Re: [Full-Disclosure] Web Application DoS
- To: full-disclosure@xxxxxxxxxxxxxxxx, goetzvonberlichingen@xxxxxxxxxxx
- Subject: Re: [Full-Disclosure] Web Application DoS
- From: "kcope" <kingcope@xxxxxxx>
- Date: Wed, 1 Dec 2004 21:50:16 +0100 (MET)
> Congratulations, you've discovered an application layer (Layer 7 for
> the OSI fans) denial of service attack. That first sentence is somewhat
> sarcastic, but this is not a new discovery. Now you need to generalize
> this to other applications.
> What about databases (although you implied one in your example of a
> web search application)? Even without a web front-end, databases are
> particularly susceptible to these. If one understands details such as
> space allocation and indexing formulas of a database, one can make a
I didn't say this would be anything new, I'm sure it isn't, but
everyone is discussing DDoS attacks with hundreds
and thousands of zombie bots which take servers down.
But it's that plain simple: just find some big
website like a newspaper, IT biz or whatever and go to the search
engine, nearly every site owns one. And if you're lucky you can just manipulate
the amount of results given back from the server to 1 zillion and type a
simple search string. If you repeat the request hundreds of times the site
is not available anymore. And if the search site is on the same server as
all other parts of the web presentation the company is going to have
trouble. I guess it's more a problem to the server to search the entire
database for results which runs the CPU at 100%, but I don't really know.
It was just a very easy idea and works out of the box. Only for testing
purposes of course. Those responsible for vulnerable sites should just limit
the number of results so the internet can live in love & harmony ;) haha
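The mitigation the post ends on, limiting the number of results, as an added example (not code from the post or the list): a search handler that clamps the results-per-page parameter to a hard ceiling and rate-limits repeated searches per client. The parameter name `count`, the ceiling, the window size and the client id are assumptions for this example.

```python
import time
from collections import deque
from urllib.parse import parse_qs

# Hypothetical limits chosen for this example; tune them for the real site.
MAX_RESULTS_PER_PAGE = 50        # hard ceiling on the "count" parameter
RATE_WINDOW_SECONDS = 10.0       # sliding window length
MAX_SEARCHES_PER_WINDOW = 5      # searches one client may run per window


def clamp_result_count(query_string, default=10):
    """Parse 'count' from the query string and clamp it to MAX_RESULTS_PER_PAGE.

    count=1000000000 (or garbage) is reduced so the backend never has to
    build an unbounded result set for a single request.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    raw = params.get("count", [str(default)])[0]
    try:
        count = int(raw)
    except ValueError:
        count = default
    return max(1, min(count, MAX_RESULTS_PER_PAGE))


class SearchRateLimiter:
    """Sliding-window limiter keyed by a client id (e.g. the source IP)."""

    def __init__(self, window=RATE_WINDOW_SECONDS, limit=MAX_SEARCHES_PER_WINDOW):
        self.window = window
        self.limit = limit
        self._hits = {}  # client id -> deque of request timestamps

    def allow(self, client_id, now=None):
        now = time.monotonic() if now is None else now
        hits = self._hits.setdefault(client_id, deque())
        while hits and now - hits[0] >= self.window:  # expire old hits
            hits.popleft()
        if len(hits) >= self.limit:
            return False  # caller answers 429 Too Many Requests
        hits.append(now)
        return True


def handle_search(query_string, client_id, limiter, now=None):
    """Return (status, count): 429 when rate-limited, else 200 and the clamped count."""
    if not limiter.allow(client_id, now):
        return 429, 0
    return 200, clamp_result_count(query_string)
```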
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html