Open Source and information security mailing list archives
 
Message-ID: <34C89D7601A13A4F849DEEAC309D7817953BA8@wsxch01.hq.austrac.gov.au>
Date: Wed, 1 Dec 2004 09:57:50 +1100
From: "David Taylor" <David.Taylor@...trac.gov.au>
To: "kcope" <kingcope@....net>, <bugtraq@...urityfocus.com>,
   <full-disclosure@...ts.netsys.com>
Subject: RE: Web Application DoS


 Stop press : Urban road DDOS attack

If you get a lot of cars and have them all on the road at the same time, the road won't be able to handle it.

M@nga


-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of kcope
Sent: Wednesday, 1 December 2004 6:59 AM
To: bugtraq@...urityfocus.com; full-disclosure@...ts.netsys.com
Subject: [Full-Disclosure] Web Application DoS

+-----------------------------------+
| Web Application Denial of Service |
+-----------------------------------+
There is a denial of service condition not in a specific software product
but in several web based applications.
The idea is to make a rather small HTTP request and get a big amount of
data back from the HTTP daemon.
The HTTP protocol for a client could be as simple as a normal one line GET
request for a specific web site on the server.
Now let's take the example of a search engine on a web site.
Most times one will be able to search for just an ``A`` and get back a
big result set of the data searched inside the information database.
Of course the result set will be limited in good search applications.
But if it is possible to manipulate the amount of results to a very high
value and there is much information stored in the database, the result
set is very big and therefore the answer from the HTTP daemon will also
seem endless if no timeout is set.
If one finds a way to manipulate this GET or POST request and automates the
process through a very simple script which just loops over and over
making this request, the HTTP daemon will not be able to handle its own
response data. The result is that the website is not reachable anymore
because the server is busy sending back nonsense data to the client (which
will not wait for any but only makes small requests). I guess this works
regardless of the underlying software running on the website; even powerful
Sun Applications seem to be vulnerable.
It should be mentioned that it does not have to be a search application.
Other server side scripts may also be manipulated to give the same effect.
The only thing needed is that after a small request the HTTP server is
convinced to answer with an endless stream of bytes.
No ultra fast connection is needed to make a rather big server with large
connection bandwidth unavailable.
No thorough test was done so this could be a false positive.
But by testing even ``important`` business sites didn't like this type of
DoS.

kcope 2k4
kingcope[at]gmx.net


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
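
A server-side mitigation for the condition described in the original message above, as an added example that is not part of either post: the client-supplied result count is clamped to a ceiling and the response is cut off once a row, byte or time budget is spent. The parameter names `results` and `q`, the budget values and the `handle_search` handler are assumptions made for illustration.

```python
import time

MAX_RESULTS = 50             # assumed server-side ceiling on rows per request
MAX_RESPONSE_BYTES = 64_000  # assumed per-response byte budget
MAX_SEND_SECONDS = 5.0       # assumed wall-clock budget for one response


def clamp_limit(raw, default=10, ceiling=MAX_RESULTS):
    """Parse a client-supplied result count; never honour it above the ceiling."""
    try:
        n = int(raw)
    except (TypeError, ValueError):
        return default
    if n < 1:
        return default
    return min(n, ceiling)


def bounded_response(rows, limit, max_bytes=MAX_RESPONSE_BYTES,
                     max_seconds=MAX_SEND_SECONDS, clock=time.monotonic):
    """Yield encoded rows until the row, byte or time budget is used up."""
    deadline = clock() + max_seconds
    sent = 0
    for i, row in enumerate(rows):
        chunk = (row + "\n").encode("utf-8")
        if i >= limit or sent + len(chunk) > max_bytes or clock() > deadline:
            yield b"[truncated]\n"  # tells the client to page instead
            return
        sent += len(chunk)
        yield chunk


def handle_search(params, database):
    """Hypothetical handler; `params` is the already-parsed query string."""
    limit = clamp_limit(params.get("results"))
    term = params.get("q", "")
    matches = (r for r in database if term.lower() in r.lower())  # lazy scan
    return b"".join(bounded_response(matches, limit))


if __name__ == "__main__":
    db = [f"Article {i} about A" for i in range(100_000)]  # constructed data
    body = handle_search({"q": "A", "results": "99999999"}, db)
    print(len(body), body.count(b"\n"))
```

Because the match scan is lazy and stops at the first exhausted budget, the cost of a request stays bounded no matter how large the requested count or the database is.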

