language landed on Java, since I wanted to keep up to date with Java coding because of work, so it seemed like a pretty good choice.
The core of Sin took about 2-3 days to finish, with an estimate of 4-5 hours per day of coding, so wasn’t much work really.

Here’s the help menu from the public version of Sin 4

[+] Sin version 4.1 starting
--plugin / -p <plugin> - Specify plugin, depends on --args
--help / -h [plugin] - Bring up this menu, or specify plugin for specific plugin help menu
--args / -a <arguments> - Specify arguments for plugin
--test / -t - Specify that the test for the specified plugin should be run
--list / -l - List all plugins
--version / -v [plugin] - Show the Sin version, or specify plugin for specified plugin version

I have decided to remove the –args option and rewrite the whole argument parsing, since it has turned out to be too messy to use, so I will use a more common method of doing it.
The current format of arguments passed to the plugins are “host:port:timeout:optional…and so on”, but yeah that’s didn’t turn out well, so I will go back to the more common method of doing “–plugin Slowloris –host 127.0.0.1 –port 80 –timeout 10 –optional stuff”, which I should have used from the start really.

Anyway, so the first plugin I started to write, was a simple implementation of Slowloris.
And for those who don’t know, Slowloris is kind of like standing in line at McDonalds, and when you order you keep adding things to your order for an infinite amount of time.
Obviously in reality they would get pissed off at McDonalds and kick you out, which is what patched servers will do if you try this.
But technically speaking then, Slowloris means that you open a bunch of connections to a server, and then you keep sending header data for timeout-sometime, prolonging the timeout infinitely and never finishing the request. Some servers will fill their connection pool because of this (mostly threaded servers with very limited connection pool) and be put in denial of service.
Some of the known software to be affected are, but not limited to:

  • Apache 1.x
  • Apache 2.x
  • dhttpd
  • GoAhead WebServer

List taken from http://ckers.org/slowloris/

I took out the unconfirmed ones, as they are, unconfirmed 🙂

The Slowloris method has been known for a few years now, but it’s pretty rare that people care about it and protect themselves, so it’s still pretty used out on the wild Internet.
When people do indeed protect themselves, some common methods of protection are:

  • Lowering the timeout
  • Limiting clients to X connections only (to prevent Slowloris connection flood, this is rather easy to work around though with proxies or botnets)
  • Cutting connection for clients that take too long to send headers (not the same as lowering the timeout in general)

That was a pretty brief explanation, but I will go into more depth on how to prevent this sort of attack in practice in another post.

Slowloris is far away from the only plugin that I have implemented so far (And I had a good friend help me as well with implementing a few others, and more will come).
Here’s some output from another one of the plugins that have been implemented:

[+] Sin version 4.1 starting
[+] Loading plugin 'Slowread'
[+] Slowread test initiating ..
[+] Connecting to blog.alcor.se on port 80
[+] Connected to blog.alcor.se
[+] Request sent
[+] Normal timeout took 15 seconds
[+] Connecting to blog.alcor.se on port 80
[+] Connected to blog.alcor.se
[+] Request sent, reading 28 bytes of the response (3 times)
[+] This can take up to 3 times the initial timeout
[+] Host seems vulnerable!
[+] Normal timeout: 15
[+] Extended timeout: 21

And no, just because I attacked my own blog, doesn’t mean you should 🙂
I haven’t protected my blog against these attacks yet you see.

I will cover the rest of the plugins as well in another post, as well as post some more detailed data about how it works and how it affects different servers.
Some plugins that have been implemented, are other type of DoS exploits like buffer overflows and so on.
Those plugins don’t try to exploit any vulnerability to gain access to a service of some sort, since that has never been the point of Sin.
The point has always been, and always will be, to put servers in a state of denial of service, and to help security researchers and server administrators to understand how these attacks work and how to protect themselves against it (Yes, I know this is all old news for most people, but I still enjoy it and find my work useful).

Oh, and so far Slowloris is the only plugin available to the public, which kind of makes my previous statement useless.
But the idea is that Sin, including all the plugins, will be released one day.

For now you can get Sin and the Slowloris plugin over at my github page: https://github.com/jra89/Sin

If you look at the github page, you will notice that there’s something called “SinPluginAPI” in there.
That’s what is used to write your very own Sin plugin, hooray!
I will cover that later as well, how to write one and so on 🙂

That’s all for now!