Monthly Archives: May 2013

Sin 4

So, I thought I would present some of my projects, starting with Sin.


Sin is simply a very flexible denial of service tool, or rather, it’s a very small DoS handler.
Sin itself doesn’t take down servers, but the plugins that you write for Sin, do.
A user specifies a DoS plugin to use, like Slowloris for example, and then sends some arguments to Sin that are specific to that plugin (there are tools in Sin to help with figuring all this out). When Sin gets the “--plugins ” argument, it will check in a folder called “plugins” for a matching plugin.
If one is found, Sin will load the plugin and send the arguments to it, and from there on it’s out of Sin’s hands.
So the core of the Sin project was just a way to organize the DoS tools a bit and keep them all under the same roof (and because I like to implement the different methods of denial of service).

The name Sin comes from the big monster from Final Fantasy X.
Not the best in the series, but still a pretty good game (I think I like FFIX the most so far).

The Sin project was started around mid 2011, and was first written completely in C.
Here’s the help menu of the last version I made

~= Sin - Low Bandwidth Denial of Service 1.8.8a =~
Before you continue any further, it’s highly
recommended that you read the user manual.

Usage example: ./Sin -h -p 80 -m 1 -c 5 -t 1000 -it 0

--help - This menu
-h <host/ip> - Host or IP of the target (Default
-p <port> - Port of the target (Default 80)
-m <method> - Method of attack (Default 0)
-c <connections> - Number of connections per thread (Default 5)
-t <threads> - Number of threads to use in attack (Default 1000)
-to <sec> - Timeout in seconds between data sending (default 10)
-tc <sec> - Time between Tor/Socks5 identity change (default 5)
-tcpto <sec> - TCP Timeout (default 5)
-v – Verbose mode

1 - Null bytes
2 - HTTP reversed proxy
3 - HTTP half header data keep alive (slowloris)
4 - SMTP helo
5 - GET+HOST header data
Help finished, exiting

It was mostly an experiment with different Slowloris-like attacks, but it was a lot of fun ;-).
I have decided for some time now that I wanted to rewrite Sin with a better structure and make it easier to write new methods of DoS, without screwing up the other methods or the core of Sin.
A few weeks back I finally finished my planning (I use paper and whiteboards to plan my projects, out of old uni habit) for the next version of Sin, which I have chosen to call Sin 4, because of 2 previous attempts to rewrite the structure after the first version in C was dropped (it became too annoying to maintain all that code, since I didn’t really have a structure for it planned out at start, which made it very messy).

After the planning was done, I started coding.
The choice of language landed on Java, since I wanted to keep up to date with Java coding because of work, so it seemed like a pretty good choice.
The core of Sin took about 2-3 days to finish, with an estimate of 4-5 hours per day of coding, so wasn’t much work really.

Here’s the help menu from the public version of Sin 4

[+] Sin version 4.1 starting
--plugin / -p <plugin> - Specify plugin, depends on --args
--help / -h [plugin] - Bring up this menu, or specify plugin for specific plugin help menu
--args / -a <arguments> - Specify arguments for plugin
--test / -t - Specify that the test for the specified plugin should be run
--list / -l - List all plugins
--version / -v [plugin] - Show the Sin version, or specify plugin for specified plugin version

I have decided to remove the --args option and rewrite the whole argument parsing, since it has turned out to be too messy to use, so I will use a more common method of doing it.
The current format of arguments passed to the plugins is “host:port:timeout:optional…and so on”, but yeah, that didn’t turn out well, so I will go back to the more common method of doing “--plugin Slowloris --host --port 80 --timeout 10 --optional stuff”, which I should have used from the start really.

Anyway, so the first plugin I started to write, was a simple implementation of Slowloris.
And for those who don’t know, Slowloris is kind of like standing in line at McDonalds, and when you order you keep adding things to your order for an infinite amount of time.
Obviously in reality they would get pissed off at McDonalds and kick you out, which is what patched servers will do if you try this.
Technically speaking, Slowloris means that you open a bunch of connections to a server and then keep sending a little more header data shortly before each timeout would expire, prolonging the timeout indefinitely and never finishing the request. Some servers will fill their connection pool because of this (mostly threaded servers with a very limited connection pool) and be put in denial of service.
Software known to be affected includes, but is not limited to:

  • Apache 1.x
  • Apache 2.x
  • dhttpd
  • GoAhead WebServer

List taken from

I took out the unconfirmed ones, as they are, unconfirmed 🙂

The Slowloris method has been known for a few years now, but it’s pretty rare that people care about it and protect themselves, so it’s still pretty used out on the wild Internet.
When people do indeed protect themselves, some common methods of protection are:

  • Lowering the timeout
  • Limiting clients to X connections only (to prevent Slowloris connection flood, this is rather easy to work around though with proxies or botnets)
  • Cutting connection for clients that take too long to send headers (not the same as lowering the timeout in general)

That was a pretty brief explanation, but I will go into more depth on how to prevent this sort of attack in practice in another post.
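
The three protections listed above, modelled as an added example (not code from the original post or from Sin): `header_wait` shows how long one connection holds a server slot under a receive timeout that restarts on every byte versus an absolute deadline for the whole header block, and `admitted` applies a per-client connection cap. The function names, the sample traffic and the 15/5/20 second values are assumptions made for illustration.

```python
from collections import defaultdict

INF = float("inf")

def header_wait(arrivals, done_at, idle_timeout, header_deadline=INF):
    """Return (seconds_slot_was_held, reason) for one connection.

    arrivals: seconds after accept at which the client sent header bytes.
    done_at: second at which the header block was complete, or None.
    idle_timeout: receive timer, restarted by every byte that arrives.
    header_deadline: absolute limit for receiving the whole header block.
    """
    last = 0
    for t in list(arrivals) + [INF]:       # INF = the client goes silent
        idle_cut = last + idle_timeout
        cut = min(idle_cut, header_deadline)
        if cut < t:                         # a timer fires before the next bytes
            reason = "idle-timeout" if idle_cut <= header_deadline else "header-deadline"
            return cut, reason
        if t == done_at:
            return t, "complete"
        last = t

def admitted(source_ips, max_per_ip):
    """Per-client cap: how many of the incoming connections are accepted."""
    open_by_ip = defaultdict(int)
    accepted = 0
    for ip in source_ips:
        if open_by_ip[ip] < max_per_ip:
            open_by_ip[ip] += 1
            accepted += 1
    return accepted

# Constructed sample traffic (not captured from a real server).
NORMAL = ([0.2], 0.2)                        # full headers after 0.2 s
TRICKLE = (list(range(10, 301, 10)), None)   # a few bytes every 10 s, never done

if __name__ == "__main__":
    print(header_wait(*NORMAL, idle_timeout=15))
    print(header_wait(*TRICKLE, idle_timeout=15))
    print(header_wait(*TRICKLE, idle_timeout=5))
    print(header_wait(*TRICKLE, idle_timeout=15, header_deadline=20))
    print(admitted(["192.0.2.7"] * 200, max_per_ip=10))
    print(admitted([f"198.51.100.{i % 50}" for i in range(200)], max_per_ip=10))
```

With the constructed trickle client, the 15 s receive timeout alone holds the slot for 315 s, while adding a 20 s header deadline frees it at 20 s; the cap stops 200 connections from one address at 10 but admits all 200 when they come from 50 addresses.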

Slowloris is far from the only plugin that I have implemented so far (and I had a good friend help me with implementing a few others, and more will come).
Here’s some output from another one of the plugins that have been implemented:

[+] Sin version 4.1 starting
[+] Loading plugin ‘Slowread’
[+] Slowread test initiating ..
[+] Connecting to on port 80
[+] Connected to
[+] Request sent
[+] Normal timeout took 15 seconds
[+] Connecting to on port 80
[+] Connected to
[+] Request sent, reading 28 bytes of the response (3 times)
[+] This can take up to 3 times the initial timeout
[+] Host seems vulnerable!
[+] Normal timeout: 15
[+] Extended timeout: 21

And no, just because I attacked my own blog, doesn’t mean you should 🙂
I haven’t protected my blog against these attacks yet you see.

I will cover the rest of the plugins as well in another post, as well as post some more detailed data about how it works and how it affects different servers.
Some plugins that have been implemented are other types of DoS exploits, like buffer overflows and so on.
Those plugins don’t try to exploit any vulnerability to gain access to a service of some sort, since that has never been the point of Sin.
The point has always been, and always will be, to put servers in a state of denial of service, and to help security researchers and server administrators to understand how these attacks work and how to protect themselves against them (Yes, I know this is all old news for most people, but I still enjoy it and find my work useful).

Oh, and so far Slowloris is the only plugin available to the public, which kind of makes my previous statement useless.
But the idea is that Sin, including all the plugins, will be released one day.

For now you can get Sin and the Slowloris plugin over at my github page:

If you look at the github page, you will notice that there’s something called “SinPluginAPI” in there.
That’s what is used to write your very own Sin plugin, hooray!
I will cover that later as well, how to write one and so on 🙂

That’s all for now!

The blog hosted on a Raspberry PI

[code language=”c”]

#include <stdio.h>

int main(void)
{
    /* Print the greeting and report success to the caller. */
    printf("hello world!\n");
    return 0;
}
[/code]

Since this is my first post on this blog, I thought I’d start with an introduction of me and this blog, how it’s hosted and so on.

My name is Jimmy Ramsmark, and I’m a Software Engineer working at Avalon Innovation.
I currently live in Malmö/Sweden with my wife and 2 cats, which is also the city where I work.

My main hobby is programming, with a rather strict focus on IT-security.
I research a lot about different security related topics, but the past 2 years it has been almost completely related to different types of cyber criminals and how they act, what methods they use and so on. Pedophiles that operate online are cyber criminals in my book, and thus they have been, and still are, included in my hunt for information and evil-doers online.
I’m always in need of something exciting to research about, and I like to think that my work helps someone, and that’s probably the reason why I have turned my attention so much towards cyber crime in recent years, in hope that I will be able to do some good eventually, and not just play around, wasting my time.

This focus has resulted in a few pretty interesting projects (although not very unique), some of them being publicly available:

Momohime – A torrent monitor that simply uses a torrent client library to monitor a specified torrent, and save down all information about it and its clients.
Such a program could be useful when someone wants to keep an eye on torrents used by cyber criminals to spread their material (or, as the original idea was, to keep an eye on pedos spreading their material)

Sin – A pluggable Denial of Service tool.
The tool itself is rather simple, and only handles a very limited amount of operations, while leaving the rest to the plugins.
The plugins are different methods to put a service of some sort in a denial of service condition.
Some of the methods included are Slowloris, Slowpost, Slowread, Slowrequest and a few others that haven’t been named yet.
The only plugin available in the git repository is the Slowloris one.

Mont – A simple target system.
This is just a list really, where you can enter your “targets”, which are displayed in a fancy table.
The status of the target is displayed as well, if the service is online or offline (I guess you could say it’s a very simple Nagios wannabe).
I made it because I needed something very simple to keep an eye on a bunch of sites, when they were offline and so on.

That’s 3 of my projects at least, which are also the most important ones right now.
Anyway, so about this blog.
On this blog I will write about all my projects, the code I write and so on.
I will also write about other subjects that interest me, mostly science related topics though.
Not because I expect anyone to read it, but simply because it’s a way for me to get things out of my head and down on a digital piece of paper.
The reason I put it here and not on a real piece of paper, is because I ignorantly believe that I will save more trees this way, and that this machine is run by solar power or a nuclear reactor powered by Thorium.

The blog itself is run on a Raspberry PI which I bought specifically for this blog.
The Raspberry PI, for those who are too lazy to click the link, is a very tiny computer with great potential.
Working so much with security has made me a bit paranoid, not always trusting the services that I run (I always keep everything up to date, but that doesn’t always help, does it?), so I didn’t want to keep something as insecure as WordPress on any of my other servers, and thus I put this tiny Raspberry on an isolated network all alone, and with pretty tight security settings, to minimize the risk of endangering my other services. So even if someone finds a zero day vulnerability in WordPress and for some reason wants to take down my blog and get into my poor Megumi (that’s what I named the Raspberry PI), then at least they won’t get much further than the RasPI.

The RasPI (Megumi) safely stored behind the TV

Anyway, that’s all I have to say for now 🙂
More to come!