Monero: DoS for remote nodes using Slow Loris attack

ID H1:416494
Type hackerone
Reporter sobhraj_charles
Modified 2019-02-21T17:44:52



Using the slow loris attack it's possible to make the the daemon unresponsive to all RPC requests without at least a restart.


I used this node.js application ( to perform the attack on one of my remote nodes, but any other implementation of the attack should also work fine.

Releases Affected:

  • Ubuntu 16.04 x64 - Monero v0.12.3.0 was affected so all releases before should be affected as well.

Steps To Reproduce:

  1. Start the daemon with standard remote node parameters like ./monerod --rpc-bind-ip --confirm-external-bind
  2. Start the slow loris attack, I tested with 1000 sockets opened and 700 milliseconds as rate at which packets should be sent.
  3. Try sending a normal RPC command like curl -X POST http://IP:18089/json_rpc -d '{"jsonrpc":"2.0","id":"0","method":"get_block_count"}' -H 'Content-Type: application/json' there will not be any response from the RPC a few seconds after the attack was started.


An attacker could target a large number of remote nodes for example the ones under, with just a single PC.