Ask the Expert

Denial of service and Ajax

Is it easier to force a denial of service attack with Ajax?

Requires Free Membership to View

Billy Hoffman, a lead researcher in SPI Labs and an Ajax expert, is the perfect person to answer this question. So his answer is below:

"If you want to cause a denial of service (DoS) with a traffic flood, JavaScript can do it several ways. XmlHttpRequest (the workhorse of Ajax) can do it, but it can only talk to the domain it comes from. Thus, I could make a botnet of MySpace users but I could only attack MySpace with it if I used it.

I would argue the way Ajax applications can make you more open to a DoS is from all the open Web services and Ajax endpoints. Because you can directly call parts of the control logic of the program, you can do more damage then just blindly requesting files. A flood of traffic to an Ajax endpoint is probably worse than a traffic flood against a random page because each time you contact that Web service the server has some computation to do. Furthermore, responses from Ajax endpoints are not typically cached by Squid or any other 'Web site accelerator.'

Another DoS vector I see with Ajax applications is calling the Web services out of order. This would vary from application to application, but by looking at the JavaScript code that's pushed to the client, I can see in what order and how often Web services are contacted. In essence, this blueprint of how the app works gives an attacker the blueprint of how to break it. Some Web services may allocate resources where another one cleans them up. An attacker simply never calls the clean up functions. Even if the code fails gracefully, it is extremely expensive for a program to generate an Exception, even if it gets caught.

A traffic flooding DoS is like throwing millions of small punches hoping you take an opponent down. A control logic DoS is like cutting open an opponent's head and punching them a few times in the brain."

And here's my answer:

I also tend to see sloppy implementation of Ajax inadvertently causing DoS attacks. For example, I know of a company that decided to implement some Ajax intelligence technology into their search bar on their Web site. What they did not think about was that doing this multiplied their traffic by eight times. For every one search query going to their application it now was broken down to each letter being a single hit. So it ended up crashing their bandwidth.

More information:

Billy Hoffman is a lead researcher in the SPI Labs Research and Development group. He is an oft quoted expert on AJAX security and is a frequent speaker at conferences on the topic. Hoffman is currently co-authoring a book on Ajax security for Addison-Wesley.

This was first published in December 2006

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: