Web DoS with Legitimate Request

Hi Guys,

I would like to share one of the common attack to web application is DoS (Denial of Service).

There are 3 types of DDoS Attacks:

  1. Volume-based attacks,
  2. Protocol attacks
  3. Application layer attacks.

The most common mitigation that company is usually well prepared is DoS attack at the network layer such as creating massive number of packets (e.g SYN attack) or keep live request (Slowloris) to make the web server suffer known. There are many tools available in the wild to do this attack. This kind of attack is very easy to be detected by some traffic anomaly detection at the level of ISP anti DoS or Company’s perimeter protection

Below is common attack

  • UDP flood (Volume Attack)
  • ICMP (Ping) flood (Volume Attack)
  • SYN flood (Protocol Attack)
  • Ping of Death (Protocol Attack)
  • Slowloris (Application Attack)
  • NTP Amplification (Volume Attack)
  • HTTP flood

The attack that I would discuss here is about exploiting the legitimate functionality of the application at Application layer. This could be hard to detect because there is no anomaly in the network level or any functionality exploitation that could be detected by WAF. Also usually this attack usually comes from authenticated users.

The easiest way to find exploitable functionality is to find function or API to retrieve data from the database, generate Image, File upload parser, PDF or any other documents on the fly based on certain parameter which impact the RAM utilization, Disk space,

For example the below sample API call that we can tamper the the parameter

with the below API call we can query number of record to be returned in a page.

but we know that the there is parameter PageSize which specify the number of record to be returned in one page. The adversaries could exploit this by changing the value into 1000000

This could lead to memory exhaustion in the server because the API will try to retrieve large amount of data to be returned. This could cause either the database or the application server exhausted of some resource such as memory or high disk utilization.

With the above attack, The attacker does not need to create large amount of traffic which will make their present is invisible to any volumetric based detection. They could simulate several legitimate traffic but triggering high resource utilization among the legitimate user access.

Successful attack will cause the server performance to slowdown or even totaly stop

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s