Full Disclosure mailing list archives
Re: Web Application DoS
From: Goetz Von Berlichingen <goetzvonberlichingen () comcast net>
Date: Wed, 01 Dec 2004 10:46:58 -0700
kcope wrote:
> +-----------------------------------+
> | Web Application Denial of Service |
> +-----------------------------------+
>
> There is a denial of service condition not in a specific software product but in several web based applications. The idea is to make a rather small HTTP request and get a big amount of data back from the HTTP daemon.
Congratulations, you've discovered an application layer (Layer 7 for the OSI fans) denial of service attack. That first sentence is somewhat sarcastic, but this is not a new discovery. Now you need to generalize this to other applications. What about databases (although you implied one in your example of a web search application)? Even without a web front-end, databases are particularly susceptible to these. If one understands details such as space allocation and indexing formulas of a database, one can make a single query use up a totally disproportionate amount of resources. What about GUIs? Good displays require a lot of math to achieve those wonderful effects we all love. What about distributed applications? Can you pretend to be a client and force the server to thrash? How about pretending to be the server and making the client use up the computer's memory or processing power? Have fun but do it to increase the surety of systems - not for your own profit or amusement.
Goetz

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
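The pattern the thread describes (a few dozen request bytes buying a disproportionately large response, or a single query that makes the backend do disproportionate work) is easiest to see side by side with the fix. The following is an added example written for this archive page, not code from kcope, Goetz or any product named in the thread. It uses a constructed in-memory table in place of a database, a hypothetical search handler with a client-chosen page size beside a version that caps both the page size and the rows scanned per request, and a scan over constructed access-log lines (hypothetical format: client, method, target, request bytes, response bytes) that flags paths by their byte amplification ratio, which is the measurement a practitioner would use to find such endpoints in their own logs.

```python
"""Added example, not part of the original thread.

Part 1: a toy search endpoint in the shape kcope describes, beside a
hardened one.  Part 2: a log scan that flags request/response byte
amplification.  All names, data and the log format are hypothetical.
"""
import itertools
import re
from collections import defaultdict
from typing import Optional

# Constructed data standing in for a database table the search hits.
ROWS = [f"record-{i:06d} " + "x" * 200 for i in range(50_000)]


def search_unbounded(query: str, limit: int) -> list:
    """Vulnerable: the client picks the page size and nothing caps it, so a
    request of a few dozen bytes can pull (and scan) every row."""
    return [row for row in ROWS if query in row][:limit]


MAX_LIMIT = 100        # hard cap on rows returned per response
MIN_QUERY_LEN = 3      # a one-character query matches almost everything
MAX_SCAN = 10_000      # rows examined per request before giving up


def validate_query(query: str, limit: int) -> Optional[str]:
    """Return a rejection reason, or None if the request is acceptable."""
    if len(query) < MIN_QUERY_LEN:
        return f"query shorter than {MIN_QUERY_LEN} characters"
    if limit < 1 or limit > MAX_LIMIT:
        return f"limit must be between 1 and {MAX_LIMIT}"
    return None


def search_capped(query: str, limit: int) -> list:
    """Hardened: bounded output (limit), bounded work (MAX_SCAN), early exit.
    The scan bound is a crude stand-in for a real query cost budget."""
    reason = validate_query(query, limit)
    if reason:
        raise ValueError(reason)
    scanned = itertools.islice(ROWS, MAX_SCAN)           # bound the work
    matches = (row for row in scanned if query in row)   # lazy filter
    return list(itertools.islice(matches, limit))        # bound the output


# Constructed log lines: client method target req_bytes resp_bytes.
SAMPLE_LOG = """\
10.0.0.5 GET /search?q=rec&limit=100000 41 9830000
10.0.0.5 GET /search?q=rec&limit=100000 41 9830000
10.0.0.9 GET /index.html 32 5120
10.0.0.9 GET /static/logo.png 38 20480
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\d+)$")


def amplification_by_path(log: str) -> dict:
    """Aggregate bytes in and out per path (query string stripped) and compute
    the response/request ratio: how much output one small request buys."""
    totals = defaultdict(lambda: {"requests": 0, "req_bytes": 0, "resp_bytes": 0})
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # skip malformed lines, don't crash
        _client, _method, target, req_b, resp_b = m.groups()
        path = target.split("?", 1)[0]
        t = totals[path]
        t["requests"] += 1
        t["req_bytes"] += int(req_b)
        t["resp_bytes"] += int(resp_b)
    for t in totals.values():
        t["ratio"] = t["resp_bytes"] / max(t["req_bytes"], 1)
    return dict(totals)


def flag_amplifiers(log: str, threshold: float = 1000.0) -> list:
    """Paths whose byte amplification meets the threshold, worst first."""
    stats = amplification_by_path(log)
    flagged = [p for p, t in stats.items() if t["ratio"] >= threshold]
    return sorted(flagged, key=lambda p: stats[p]["ratio"], reverse=True)


if __name__ == "__main__":
    print(len(search_unbounded("record", 100_000)), "rows from the unbounded handler")
    print(len(search_capped("record", 100)), "rows from the capped handler")
    print("rejected:", validate_query("x", 100_000))
    for path in flag_amplifiers(SAMPLE_LOG):
        print(f"{path}: ratio {amplification_by_path(SAMPLE_LOG)[path]['ratio']:.0f}")
```

The threshold is a starting point, not a rule: static assets legitimately amplify by hundreds, so the useful signal is a dynamic endpoint whose ratio is orders of magnitude above the rest, or a single client driving it. Capping the page size alone is not enough, which is why the hardened handler also bounds the rows it will scan; Goetz's point about databases is exactly that the cost of a query is not visible in the size of its result.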
Current thread:
- Web Application DoS kcope (Nov 30)
- Re: Web Application DoS Goetz Von Berlichingen (Dec 01)
- <Possible follow-ups>
- RE: Web Application DoS David Taylor (Nov 30)
- RE: Web Application DoS Lachniet, Mark (Dec 01)
- Re: Web Application DoS kcope (Dec 01)