[Owasp-leaders] Anyone interested in the details of latest HTTP POST DDOS attack technique?
Wong Onn Chee
ocwong at usa.net
Mon Mar 8 11:12:20 EST 2010
Hi Nam,
You are right!
Apache replied that it is not a flaw of their Apache solutions, while MS
did not reject or agree to come up with a fix.
To make things worse, MS has a "rapid fail protection" sandbox feature,
which comes with good intentions.
However, this sandbox feature means a hacker only needs 60k slow HTTP
POST connections (~4.8kbps) to bring down an IIS server, regardless of
the hardware specs of the IIS server.
In such an attack, only the IIS service gets choked and no IIS response
will be sent out.
One can still RDP, telnet and even connect to any other services running
on the same Windows server.
Hence, such an attack is what I personally call "precision bombing".
In addition, at an aggregated (very slow) attack speed of ~4.8kbps, I
deem this as "stealth bombing" too, as it may evade most DDOS
monitoring parameters.
Lastly, given the current apathy among the 2 major web server vendors, I
can only pray, once the bad guys have finished their "3G" upgrade of
their botnets to make use of this new Layer 7 DDOS technique.
:-(
Do you think we, as OWASP, should escalate this to IETF instead?
Regards
Onn Chee
On 03/08/2010 05:51 PM, Nam Nguyen wrote:
> Just like Slowlaris, people may not consider this a security flaw.
>
> FTP, SMTP, or any protocol for that matter, waits for a terminating character. If one can connect to the service, he can deliberately not send that character to the server, and hence cause DoS. Again, 3 machines launching "inactive" connections are enough to make a 'nuclear grade weapon' here.
>
> Is the sky falling?
>
> Cheers
> Nam
>
> On Mon, 08 Mar 2010 17:32:38 +0800
> Wong Onn Chee <ocwong at usa.net> wrote:
>
>
>> Hi Kare,
>>
>> Attached as promised.
>>
>> On 03/08/2010 05:10 PM, Kåre Presttun wrote:
>>
>>> Hi Onn Chee.
>>>
>>> Please send me info. Thanks :-)
>>>
>>> Regards,
>>> Kåre
>>>
>>> On 08.03.2010 09:57, Wong Onn Chee wrote:
>>>
>>>
>>>> Hi,
>>>>
>>>> If you are interested in knowing more details about this latest attack
>>>> technique, do drop me a mail directly so as not to spam the leaders' list.
>>>>
>>>> The blackout period for both Apache and Microsoft has expired since end
>>>> Feb 2010, hence I can share the full details with anyone.
>>>>
>>>> Regards
>>>> Onn Chee
>>>>
>>>>
>>>> _______________________________________________
>>>> OWASP-Leaders mailing list
>>>> OWASP-Leaders at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>
>>>>
>>>
>>>
>
>
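The attack discussed in this thread (a POST whose headers promise a large body, followed by a body trickled out a byte at a time so the server keeps a worker waiting) and the server-side response a practitioner would want, as an added example. This is not code from the thread, from OWASP, or from Apache or Microsoft; the defence shown (an idle timeout plus a minimum average body data rate) is a generic mitigation chosen for the example, not anything the thread attributes to either vendor. The host name "victim.example", the path "/login" and the timing parameters are constructed, and the whole thing runs offline over a socketpair so nothing touches a real server.

```python
"""Slow HTTP POST (body starvation): the request an attacker sends, and a
body reader that refuses to be held open.  Added example, not from the
thread.  The request format follows RFC 7230; the defence is a generic
mitigation chosen here.  Runs offline on a socketpair."""
import socket
import threading
import time


def slow_post_head(host: str, path: str, content_length: int) -> bytes:
    """Request head the attacker sends in full.  The large Content-Length
    makes a naive server keep the connection (and a worker) open waiting
    for a body that then arrives one byte at a time, if at all."""
    return (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {content_length}\r\n"
        "\r\n"
    ).encode("ascii")


def parse_content_length(head: bytes) -> int:
    """Return the Content-Length from a request head (0 if absent)."""
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            return int(value.strip())
    return 0


class SlowBodyError(Exception):
    """Raised when the body does not arrive within the server's limits."""


def read_body(sock, content_length, initial=b"", *, idle_timeout, min_rate):
    """Read content_length bytes, giving up if the client starves us.

    idle_timeout: max seconds between two body chunks.
    min_rate: bytes/second the body must average; it becomes an absolute
    deadline so a one-byte trickle that never quite idles still fails."""
    buf = bytearray(initial)
    deadline = time.monotonic() + content_length / min_rate
    while len(buf) < content_length:
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            raise SlowBodyError(f"body rate below {min_rate} B/s")
        sock.settimeout(min(idle_timeout, remaining))
        try:
            chunk = sock.recv(min(65536, content_length - len(buf)))
        except socket.timeout:
            if remaining <= idle_timeout:  # the rate deadline fired first
                raise SlowBodyError(f"body rate below {min_rate} B/s")
            raise SlowBodyError(f"no body bytes for {idle_timeout}s")
        if not chunk:
            raise SlowBodyError("client closed before body was complete")
        buf += chunk
    return bytes(buf)


def simulate(content_length, bytes_per_send, interval, *, idle_timeout, min_rate):
    """One attacker connection against the defended reader.  The attacker
    thread sends the head, then bytes_per_send body bytes every `interval`
    seconds.  Returns ("ok", body_len) or ("rejected", reason)."""
    server, client = socket.socketpair()

    def attacker():
        try:
            client.sendall(slow_post_head("victim.example", "/login", content_length))
            sent = 0
            while sent < content_length:
                time.sleep(interval)
                n = min(bytes_per_send, content_length - sent)
                client.sendall(b"a" * n)
                sent += n
        except OSError:
            pass  # server closed its end: the worker was reclaimed
        finally:
            client.close()

    t = threading.Thread(target=attacker, daemon=True)
    t.start()
    try:
        head = b""
        while b"\r\n\r\n" not in head:
            chunk = server.recv(4096)
            if not chunk:
                return ("rejected", "connection closed before request head")
            head += chunk
        head, _, body_prefix = head.partition(b"\r\n\r\n")
        body = read_body(server, parse_content_length(head), body_prefix,
                         idle_timeout=idle_timeout, min_rate=min_rate)
        return ("ok", len(body))
    except SlowBodyError as e:
        return ("rejected", str(e))
    finally:
        server.close()
        t.join(timeout=5)


if __name__ == "__main__":
    # Well-behaved client: 64-byte body sent promptly, served normally.
    print(simulate(64, 64, 0.05, idle_timeout=1.0, min_rate=50))
    # Slow-POST attacker: 1 byte every 0.2 s against a 100 B/s minimum,
    # cut off at the 1 s rate deadline instead of holding a worker.
    print(simulate(100, 1, 0.2, idle_timeout=2.0, min_rate=100))
    # Client that sends the head and goes silent: idle timeout fires.
    print(simulate(100, 1, 1.0, idle_timeout=0.3, min_rate=10))
```

The two limits are deliberately separate: an idle timeout alone is defeated by sending one byte just inside it, which is exactly the ~0.08 bit/s per connection the aggregate figure in the thread implies, while the minimum-rate deadline bounds how long any one request can occupy a worker regardless of how the bytes are spaced. In production the same two knobs exist as server configuration (request body timeouts and minimum data rates) and should be set well below the worker pool's capacity divided by the connection rate an attacker can sustain.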