mailing list archives
Re: Web Application DoS
From: "kcope" <kingcope () gmx net>
Date: Wed, 1 Dec 2004 21:50:16 +0100 (MET)
Congratulations, you've discovered an application layer (Layer 7 for
the OSI fans) denial of service attack. That first sentence is somewhat
sarcastic, but this is not a new discovery. Now you need to generalize
this to other applications.
What about databases (although you implied one in your example of a
web search application)? Even without a web front-end, databases are
particularly susceptible to these. If one understands details such as
space allocation and indexing formulas of a database, one can make a
I didn't say this would be anything new I'm sure it isn't, but
everyone is discussing about DDoS attacks with hundreds
and thousands of zombie bots which take servers down.
But it's that plain simple just find some big
website like newspaper, IT biz or whatever and go to the search
engine nearly every site owns one. And if your lucky you can just manipulate
the amount of results given back from the server to 1 zillion and type a
simple search string. If you repeat the request hundreds of times the site
is not available anymore. And if the search site is on the same server as
all other parts of the web presentation the company is going to have
trouble. I guess it's more a problem to the server to search the entire
database for results which runs the cpu on 100% but i don't really know.
It was just a very easy idea and works out of the box. Only for testing
purposes of course. The responsible of vulnerable sites should just limit
the number of results so the internet can live in love & harmony ;) haha
Geschenkt: 3 Monate GMX ProMail + 3 Top-Spielfilme auf DVD
++ Jetzt kostenlos testen http://www.gmx.net/de/go/mail ++
Full-Disclosure - We believe in it.