Learn, hack!

URL

https://media.blackhat.com/bh-dc-11/Sullivan/BlackHat_DC_2011_Sullivan_Application-Level_Denial_of_Service_Att_&_Def-wp.pdf

File name

BlackHat_DC_2011_Sullivan_Application-Level_Denial_of_Service_Att_&_Def-wp.pdf

File size

100.8 KB

MD5

37dfb0867f5240caf52721453276c749

SHA1

38485ff01b4328f0ddf764433fe9c89018f8ba82

Why care about denial-of-service attacks when there are so many privilege elevation and information disclosure threats we should be worried about? For one reason, DoS costs you money: in *aaS environments, there's not only the indirect cost of disrupting your legitimate users' access to the service, but also the more immediate and measurable cost of the bandwidth, storage, and processing power that the attack consumes (and that the platform provider will happily bill you for). We should all care about DoS for another, darker, reason too: a foreign power may someday use a DoS attack as an act of cyberwarfare or cyberterrorism against US critical infrastructure systems. This talk will examine six DoS attack techniques used against cloud services. These attacks all target the application layer of the service, cannot be stopped with firewalls or IPS, do not require distributed attacks or botnets, and are highly efficient and asymmetric. In some cases, a single HTTP request of less than 50 bytes is sufficient to knock out a server until reboot. In addition to describing the attacks, we will also investigate the application design issues that lead to vulnerability, and demonstrate coding fixes and free testing tools that can be used to solve the problem.