POST DoS in a hurry

Nov 23 2010

That DoS attacks are possible is well known. That they are also very easy to build, likewise.

But I did not know until now that it is this “easy”.

HTTP Post Denial Of Service: more dangerous than initially thought

An attacker establishes a number of connections with the web servers. Each one of these connections contains a Content-Length header with a large number (e.g. Content-Length: 10000000). Therefore, the web server will expect 10000000 bytes from each one of these connections. The trick is not to send all this data at once but to send it character by character over a long period of time (e.g. 1 character each 10-100 seconds). The web server will keep these connections open for a very long time, until it receives all the data. In this time, other clients will have a hard time connecting to the server, or even worse will not be able to connect at all because all the available connections are taken/busy. (…) Therefore, by default Apache 1.3 only allows 256 connections. Therefore, an attacker only needs to steal 256 connections before the web server stops responding. It’s the same situation even with Apache 2.0.

Boo.... That is how easy it would be.

Of course there are countermeasures etc., but it is still very easy to knock a web server flat for a while. Even without a horde of zombie PCs.
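One such countermeasure, as an added example that is not part of the original post or the quoted paper: bounding how long Apache will wait for a slowly arriving request body with mod_reqtimeout (available from Apache 2.2.15). The before/after values are assumptions chosen to illustrate the mechanism, not a tuning for any particular site.

```apache
# Before: only the global Timeout applies, and it is measured per read, so it is
# effectively reset every time a packet arrives. A client that sends one byte
# every 10-100 seconds never trips it, and the connection stays occupied until
# the announced Content-Length has arrived.
Timeout 300

# After: limit how long reading the request may take in total, independent of
# how slowly the bytes trickle in (mod_reqtimeout, Apache 2.2.15 and later).
LoadModule reqtimeout_module modules/mod_reqtimeout.so

# header=20-40,MinRate=500: allow 20 s to receive the headers; each 500 bytes
#   received extends the limit by 1 s, up to an absolute maximum of 40 s.
# body=20,MinRate=500:      allow 20 s to receive the body; each 500 bytes
#   received extends the limit by 1 s, with no upper bound (a legitimate large
#   upload is still accepted as long as it keeps arriving at 500 bytes/s).
RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500

# A client that announces Content-Length: 10000000 and sends 1 byte every 10 s
# delivers ~0.1 byte/s, far below 500 bytes/s, so the body limit expires after
# roughly 20 s and the connection slot is freed instead of being held for ~10^8 s.

# Independently, cap the request body size the server accepts at all (bytes).
# This does not stop slow senders on its own, but it limits what one request
# may legitimately claim; the value is an assumed example.
LimitRequestBody 1048576
```

Whether the slots are actually freed can be checked with the server-status page or a netstat-style listing of established connections while a single slow client is connected from a test host.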