When running under Apache or NGINX servers, the default (and/or commonly accepted) configurations of PHP-FPM and
PHP-CGI (mod_fcgi) are easily susceptible to denial of service attacks.
This attack effects Apache or NGINX web servers that handle dynamic PHP content using either PHP-CGI or PHP-FPM (which
includes WordPress websites). In addition, the requests made by the attack will continue to keep the server’s resources
in use far past the end of the attack. In the case where PHP-CGI is in use, the Apache processes will spawn and max out
based on the serverLimit setting. It will take the web server a considerable amount of time to recover from this event.
It is also important to note that this attack has the same premise as Slowloris. The main difference is that Slowloris
focuses on eating up HTTP (apache) connections, while this attack focuses on eating up PHP-CGI or PHP-FPM connections
(within either Apache or NGINX).
Additional information and POC script download here:
https://www.nightlionsecurity.com/blog/news/2014/04/phpstress-dos-attack-php-nginx-apache/
First, download PHPStress from GitHub
or clone the repo:
git clone https://github.com/nightlionsecurity/phpstress phpstress
To execute the attack, set your target URL and time delay parameters and the script will do the rest. In order to achieve the results below, the script needs to be run using a 0 delay for request and delay parameters.
php phpstress.php www.targeturl.com -d 0 -r 0