11

I recently read this article about how a lone hacker (The Jester) conducts, amongst various other things, his DoS attacks over layer 7 instead of layer 4. It also mentions at one point he was able to successfully DoS a website using just a 3G enabled phone as his attack platform.

I'm curious as to how this was actually done. Would a simple HTML script be able to cause this big an impact? Especially considering that the article seems to suggest he is able to deny service without having to distribute the attack.

For example, and I appreciate this is just a very basic one, finding a large element on a page and constantly requesting a large number of it:

<html>
<head>
<!-- reload the page every second so the images are requested again -->
<meta http-equiv="refresh" content="1" />
</head>
<body>
<img src="https://i.stack.imgur.com/jSusZ.png" width="5" height="5"/>
<img src="https://i.stack.imgur.com/jSusZ.png" width="5" height="5"/>
<img src="https://i.stack.imgur.com/jSusZ.png" width="5" height="5"/>
<img src="https://i.stack.imgur.com/jSusZ.png" width="5" height="5"/>
<img src="https://i.stack.imgur.com/jSusZ.png" width="5" height="5"/>
<img src="https://i.stack.imgur.com/jSusZ.png" width="5" height="5"/>
<!-- (x100) -->
</body>
</html>

Is this a viable, albeit very basic, AV for a layer 7 DoS?

Glorfindel
XOR

2 Answers

10

This is a perfectly fine and viable form of DOS attack.

In your example I would construct such an attack like this: say I XSS inject a very popular online page with a lot of hidden traffic to my target page; it could eventually DOS the target page, causing a variation of the Slashdot effect. This is a form of layer 7 DOS attack.

There are very many examples of layer 7 DOS attacks. It basically means you are exploiting flaws in the application logic, which could be anything from sticking the application in CPU intensive loops, making the application consume all local resources or simply having the layer 7 consume all bandwidth.

One more example of Layer 7 DOS could be if I take your username and try to log into an application somewhere many times with the wrong password, essentially leaving your account blocked and preventing you from logging in.

Layer 4 DOS can be a TCP flood attack where you send a bunch of TCP SYN packets to a host leaving the host with half open connections, potentially consuming all the resources the OS has available.

Edit: A good example of layer 7 DOS is Slowloris. Quotation on how it works follows:

Slowloris holds connections open by sending partial HTTP requests. It continues to send subsequent headers at regular intervals to keep the sockets from closing. In this way webservers can be quickly tied up. In particular, servers that have threading will tend to be vulnerable, by virtue of the fact that they attempt to limit the amount of threading they'll allow.

Chris Dale
  • But aren't *all* the requests from Slowloris originating from the same IP? Then what's the point, since the requests would be cut right at the very top of the processing. – Pacerier May 01 '13 at 00:52
10

A DoS is normally about resource exhaustion. There are many different resources you can exhaust but one of the easiest to determine from the outside is concurrent requests because you suddenly get HTTP 503 responses when you reach the limit.

For instance, if you can find a page with a slow load time, say 10 seconds, you only need to make 11 requests per second to use up all of the available connections. You don't even need to maintain the connection once you have made the request since the app will still do all the work to generate the page before discovering you aren't there any more. It will even waste time waiting for the TCP connection to time out.

Putting % into a poorly written search function can cause this as % is the MySQL wildcard symbol that will cause the search to return every row in the database.

A variant of this is the Slow-Loris attack where you make a simple request but throttle how fast you receive the response down to mere bytes per second. To achieve a DoS here, you only need to hold open more active connections than the site allows.

From vague memory, the default Apache MaxChildren setting is something like 50 which is probably achievable from a mobile phone.

A third variant has to do with control of a single, unique resource. Examples of this are MyISAM tables when reading and writing simultaneously and PHP session files. With a single slow request that locks the resource, all subsequent requests that require the same resource will simply wait until the slow request finishes.

An example of this might be making lots of alternate read and write requests to a forum or making a logged-in request (that requires the PHP session file) where you throttle how fast you receive the response. All requests with the same session ID will not even start until that one is finished but will still tie up an Apache child while they wait.

Some web serving software (such as nginx and Node.js) is designed to handle lots of simultaneous requests but is still susceptible to the other exhaustion techniques, such as locking a particular session file to block that user and hitting the maximum number of database connections.

You can also target CPU, memory, disk space, disk utilisation, open files, internal network bandwidth, open network connections (that the application makes if we're just talking about layer 7, not direct ones that you make), and you can target any of these on any server that your request touches such as the database or SAN or search server or whatever.

Ladadadada
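A defender-side check for the concurrent-request exhaustion Ladadadada describes (the slow page fetched once a second, the throttled-receive variant, and Pacerier's point that it can all come from one IP), written as an added example rather than code from either answer. It assumes an Apache access log whose LogFormat is "%h %t \"%r\" %>s %D" (so each line carries the request duration in microseconds), a constructed log sample, and a hypothetical worker_limit parameter standing in for the server's worker or child limit.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line shape: Apache LogFormat "%h %t \"%r\" %>s %D" (%D = microseconds).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<us>\d+)$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, start, end) for one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    start = datetime.strptime(m["ts"], TS_FMT)          # %t is the request start
    end = start + timedelta(microseconds=int(m["us"]))  # %D spans the whole request
    return m["ip"], start, end

def peak_concurrency(lines):
    """Sweep-line over each client's [start, end) intervals: peak requests in flight."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, start, end = parsed
        events[ip].append((end, -1))    # -1 sorts before +1 at equal times, so a
        events[ip].append((start, +1))  # request ending exactly as another starts
    peaks = {}                          # does not count as overlapping
    for ip, evs in events.items():
        evs.sort()
        cur = peak = 0
        for _, delta in evs:
            cur += delta
            peak = max(peak, cur)
        peaks[ip] = peak
    return peaks

def flag_clients(lines, worker_limit, share=0.5):
    """Clients whose peak concurrency alone holds >= `share` of the worker pool."""
    return {ip: p for ip, p in peak_concurrency(lines).items() if p >= share * worker_limit}

def constructed_sample():
    """Constructed log: one client fetching a 10-second '%' wildcard search once per
    second for 12 seconds, plus one ordinary visitor loading a fast page."""
    slow = ['203.0.113.7 [01/May/2013:00:52:%02d +0000] "GET /search?q=%% HTTP/1.1" 200 10000000' % s
            for s in range(12)]
    fast = ['198.51.100.9 [01/May/2013:00:52:03 +0000] "GET /index.html HTTP/1.1" 200 120000']
    return slow + fast
```

With a 10-second page requested once a second, the single client peaks at 10 requests in flight, which is half of a 20-worker pool but harmless against 50 workers, matching the arithmetic in the answer.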