[Owasp-leaders] [Owasp-topten] OWASP Top 10 Methodology
Ryan Barnett
ryan.barnett at owasp.org
Thu Mar 14 20:11:04 UTC 2013
Many of the DDoS tools include app layer attack options with:
1) GET/POST flooding
2) Slow Requests
3) Web Server platform vuln (like the Apache Range header vuln)
These are applicable to a large number of sites.
--
Ryan Barnett
On Mar 14, 2013, at 3:56 PM, "Dennis Groves" <dennis.groves at owasp.org> wrote:
> On 14 Mar 2013, at 19:04, Ryan Barnett wrote:
>
>> Dave,
>> I agree with all of your points. Determining the estimated Risk level for
>> DDoS is challenging, especially when you consider the org's vertical market.
>> As you referenced in your BankInfoSecurity story, Finance verticals are
>> being targeted as part of a multi-pronged attack where DDoS are used as a
>> smoke-screen for ACH transfers. The attacker uses a combination of Banking
>> Trojans client-side with C&C to IRC botnets which can launch DDoS floods.
>> So the impact of the website downtime will be removed once the attack stops,
>> however the end result is that funds were also stolen.
>>
>> I will get with Pawel and see if we can put together a Risk rating
>> estimation for consideration.
>
> Realistically speaking, the risk of a bot-net DDoS from anybody with $500 to put behind their revenge for a bank stealing their house and then getting a government bailout for the same, vs. an attacker finding an application-level DOS via a non-terminating regex or account lockout for too many wrong passwords, is night and day.
>
> I don't see how Application DOS could possibly be in the Top 10.
>
> Dennis
>
>
> --
> [Dennis Groves](http://about.me/dennis.groves), MSc
> [Email me](mailto:dennis.groves at owasp.org) or [schedule a meeting](http://goo.gl/8sPIy).
>
> *This email is licensed under a [CC BY-ND 3.0](http://creativecommons.org/licenses/by-nd/3.0/deed.en_GB) license.*
>
> **Please do not send me Microsoft Office/Apple iWork documents.**
> Send [OpenDocument](http://fsf.org/campaigns/opendocument/) instead!
> Stand up for your freedom to install [free software](http://www.fsf.org/campaigns/secure-boot/statement).
>
>> The idea that some lives matter less is the root of all that’s wrong with the world. -- Paul Farmer
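The three app-layer options Ryan lists (GET/POST flooding, slow requests, and the Apache Range header problem) each leave a distinct footprint in an access log. The following is an added example, not code from this thread or from OWASP, showing how a defender might flag all three from one log pass. The log format (ip, timestamp in seconds, method, path, status, bytes, duration in ms, quoted Range header or "-"), the sample lines and every threshold are assumptions constructed for the example.

```python
import re
from collections import defaultdict, deque

# Assumed log format (constructed for this example, not any server's default):
# ip ts_seconds method path status bytes duration_ms ("Range header" | -)
LOG_RE = re.compile(
    r'^(\S+) (\d+) (\S+) (\S+) (\d+) (\d+) (\d+) (?:"([^"]*)"|-)$'
)


def build_sample_log():
    """Constructed sample traffic: one flooder, one slow-request client,
    one multi-range request and one ordinary visitor."""
    lines = []
    for i in range(25):  # 25 GETs inside three seconds from one address
        lines.append(f"10.0.0.5 {100 + i // 10} GET /index.html 200 5120 12 -")
    for i in range(4):  # connections held open for 30 s each, sending nothing
        lines.append(f"10.0.0.6 {100 + i} POST /login 408 0 30000 -")
    lines.append('10.0.0.7 105 GET /big.iso 206 4096 40 "bytes=0-,1-,2-,3-,4-,5-,6-"')
    lines.append("10.0.0.8 106 GET /about.html 200 2048 9 -")
    return lines


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status, nbytes, dur, rng = m.groups()
    return {"ip": ip, "ts": int(ts), "method": method, "path": path,
            "status": int(status), "bytes": int(nbytes),
            "duration_ms": int(dur), "range": rng}


def count_ranges(header):
    """Number of byte ranges in a Range header; 0 when absent or not byte-based."""
    if not header or not header.startswith("bytes="):
        return 0
    return sum(1 for part in header[len("bytes="):].split(",") if part.strip())


def detect(lines, window_s=10, flood_threshold=20,
           slow_ms=5000, slow_threshold=3, max_ranges=5):
    """Flag per-IP request floods (sliding window), repeated slow requests,
    and single requests carrying an excessive number of byte ranges.
    All thresholds are assumed values; tune them to the site's baseline."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])  # stable sort keeps log order within a second

    windows = defaultdict(deque)   # ip -> timestamps inside the current window
    peak = defaultdict(int)        # ip -> highest request count seen in any window
    slow = defaultdict(int)        # ip -> number of requests over slow_ms
    ranges = []                    # (ip, range_count) for over-limit Range headers

    for e in events:
        ip = e["ip"]
        w = windows[ip]
        w.append(e["ts"])
        while e["ts"] - w[0] > window_s:
            w.popleft()
        peak[ip] = max(peak[ip], len(w))
        if e["duration_ms"] >= slow_ms:
            slow[ip] += 1
        n = count_ranges(e["range"])
        if n > max_ranges:
            ranges.append((ip, n))

    return {
        "flood": {ip: c for ip, c in peak.items() if c >= flood_threshold},
        "slow": {ip: c for ip, c in slow.items() if c >= slow_threshold},
        "range": ranges,
    }


if __name__ == "__main__":
    for kind, hits in detect(build_sample_log()).items():
        print(kind, hits)
```

The point of keeping the three checks in one pass is that the risk discussion in this thread hinges on which of them a given site is actually exposed to: a flood shows up as peak request count per source, slow requests as long durations with near-zero bytes transferred, and the Range header case as a single request rather than a volume signal, so a pure rate limiter would never see it.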