Web DoS with Legitimate Request

Hi Guys,

I would like to share one of the common attacks on web applications: DoS (Denial of Service).

There are three types of DDoS attacks:

  1. Volume-based attacks
  2. Protocol attacks
  3. Application layer attacks

The attack a company is usually best prepared to mitigate is a DoS attack at the network layer, such as sending a massive number of packets (e.g. a SYN flood) or holding connections open (Slowloris) to make the web server suffer. There are many tools available in the wild for this kind of attack. It is straightforward to detect with traffic anomaly detection at the ISP's anti-DoS service or the company's perimeter protection.

Below are the common attacks:

  • UDP flood (Volume Attack)
  • ICMP (Ping) flood (Volume Attack)
  • SYN flood (Protocol Attack)
  • Ping of Death (Protocol Attack)
  • Slowloris (Application Attack)
  • NTP Amplification (Volume Attack)
  • HTTP flood

The attack I discuss here abuses legitimate functionality at the application layer. It can be hard to detect because there is no anomaly at the network level and no exploitation of a functional flaw that a WAF could see. Also, this attack comes from authenticated users.

The easiest way to find exploitable functionality is to look for a function or API that retrieves data from the database, generates an image, parses an uploaded file, or builds a PDF or other document on the fly, where a particular parameter controls how much RAM or disk space the operation consumes.

For example, consider the sample API call below, whose parameter we can tamper with.

With the API call below we can query the number of records to be returned in a page.

We know there is a parameter, PageSize, which specifies the number of records to be returned in one page. An adversary could exploit this by changing the value to 1000000.

This could lead to memory exhaustion on the server, because the API will retrieve a large amount of data to return. Either the database or the application server could exhaust resources such as memory or disk capacity.
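The defensive counterpart of the PageSize abuse described above, as an added example that is not part of the original post: a server-side parser that never trusts the client's page size (missing or garbage values fall back to a default, oversized values are clamped to a hard maximum), plus a small check over constructed access-log lines that counts how often each authenticated user asked for more than the allowed page size. The function names, the limits (20 default, 100 maximum) and the log format are all assumptions made for this example.

```python
"""
Added example (not from the original post): bounding a PageSize-style
parameter server side and flagging users who repeatedly request more
than the bound. Names, limits and log format are assumptions.
"""
from dataclasses import dataclass
from collections import Counter
import re

DEFAULT_PAGE_SIZE = 20
MAX_PAGE_SIZE = 100      # hard upper bound enforced regardless of client input


@dataclass
class PageSizeDecision:
    effective: int      # value the query will actually use
    clamped: bool       # True when the client asked for more than MAX_PAGE_SIZE
    invalid: bool       # True when the value was not a positive integer


def parse_page_size(raw):
    """Turn the raw query-string value into a bounded page size.

    Missing or garbage input -> default; too large -> clamped to the maximum.
    The `clamped` flag lets the caller log the event for detection.
    """
    if raw is None or raw == "":
        return PageSizeDecision(DEFAULT_PAGE_SIZE, False, False)
    try:
        value = int(raw)
    except (TypeError, ValueError):
        return PageSizeDecision(DEFAULT_PAGE_SIZE, False, True)
    if value <= 0:
        return PageSizeDecision(DEFAULT_PAGE_SIZE, False, True)
    if value > MAX_PAGE_SIZE:
        return PageSizeDecision(MAX_PAGE_SIZE, True, False)
    return PageSizeDecision(value, False, False)


def build_query(page, raw_page_size):
    """Build a parameterised query whose LIMIT/OFFSET come from the bounded size.

    Returns (sql, params, decision) so the caller can both run the query and
    record whether the client's value had to be clamped.
    """
    decision = parse_page_size(raw_page_size)
    page = max(int(page), 1)
    offset = (page - 1) * decision.effective
    sql = "SELECT id, name FROM records ORDER BY id LIMIT %s OFFSET %s"
    return sql, (decision.effective, offset), decision


# Detection side: constructed sample access-log lines (hypothetical format).
SAMPLE_LOG = """\
user=alice path=/api/records?Page=1&PageSize=20 status=200
user=bob path=/api/records?Page=1&PageSize=1000000 status=200
user=bob path=/api/records?Page=2&PageSize=1000000 status=200
user=bob path=/api/records?Page=3&PageSize=500000 status=200
user=carol path=/api/records?Page=1&PageSize=50 status=200
"""

LOG_RE = re.compile(r"user=(\S+) path=\S*[?&]PageSize=(\d+)")


def oversized_requests_per_user(log_text, limit=MAX_PAGE_SIZE):
    """Return {user: count} of requests whose PageSize exceeded `limit`.

    Because the attacker is authenticated, counting per user rather than per
    source IP is what surfaces this pattern.
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and int(m.group(2)) > limit:
            counts[m.group(1)] += 1
    return dict(counts)


if __name__ == "__main__":
    sql, params, decision = build_query(1, "1000000")
    print(sql, params, decision)
    print(oversized_requests_per_user(SAMPLE_LOG))
```

The clamp is what removes the resource-exhaustion lever: a request for 1000000 records executes as a query for 100, so the database and application server do the same bounded work for every caller. The `clamped` flag and the per-user count are the detection hook, since the traffic volume itself looks normal.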

With this attack, the attacker does not need to generate a large amount of traffic, which keeps them invisible to volumetric detection. They can send a handful of legitimate-looking requests that trigger high resource utilization while mixed in with legitimate user access.

A successful attack will cause server performance to slow down or even stop completely.
