News Stay informed about the latest enterprise technology news and product updates.

OWASP Guide to Building Secure Web Applications and Web Services, Chapter 22: Denial of Service Atta

This section of the OWASP Guide to Building Secure Web Applications and Web Services will help you make sure the application is robust as possible in the face of denial of service attacks.

This article is provided by special arrangement with the Open Web Application Security Project (OWASP). This article...

is covered by the Creative Commons Share-Alike Attribution 2.5 license. You can find the latest version of this article and more free and open application security tools and documentation at http://www.owasp.org.


Denial of Service Attacks

Objective
To ensure that the application is robust as possible in the face of denial of service attacks.

Platforms Affected
All.

Relevant COBIT Topics
DS5.20 – Firewall architecture and connection with public networks

Description
Denial of Service (DoS) attacks has been primarily targeted against known software, with vulnerabilities that would allow the DoS attack to succeed.

Excessive CPU consumption
Modern MVC style applications are significant code bases in their own right. Many of the non-trivial business requests, such as report generation and statistical analys can consume quite large chunks of CPU time. When the CPU is asked to perform too many tasks at once, performance can suffer.

How to determine if you are vulnerable
Stress test your application to understand where the bottlenecks are.

How to protect yourself

  • Only allow authenticated and authorized users to consume significant CPU requests.

  • Carefully meter access to these bottlenecks and potentially re-code or change parameters to prevent the basic default requests from consuming so much CPU time.

Excessive disk I/O consumption
Database searches, large images, and huge cheap disks lead to unending requests for more disk I/Os. However, the best I/O's are the I/O's not taken. These might be serviced from RAM or simply not performed at all. Once a disk is required to search say a 50 MB index for each and every request, even the most grunty server will fail with even a moderate user load.

How to determine if you are vulnerable
Stress test your application to understand where the bottlenecks are.

How to protect yourself

  • Only allow authenticated and authorized users to consume significant disk I/O requests.

  • Carefully meter access to these bottlenecks and potentially re-code or change parameters to prevent the basic default requests from consuming so much disk time or space.

Excessive network I/O consumption
How to determine if you are vulnerable

  • Profile your application with a network optimization tool.

  • Any page or resource which gives out over a 20x input ratio (ie one kb request returning a 20 kb page and images) is a huge DoS amplifier and will quickly bring your site to its knees if a Slashdot post or attacker hits.

How to protect yourself

  • Only allow authenticated and authorized users to consume significant network requests.

  • Minimize the total size of any unauthenticated pages and resources.

  • Use a DoS shield or similar to help protect against some forms of DoS attack, however, be warned these devices cannot help if the upstream infrastructure has been overwhelmed.

User Account Lockout
A common denial of service attack against operating systems is to lockout user accounts if an account lockout policy is in place.

How to determine if you are vulnerable
Using an automated script, an attacker would try to enumerate various user accounts and lock them out.

How to protect yourself

  • Allow users to select their own account names. They are remarkably good at this.

  • Do not use predictable account numbers or easily guessed account names, like "A1234" "A1235", etc.

  • Record user lockout requests. If more than one account is locked out by the same IP address in a short time (say 30 seconds), prevent access from that source IP address.

  • Automatically unlock accounts after 15 minutes.

Further reading
http://www.corsaire.com/white-papers/040405-application-level-dos-attacks.pdf

Dig Deeper on Internet Application Security

PRO+

Content

Find more PRO+ content and other member only offers, here.

Start the conversation

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

-ADS BY GOOGLE

SearchMicroservices

TheServerSide.com

SearchCloudApplications

SearchAWS

SearchBusinessAnalytics

SearchFinancialApplications

SearchHealthIT

DevOpsAgenda

Close