lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <41AE0392.3030507@comcast.net>
Date: Wed, 01 Dec 2004 10:46:58 -0700
From: Goetz Von Berlichingen <goetzvonberlichingen@...cast.net>
To: bugtraq@...urityfocus.com
Cc: full-disclosure@...ts.netsys.com
Subject: Re: Web Application DoS


kcope wrote:
> +-----------------------------------+
> | Web Application Denial of Service |
> +-----------------------------------+
> There is a denial of service condition not in a specific software product
> but in several web based applications.
> The idea is to make a rather small HTTP request and get a big amount of
> data back from the HTTP daemon.

   Congratulations, you've discovered an application layer (Layer 7 for 
the OSI fans) denial of service attack.  That first sentence is somewhat 
sarcastic, but this is not a new discovery.  Now you need to generalize 
this to other applications.
   What about databases (although you implied one in your example of a 
web search application)?  Even without a web front-end, databases are 
particularly susceptible to these.  If one understands details such as 
space allocation and indexing formulas of a database, one can make a 
single query use up a totally disproportionate amount of resources.
   What about GUIs?  Good displays require a lot of math to achieve 
those wonderful effects we all love.
   What about distributed applications?  Can you pretend to be a client 
and force the server to thrash?  How about pretending to be the server 
and making the client use up the computer's memory or processing power?
   Have fun but do it to increase the surety of systems - not for your 
own profit or amusement.

Goetz


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ