Why care about denial-of-service attacks when there are so many privilege elevation and information disclosure threats we should be worried about? For one reason, DoS costs you money: in *aaS environments, there's not only the indirect cost of disrupting your legitimate users' access to the service, but also the more immediate and measurable cost of the bandwidth, storage, and processing power that the attack consumes (and that the platform provider will happily bill you for). We should all care about DoS for another, darker, reason too: a foreign power may someday use a DoS attack as an act of cyberwarfare or cyberterrorism against US critical infrastructure systems. This talk will examine six DoS attack techniques used against cloud services. These attacks all target the application layer of the service, cannot be stopped with firewalls or IPS, do not require distributed attacks or botnets, and are highly efficient and asymmetric. In some cases, a single HTTP request of less than 50 bytes is sufficient to knock out a server until reboot. In addition to describing the attacks, we will also investigate the application design issues that lead to vulnerability, and demonstrate coding fixes and free testing tools that can be used to solve the problem.
Secdocs is a project aimed to index high-quality IT security and hacking documents. These are fetched from multiple data sources: events, conferences and generally from interwebs.
Serving 8166 documents and 531.0 GB of hacking knowledge, indexed from 2419 authors from 163 security conferences.