Full Disclosure mailing list archives
Re: Web Application DoS
From: "kcope" <kingcope () gmx net>
Date: Wed, 1 Dec 2004 21:50:16 +0100 (MET)
> Congratulations, you've discovered an application layer (Layer 7 for the OSI fans) denial of service attack. That first sentence is somewhat sarcastic, but this is not a new discovery. Now you need to generalize this to other applications. What about databases (although you implied one in your example of a web search application)? Even without a web front-end, databases are particularly susceptible to these. If one understands details such as space allocation and indexing formulas of a database, one can make a
I didn't say this would be anything new, I'm sure it isn't, but everyone is discussing DDoS attacks with hundreds and thousands of zombie bots which take servers down. But it's that plain simple: just find some big website like a newspaper, IT biz or whatever and go to the search engine; nearly every site owns one. And if you're lucky you can just manipulate the amount of results given back from the server to 1 zillion and type a simple search string. If you repeat the request hundreds of times the site is not available anymore. And if the search site is on the same server as all other parts of the web presentation, the company is going to have trouble.

I guess it's more of a problem for the server to search the entire database for results, which runs the CPU at 100%, but I don't really know. It was just a very easy idea and works out of the box. Only for testing purposes of course. Those responsible for vulnerable sites should just limit the number of results so the internet can live in love & harmony ;) haha
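One way to implement the limit kcope suggests at the end, as an added example that is not code from this thread: the client-supplied result-count parameter is clamped server-side before any query runs, and repeated searches from one client are rate-limited. The function names, the caps and the `clock` parameter are assumptions made for this example.

```python
"""Server-side guard for a public search endpoint (added example):
clamp the requested result count and rate-limit searches per client."""
import time
from collections import deque

MAX_RESULTS_PER_PAGE = 50        # hard cap, whatever the client asks for (assumed value)
DEFAULT_RESULTS_PER_PAGE = 10    # used when the parameter is missing or malformed
RATE_LIMIT_REQUESTS = 20         # searches allowed per client ...
RATE_LIMIT_WINDOW_SECONDS = 60   # ... within this sliding window


def clamp_result_count(raw_value):
    """Turn the client's 'results per page' value into a safe integer.

    Non-integers and values below 1 fall back to the default; values above
    the cap are reduced to the cap, so a request for "1 zillion" rows can
    never reach the database."""
    try:
        requested = int(raw_value)
    except (TypeError, ValueError):
        return DEFAULT_RESULTS_PER_PAGE
    if requested < 1:
        return DEFAULT_RESULTS_PER_PAGE
    return min(requested, MAX_RESULTS_PER_PAGE)


class SearchRateLimiter:
    """Sliding-window limiter keyed by a client identifier (e.g. source IP)."""

    def __init__(self, limit=RATE_LIMIT_REQUESTS,
                 window=RATE_LIMIT_WINDOW_SECONDS, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock          # injectable so tests can fake time
        self._hits = {}             # client_id -> deque of request timestamps

    def allow(self, client_id):
        """Return True if the client may run another search right now."""
        now = self.clock()
        hits = self._hits.setdefault(client_id, deque())
        while hits and now - hits[0] >= self.window:
            hits.popleft()          # drop timestamps outside the window
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


def handle_search(params, client_id, limiter):
    """Validate one search request; returns (HTTP status, page size to use)."""
    if not limiter.allow(client_id):
        return 429, 0               # Too Many Requests: no database work done
    return 200, clamp_result_count(params.get("count"))
```

The query itself is only executed after both checks pass, so a burst of oversized requests costs the server a few dictionary operations rather than a full-table search.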