| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <41AE0392.3030507@comcast.net> From: goetzvonberlichingen at comcast.net (Goetz Von Berlichingen) Subject: Web Application DoS kcope wrote: > +-----------------------------------+ > | Web Application Denial of Service | > +-----------------------------------+ > There is a denial of service condition not in a specific software product > but in several web based applications. > The idea is to make a rather small HTTP request and get a big amount of > data back from the HTTP daemon. Congratulations, you've discovered an application layer (Layer 7 for the OSI fans) denial of service attack. That first sentence is somewhat sarcastic, but this is not a new discovery. Now you need to generalize this to other applications. What about databases (although you implied one in your example of a web search application)? Even without a web front-end, databases are particularly susceptible to these. If one understands details such as space allocation and indexing formulas of a database, one can make a single query use up a totally disproportionate amount of resources. What about GUIs? Good displays require a lot of math to achieve those wonderful effects we all love. What about distributed applications? Can you pretend to be a client and force the server to thrash? How about pretending to be the server and making the client use up the computer's memory or processing power? Have fun but do it to increase the surety of systems - not for your own profit or amusement. Goetz
Powered by blists - more mailing lists