Preface: I am an undergrad Computer Science student about to graduate but I have little to no experience in web development and PHP in particular. Apologies for lack of familiarity.
Background: I am looking to create a simple DoS vulnerability on my own local PHP server which is running XAMPP on a Linux (18.04) 64-bit virtual box machine. In order to ensure I'm not just boosting CPU usage on the virtual machine by local activity, I am running another virtual machine where I use a Python script along with the "requests" library to request the vulnerable page 10,000 times in a loop. As of right now, the vulnerable page (dos.php) runs a loop where it appends a random number to a list and then echo's the hash of a generic text line which are completely unrelated apart from supposedly being CPU intensive.
Issue: I learned that I could output the memory and CPU usage to the browser (via https://devdojo.com/tutorials/how-to-get-memory-and-cpu-usage-in-php). The problem is that I haven't been able to get the CPU usage on the server above about 4%... Memory sits at roughly 30%. However, I know that I am doing some small piece correctly because I am seeing an increase from 0-1% to that number of 4% but nothing beyond that.
The end goal is to demonstrate a proof-of-concept where I show that a fuzzer (SlowFuzz) can find this vulnerability if pointed at the PHP document. Once I have a DoS vulnerability I plan to write a very simple and intentionally broken function. Something like a loop in which the user defines the upper bound.
Here is a picture of the PHP on dos.php: PHP Code
Thank you in advance for your help! Hope this isn't too silly of a question.
Apache can be easily DoS'ed by filling it's request queue with slow reading clients.
Apache has a configured maximum of simultaneously connected clients, and by default does not enforce a minimum read speed to clients, so reading the response at 1 byte/sec would hold the connection open very long and reduce the amount of reconnects needed by your DoS tool while also reducing the chance for a regular client to come through.
Modern Apache setups will drop clients that read too slowly or reject excessive connections from the same address to prevent this kind of attack. I'm not sure if a default XAMPP installation includes this.
