Download - Denial of Service - OWASP

Transcript

  • 5/12/2015 DenialofServiceOWASP

    https://www.owasp.org/index.php/Denial_of_Service 1/4

    DenialofServiceFromOWASP

    ThisisanAttack.Toviewallattacks,pleaseseetheAttackCategorypage.

    Lastrevision(mm/dd/yy):02/3/2015

    Description

    TheDenialofService(DoS)attackisfocusedonmakingaresource(site,application,server)unavailableforthepurposeitwasdesigned.Therearemanywaystomakeaserviceunavailableforlegitimateusersbymanipulatingnetworkpackets,programming,logical,orresourceshandlingvulnerabilities,amongothers.Ifaservicereceivesaverylargenumberofrequests,itmayceasetobeavailabletolegitimateusers.Inthesameway,aservicemaystopifaprogrammingvulnerabilityisexploited,orthewaytheservicehandlesresourcesituses.

    SometimestheattackercaninjectandexecutearbitrarycodewhileperformingaDoSattackinordertoaccesscriticalinformationorexecutecommandsontheserver.Denialofserviceattackssignificantlydegradetheservicequalityexperiencedbylegitimateusers.Theseattacksintroducelargeresponsedelays,excessivelosses,andserviceinterruptions,resultingindirectimpactonavailability.

    RiskFactors

    Riskfactorscanbreakdownintomultiplecategories.Twoprinciplesourcesofriskincludeinadequateresourcesandnontechnicalthreatmotivators.

    Thefirstexampleofariskfactor,inadequateresources,requiresattentionifsystemarchitecturewasnotdesignedtomeettrafficdemandoverflows.ThisriskreducesthedifficultyofsuccessfullyexecutingaDoSattackandcan,leftunchecked,resultinDoSsymptomsabsentanactualattack.

    Thesecondexampleandperhapsthelargestriskfactorisnottechnicalandisinthedomainofpublicrelationsorstrategiccommunications.AnorganizationshouldavoidtakingactionthatcanmakethematargetofaDoSattackunlessthebenefitsofdoingsooutweighthepotentialcostsormitigatingcontrolsareinplace.

    Otherriskfactorsmayalsoexistdependingonthespecificenvironment.

    Examples

    ThefollowingDoStechniquesandexampleswereextractedfromOWASPTestingGuidev2.

    DoSUserSpecifiedObjectAllocation

  • 5/12/2015 DenialofServiceOWASP

    https://www.owasp.org/index.php/Denial_of_Service 2/4

    Ifuserscansupply,directlyorindirectly,avaluethatwillspecifyhowmanyofanobjecttocreateontheapplicationserver,andiftheserverdoesnotenforceahardupperlimitonthatvalue,itispossibletocausetheenvironmenttorunoutofavailablememory.Theservermaybegintoallocatetherequirednumberofobjectsspecified,butifthisisanextremelylargenumber,itcancauseseriousissuesontheserver,possiblyfillingitswholeavailablememoryandcorruptingitsperformance.

    ThefollowingisasimpleexampleofvulnerablecodeinJava:

    StringTotalObjects=request.getParameter(numberofobjects);intNumOfObjects=Integer.parseInt(TotalObjects);ComplexObject[]anArray=newComplexObject[NumOfObjects];//wrong!

    DoSUserInputasaLoopCounter

    SimilartothepreviousproblemofUserSpecifiedObjectAllocation,iftheusercandirectlyorindirectlyassignavaluethatwillbeusedasacounterinaloopfunction,thiscancauseperformanceproblemsontheserver.

    ThefollowingisanexampleofvulnerablecodeinJava:

    publicclassMyServletextendsActionServlet{publicvoiddoPost(HttpServletRequestrequest,HttpServletResponseresponse)throwsServletException,IOException{...String[]values=request.getParameterValues("CheckboxField");//Processthedatawithoutlengthcheckforreasonablerangewrong!for(inti=0;i

  • 5/12/2015 DenialofServiceOWASP

    https://www.owasp.org/index.php/Denial_of_Service 3/4

    ThefollowingisanexampleofvulnerablecodeinJava.Intheexample,boththeConnectionandtheCallableStatementshouldbeclosedinafinallyblock.

    publicclassAccountDAO{publicvoidcreateAccount(AccountInfoacct)throwsAcctCreationException{try{Connectionconn=DAOFactory.getConnection();CallableStatementcalStmt=conn.prepareCall();calStmt.executeUpdate();calStmt.close();conn.close();}catch(java.sql.SQLExceptione){throwAcctCreationException(...);}}}

    DoSBufferOverflows

    Anylanguagewherethedeveloperhasdirectresponsibilityformanagingmemoryallocation,mostnotablyC&C++,hasthepotentialforaBufferOverflow.Whilethemostseriousriskrelatedtoabufferoverflowistheabilitytoexecutearbitrarycodeontheserver,thefirstriskcomesfromthedenialofservicethatcanhappeniftheapplicationcrashes.

    ThefollowingisasimplifiedexampleofvulnerablecodeinC:

    voidoverflow(char*str){charbuffer[10];strcpy(buffer,str);//Dangerous!}

    intmain(){char*str="Thisisastringthatislargerthanthebufferof10";overflow(str);}

    Ifthiscodeexamplewereexecuted,itwouldcauseasegmentationfaultanddumpcore.Thereasonisthatstrcpywouldtrytocopy53charactersintoanarrayof10elementsonly,overwritingadjacentmemorylocations.Whilethisexampleaboveisanextremelysimplecase,therealityisthatinawebbasedapplicationtheremaybeplaceswheretheuserinputisnotadequatelycheckedforitslength,makingthiskindofattackpossible.

    DoSStoringtooMuchDatainSession

    Caremustbetakennottostoretoomuchdatainausersessionobject.Storingtoomuchinformationinthesession,suchaslargequantitiesofdataretrievedfromthedatabase,cancausedenialofserviceissues.Thisproblemisexacerbatedifsessiondataisalsotrackedpriortoalogin,asausercanlaunchtheattackwithouttheneedofanaccount.

    DoSLockingCustomerAccounts

  • 5/12/2015 DenialofServiceOWASP

    https://www.owasp.org/index.php/Denial_of_Service 4/4

    ThefirstDoScasetoconsiderinvolvestheauthenticationsystemofthetargetapplication.Acommondefensetopreventbruteforcediscoveryofuserpasswordsistolockanaccountfromuseafterbetweenthreetofivefailedattemptstologin.Thismeansthatevenifalegitimateuserweretoprovidetheirvalidpassword,theywouldbeunabletologintothesystemuntiltheiraccounthasbeenunlocked.ThisdefensemechanismcanbeturnedintoaDoSattackagainstanapplicationifthereisawaytopredictvalidloginaccounts.

    Note,thereisabusinessvs.securitybalancethatmustbereachedbasedonthespecificcircumstancessurroundingagivenapplication.Thereareprosandconstolockingaccounts,tocustomersbeingabletochoosetheirownaccountnames,tousingsystemssuchasCAPTCHA,andthelike.Eachenterprisewillneedtobalancetheserisksandbenefits,butnotallofthedetailsofthosedecisionsarecoveredhere.

    RelatedThreatAgents

    Category:LogicalAttacks

    RelatedAttacks

    ResourceInjectionSettingManipulationRegularexpressionDenialofServiceReDoSCashOverflow

    RelatedVulnerabilitiesCategory:InputValidationVulnerabilityCategory:APIAbuse

    RelatedControls

    BlockingBruteForceAttacksMemoryManagement

    References

    http://capec.mitre.org/data/index.htmlDenialofServicethroughResourceDepletion

    Retrievedfrom"https://www.owasp.org/index.php?title=Denial_of_Service&oldid=188944"Categories: OWASPASDRProject FIXME Spoofing ProbabilisticTechniquesResourceDepletion Attack

    Thispagewaslastmodifiedon3February2015,at00:42.Thispagehasbeenaccessed55,910times.ContentisavailableunderaCreativeCommons3.0Licenseunlessotherwisenoted.


Top Related

Denial of Service WORLDS ATTAKS

Denial of Service WORLDS ATTAKS

Preventing Denial of Service Attacks

Preventing Denial of Service Attacks

Denial of Service Attacks. Understanding to Denial of Services.

Denial of Service Attacks. Understanding to Denial of Services.

Network Denial of Service

Network Denial of Service

Denial of Service Attacks

Denial of Service Attacks

Single Packet Authorization on the WEB -- WEB-SPA · Single Packet Authorization Client Attacker 1 Attacker 2 Attacker 3 Server. OWASP 10 Attacks Latency Denial of Service Replay

Single Packet Authorization on the WEB -- WEB-SPA · Single Packet Authorization Client Attacker 1 Attacker 2 Attacker 3 Server. OWASP 10 Attacks Latency Denial of Service Replay

Application Denial of Service

Application Denial of Service

DoS! Denial of Service

DoS! Denial of Service

Languages
Pages
Legal

Copyright © 2022 FDOCUMENTS