Denial of Service - OWASP

Source: https://www.owasp.org/index.php/Denial_of_Service (retrieved 5/12/2015)

From OWASP

This is an Attack. To view all attacks, please see the Attack Category page.

Last revision (mm/dd/yy): 02/3/2015

Description

The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed. There are many ways to make a service unavailable for legitimate users by manipulating network packets, programming, logical, or resource handling vulnerabilities, among others. If a service receives a very large number of requests, it may cease to be available to legitimate users. In the same way, a service may stop if a programming vulnerability is exploited, or the way the service handles resources it uses.

Sometimes the attacker can inject and execute arbitrary code while performing a DoS attack in order to access critical information or execute commands on the server. Denial of service attacks significantly degrade the service quality experienced by legitimate users. These attacks introduce large response delays, excessive losses, and service interruptions, resulting in direct impact on availability.

Risk Factors

Risk factors can break down into multiple categories. Two principal sources of risk include inadequate resources and non-technical threat motivators.

The first example of a risk factor, inadequate resources, requires attention if the system architecture was not designed to meet traffic demand overflows. This risk reduces the difficulty of successfully executing a DoS attack and can, left unchecked, result in DoS symptoms absent an actual attack.

The second example, and perhaps the largest risk factor, is not technical and is in the domain of public relations or strategic communications. An organization should avoid taking action that can make it a target of a DoS attack unless the benefits of doing so outweigh the potential costs or mitigating controls are in place.

Other risk factors may also exist depending on the specific environment.

Examples

The following DoS techniques and examples were extracted from OWASP Testing Guide v2.

DoS User Specified Object Allocation




If users can supply, directly or indirectly, a value that will specify how many of an object to create on the application server, and if the server does not enforce a hard upper limit on that value, it is possible to cause the environment to run out of available memory. The server may begin to allocate the required number of objects specified, but if this is an extremely large number, it can cause serious issues on the server, possibly filling its whole available memory and corrupting its performance.

The following is a simple example of vulnerable code in Java:

    String TotalObjects = request.getParameter("numberofobjects");
    int NumOfObjects = Integer.parseInt(TotalObjects);
    ComplexObject[] anArray = new ComplexObject[NumOfObjects]; // wrong!

DoS User Input as a Loop Counter

Similar to the previous problem of User Specified Object Allocation, if the user can directly or indirectly assign a value that will be used as a counter in a loop function, this can cause performance problems on the server.

The following is an example of vulnerable code in Java:

    public class MyServlet extends ActionServlet {
        public void doPost(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {
            ...
            String[] values = request.getParameterValues("CheckboxField");
            // Process the data without length check for reasonable range -- wrong!
            for (int i = 0; i < values.length; i++) {
                ...
            }
        }
    }
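As an added example (not code from the OWASP page or the Testing Guide), the hardened counterparts of the two snippets above: the user-supplied count is parsed and checked against a hard upper limit before any array is allocated, and the multi-valued checkbox parameter is rejected when it exceeds a fixed maximum before the loop runs. `MAX_OBJECTS`, `MAX_CHECKBOX_VALUES` and the `ComplexObject` stub are assumed names chosen for illustration.

```java
// Added example: hard, server-side limits on user-controlled allocation sizes
// and loop counts. ComplexObject, MAX_OBJECTS and MAX_CHECKBOX_VALUES are
// assumed names for illustration, not part of the OWASP page.
public final class BoundedRequestHandling {

    // Limits are chosen by the application, never derived from the request.
    static final int MAX_OBJECTS = 100;
    static final int MAX_CHECKBOX_VALUES = 50;

    // Stand-in for whatever object the application would allocate per item.
    static final class ComplexObject { }

    // Parses a user-supplied count and enforces 0 <= count <= max. Missing,
    // non-numeric, negative and oversized values are rejected up front instead
    // of letting Integer.parseInt or the allocation itself decide the outcome.
    static int parseBoundedCount(String raw, int max) {
        if (raw == null) {
            throw new IllegalArgumentException("count parameter is required");
        }
        final int count;
        try {
            count = Integer.parseInt(raw.trim());
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("count is not an integer");
        }
        if (count < 0 || count > max) {
            throw new IllegalArgumentException("count must be between 0 and " + max);
        }
        return count;
    }

    // Hardened form of the object-allocation snippet: the array is allocated
    // only after the count has passed the bound check.
    static ComplexObject[] allocateObjects(String rawCount) {
        int numOfObjects = parseBoundedCount(rawCount, MAX_OBJECTS);
        ComplexObject[] anArray = new ComplexObject[numOfObjects];
        for (int i = 0; i < anArray.length; i++) {
            anArray[i] = new ComplexObject();
        }
        return anArray;
    }

    // Hardened form of the loop-counter snippet: a null or oversized parameter
    // array is rejected before any per-value work is done.
    static int processCheckboxValues(String[] values) {
        if (values == null) {
            return 0;
        }
        if (values.length > MAX_CHECKBOX_VALUES) {
            throw new IllegalArgumentException(
                "too many values: " + values.length + " > " + MAX_CHECKBOX_VALUES);
        }
        int processed = 0;
        for (int i = 0; i < values.length; i++) {
            // per-value processing would go here
            processed++;
        }
        return processed;
    }

    public static void main(String[] args) {
        System.out.println(allocateObjects("10").length);
        System.out.println(processCheckboxValues(new String[] {"a", "b"}));
        try {
            allocateObjects("2000000000"); // rejected before any allocation happens
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The two limits are deliberately separate constants: the acceptable number of allocated objects and the acceptable number of submitted form values are different business decisions, and each should be set from what the feature actually needs rather than from what the JVM can survive.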


The following is an example of vulnerable code in Java. In the example, both the Connection and the CallableStatement should be closed in a finally block.

    public class AccountDAO {
        public void createAccount(AccountInfo acct) throws AcctCreationException {
            try {
                Connection conn = DAOFactory.getConnection();
                CallableStatement calStmt = conn.prepareCall(...);
                calStmt.executeUpdate();
                calStmt.close();
                conn.close();
            } catch (java.sql.SQLException e) {
                throw new AcctCreationException(...);
            }
        }
    }
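The fix the text describes, written out as an added example that is not the OWASP page's own code: both JDBC resources are released in a finally block, so an exception from prepareCall or executeUpdate can no longer leak a pooled connection on every failed request. A try-with-resources variant with the same guarantee follows it. The `AccountInfo` and `AcctCreationException` stubs, the `JDBC_URL` value and the stored-procedure name are placeholders assumed for illustration.

```java
import java.sql.CallableStatement;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;

// Added example: JDBC resources released on every exit path. AccountInfo,
// AcctCreationException, JDBC_URL and the procedure name are placeholders.
public class AccountDAO {

    // Placeholder JDBC URL; a real deployment would take connections from a pool.
    static final String JDBC_URL = "jdbc:example://placeholder/db";

    static final class AccountInfo {
        final String name;
        AccountInfo(String name) { this.name = name; }
    }

    static final class AcctCreationException extends Exception {
        AcctCreationException(String message, Throwable cause) { super(message, cause); }
    }

    static Connection getConnection() throws SQLException {
        return DriverManager.getConnection(JDBC_URL);
    }

    // Fix in the form the text describes: both resources are closed in a
    // finally block, so they are released whether or not executeUpdate succeeds.
    public void createAccount(AccountInfo acct) throws AcctCreationException {
        Connection conn = null;
        CallableStatement calStmt = null;
        try {
            conn = getConnection();
            calStmt = conn.prepareCall("{call create_account(?)}"); // placeholder procedure
            calStmt.setString(1, acct.name);
            calStmt.executeUpdate();
        } catch (SQLException e) {
            throw new AcctCreationException("account creation failed", e);
        } finally {
            // Release in reverse order of acquisition. Each close is guarded so a
            // failure closing the statement cannot prevent the connection from closing.
            if (calStmt != null) {
                try { calStmt.close(); } catch (SQLException ignored) { }
            }
            if (conn != null) {
                try { conn.close(); } catch (SQLException ignored) { }
            }
        }
    }

    // Same guarantee with Java 7+ try-with-resources: resources declared in the
    // header are closed automatically, in reverse order, on every exit path.
    public void createAccountWithTwr(AccountInfo acct) throws AcctCreationException {
        try (Connection conn = getConnection();
             CallableStatement calStmt = conn.prepareCall("{call create_account(?)}")) {
            calStmt.setString(1, acct.name);
            calStmt.executeUpdate();
        } catch (SQLException e) {
            throw new AcctCreationException("account creation failed", e);
        }
    }
}
```

The leak in the original is only visible under failure: when executeUpdate throws, neither close() runs, and a connection pool of fixed size is exhausted after that many failed requests, which is exactly the resource-depletion condition the section is about.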

DoS Buffer Overflows

Any language where the developer has direct responsibility for managing memory allocation, most notably C & C++, has the potential for a Buffer Overflow. While the most serious risk related to a buffer overflow is the ability to execute arbitrary code on the server, the first risk comes from the denial of service that can happen if the application crashes.

The following is a simplified example of vulnerable code in C:

    #include <string.h>

    void overflow(char *str) {
        char buffer[10];
        strcpy(buffer, str); // Dangerous!
    }

    int main() {
        char *str = "This is a string that is larger than the buffer of 10";
        overflow(str);
    }

If this code example were executed, it would cause a segmentation fault and dump core. The reason is that strcpy would try to copy 53 characters into an array of 10 elements only, overwriting adjacent memory locations. While this example above is an extremely simple case, the reality is that in a web-based application there may be places where the user input is not adequately checked for its length, making this kind of attack possible.

DoS Storing too Much Data in Session

Care must be taken not to store too much data in a user session object. Storing too much information in the session, such as large quantities of data retrieved from the database, can cause denial of service issues. This problem is exacerbated if session data is also tracked prior to a login, as a user can launch the attack without the need of an account.

DoS Locking Customer Accounts
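An added example (not from the OWASP page) of the two points in the paragraph above: the session holds a capped list of record identifiers rather than the retrieved rows themselves, and no session is created for anonymous requests, so the per-session footprint is bounded and only authenticated users can fill one. `Row`, `MAX_IDS_IN_SESSION` and the attribute names are assumptions for illustration.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Added example: bounding what a request may place in the HTTP session.
// Row, MAX_IDS_IN_SESSION and the attribute names are assumed for illustration.
public final class SessionFootprint {

    // Upper bound on identifiers kept per session; rows are re-read per page.
    static final int MAX_IDS_IN_SESSION = 500;

    // Stand-in for a database row with a large payload attached.
    static final class Row {
        final long id;
        final byte[] payload;
        Row(long id, byte[] payload) { this.id = id; this.payload = payload; }
    }

    // Vulnerable pattern: every retrieved row, payload included, is pinned in a
    // session that is created on demand, even for a client that never logs in.
    static void storeResultsUnbounded(HttpServletRequest request, List<Row> rows) {
        request.getSession(true).setAttribute("results", rows);
    }

    // Hardened pattern: only an existing, authenticated session is used, and it
    // receives at most MAX_IDS_IN_SESSION identifiers. Returns false when the
    // request carries no authenticated session.
    static boolean storeResultIds(HttpServletRequest request, List<Row> rows) {
        HttpSession session = request.getSession(false); // never create one here
        if (session == null || session.getAttribute("userId") == null) {
            return false;
        }
        List<Long> ids = new ArrayList<>();
        for (Row r : rows) {
            if (ids.size() >= MAX_IDS_IN_SESSION) {
                break;
            }
            ids.add(r.id);
        }
        session.setAttribute("resultIds", ids);
        return true;
    }

    // Page through the stored identifiers; the caller re-fetches the rows for
    // just this page, so the heavy data never lives in the session.
    @SuppressWarnings("unchecked")
    static List<Long> pageIds(HttpSession session, int page, int pageSize) {
        List<Long> ids = (List<Long>) session.getAttribute("resultIds");
        if (ids == null || page < 0 || pageSize <= 0) {
            return Collections.emptyList();
        }
        int from = Math.min(page * pageSize, ids.size());
        int to = Math.min(from + pageSize, ids.size());
        return ids.subList(from, to);
    }
}
```

Two companion settings belong with this code: a short inactivity timeout on the session (HttpSession.setMaxInactiveInterval) so abandoned sessions release their memory promptly, and monitoring of active session count and heap use, since a rise in either without a matching rise in logins is the signature of this problem.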


The first DoS case to consider involves the authentication system of the target application. A common defense to prevent brute-force discovery of user passwords is to lock an account from use after between three to five failed attempts to log in. This means that even if a legitimate user were to provide their valid password, they would be unable to log in to the system until their account has been unlocked. This defense mechanism can be turned into a DoS attack against an application if there is a way to predict valid login accounts.

Note, there is a business vs. security balance that must be reached based on the specific circumstances surrounding a given application. There are pros and cons to locking accounts, to customers being able to choose their own account names, to using systems such as CAPTCHA, and the like. Each enterprise will need to balance these risks and benefits, but not all of the details of those decisions are covered here.
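One point on the balance the text describes, as an added example that is not the OWASP page's own code: a lockout that expires on its own after a short interval still slows password guessing, but bounds the damage when a known account name is deliberately locked, because the legitimate user regains access without an unlock procedure. The thresholds and durations are assumptions chosen for illustration, not values the page states.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Added example: time-limited account lockout. MAX_FAILURES, WINDOW_MS and
// LOCK_MS are illustrative assumptions; tune them to the application.
public final class LoginThrottle {

    static final int MAX_FAILURES = 5;                // failures before a lock
    static final long WINDOW_MS = 15 * 60 * 1000L;    // failures older than this are forgotten
    static final long LOCK_MS = 5 * 60 * 1000L;       // a lock lasts this long, then expires

    private static final class Record {
        int failures;
        long firstFailureAt;
        long lockedUntil;
    }

    private final Map<String, Record> records = new ConcurrentHashMap<>();

    // True when the account may attempt a login at time now (milliseconds).
    public boolean allowAttempt(String account, long now) {
        Record r = records.get(account);
        if (r == null) {
            return true;
        }
        synchronized (r) {
            return now >= r.lockedUntil;
        }
    }

    // Counts a failed attempt; after MAX_FAILURES within WINDOW_MS the account
    // is locked until now + LOCK_MS, after which it unlocks by itself.
    public void recordFailure(String account, long now) {
        Record r = records.computeIfAbsent(account, k -> new Record());
        synchronized (r) {
            if (now - r.firstFailureAt > WINDOW_MS) {
                r.failures = 0;
                r.firstFailureAt = now;
            }
            r.failures++;
            if (r.failures >= MAX_FAILURES) {
                r.lockedUntil = now + LOCK_MS;
                r.failures = 0;
            }
        }
    }

    // A successful login clears the account's failure history.
    public void recordSuccess(String account) {
        records.remove(account);
    }

    public static void main(String[] args) {
        LoginThrottle t = new LoginThrottle();
        long now = 0L;
        for (int i = 0; i < MAX_FAILURES; i++) {
            t.recordFailure("alice", now);
        }
        System.out.println("locked right after failures: " + !t.allowAttempt("alice", now));
        System.out.println("unlocked after LOCK_MS: " + t.allowAttempt("alice", now + LOCK_MS));
    }
}
```

Whichever thresholds are chosen, lock events should be logged with the account name and source address: a burst of locks across many accounts from one source is the detection signal for the deliberate-lockout scenario described above, and is what lets operations distinguish it from users mistyping passwords.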

Related Threat Agents

Category: Logical Attacks

Related Attacks

Resource Injection
Setting Manipulation
Regular expression Denial of Service - ReDoS
Cash Overflow

Related Vulnerabilities

Category: Input Validation Vulnerability
Category: API Abuse

Related Controls

Blocking Brute Force Attacks
Memory Management

References

http://capec.mitre.org/data/index.html - Denial of Service through Resource Depletion

Retrieved from "https://www.owasp.org/index.php?title=Denial_of_Service&oldid=188944"

Categories: OWASP ASDR Project | FIXME | Spoofing | Probabilistic Techniques | Resource Depletion | Attack

This page was last modified on 3 February 2015, at 00:42. This page has been accessed 55,910 times. Content is available under a Creative Commons 3.0 License unless otherwise noted.