[<prev] [next>] [day] [month] [year] [list]
Message-ID: <0FD9D979B9535D4890AE309799B6D1E59DA440@lansingemail.seqnt.com>
Date: Wed, 1 Dec 2004 15:49:08 -0500
From: "Lachniet, Mark" <mlachniet@...uoianet.com>
To: <full-disclosure@...ts.netsys.com>
Cc: <bugtraq@...urityfocus.com>
Subject: RE: Web Application DoS
> +-----------------------------------+
> | Web Application Denial of Service |
> +-----------------------------------+
> There is a denial of service condition not in a specific software
> product but in several web based applications.
> The idea is to make a rather small HTTP request and get a big amount
> of data back from the HTTP daemon.
Ummm... Duh...
BUT, it does raise an interesting problem from a design and testing
point of view. I do a lot of web application tests, many of them with
automated tools like SPI. In most cases, it is very easy to crash web
apps that rely on a database back end. In fact, it's a big problem when
it comes to testing production servers. Most small to medium web sites
just don't seem to take 15+ query threads at a time very well,
especially when you are doing complicated queries (10+ variables, etc.)
It is trivially easy to find (for example) a URL request that takes a
long time for the query to return (say, 10 seconds or more) and then
hammer it with a zillion requests using a simple script. Not only can
the database server platform get choked up with requests that it cannot
service, but in some cases you can use up all of your licenses too. You
might also use such a technique to mess up some logging systems if you
are lucky (ie, if it logs audit data to a database). This problem is
made worse by the fact that many folks don't use stand-alone database
servers for just their web applications, and instead get one "big"
database, and use it for a variety of purposes. In this case, you could
likely crash more than just the one web app.
If it were an IP network issue, I'd say to do some QoS, but is there a
good design equivalent of this commonly in use for n-tiered web
applications? (for example, building into the web application some
logic that maintains a state table of requests, and ensures that single
source IP doesn't get more than 1 database lookup thread, or something
similar). If there is some good example code for something like this,
I'd love to share it with my customers. This subject might also be a
good addition to the OWASP guide, which (while and excellent piece of
work) doesn't seem to cover much in the way of Denial of Service
prevention as far as I know.
Thanks,
Mark Lachniet
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists