Full Disclosure mailing list archives
RE: Web Application DoS
From: "David Taylor" <David.Taylor () austrac gov au>
Date: Wed, 1 Dec 2004 09:57:50 +1100
Stop press : Urban road DDOS attack If you get a lot of cars and have them all on the road at the same time, the road won't be able to handle it. M@nga -----Original Message----- From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of kcope Sent: Wednesday, 1 December 2004 6:59 AM To: bugtraq () securityfocus com; full-disclosure () lists netsys com Subject: [Full-disclosure] Web Application DoS +-----------------------------------+ | Web Application Denial of Service | +-----------------------------------+ There is a denial of service condition not in a specific software product but in several web based applications. The idea is to make a rather small HTTP request and get a big amount of data back from the HTTP daemon. The HTTP protocol for a client could be as simple as a normal one line GET request for a specific web site on the server. Now let´s take the example of a search engine on a web site. Most times one will be able to search for just an ``A`` and get back a big result set of the data searched inside the information database. Of course the result set will be limited in good search applications. But if it is possible to manipulate the amount of results to a very high value and there is much information stored in the database the result set is very big and therefore the answer from the http daemon will also seem endless if no timeout is set. If one finds a way to manipulate this GET or POST request and automates the process through a very simple script which just loops over and over making this request the http daemon will not be able to handle its own reponse data. The result is that the website is not reachable anymore because the server is busy sending back nonsense data to the client (which will not wait for any but only makes small requests). I guess this works regardless of the underlying software running on the website, even powerful Sun Applications seem to be vulnerable. It should be mentioned that it has not to be a search application. Other server side scripts may be manipulated also to give the same effect. The only thing needed is that after a small request the http server is convinced to answer with an endless stream of bytes. No ultra fast connection is needed to make a rather big server with large connection bandwidth unavailable. No throughout test was done so this could be a false positive. But by testing even ``important`` business sites didn`t like this type of DoS. kcope 2k4 kingcope[at]gmx.net -- Geschenkt: 3 Monate GMX ProMail + 3 Top-Spielfilme auf DVD ++ Jetzt kostenlos testen http://www.gmx.net/de/go/mail ++ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html ********************************************************************** Please note that your email address is known to AUSTRAC for the purposes of communicating with you. The information transmitted in this e-mail is for the use of the intended recipient only and may contain confidential and/or legally privileged material. If you have received this information in error you must not disseminate, copy or take any action on it and we request that you delete all copies of this transmission together with attachments and notify the sender. This footnote also confirms that this email message has been swept for the presence of computer viruses. ********************************************************************** _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Web Application DoS kcope (Nov 30)
- Re: Web Application DoS Goetz Von Berlichingen (Dec 01)
- <Possible follow-ups>
- RE: Web Application DoS David Taylor (Nov 30)
- RE: Web Application DoS Lachniet, Mark (Dec 01)
- Re: Web Application DoS kcope (Dec 01)