[Owasp-leaders] [Owasp-topten] OWASP Top 10 Methodology

Ryan Barnett ryan.barnett at owasp.org
Thu Mar 14 20:16:09 UTC 2013


Another consideration - Dave brought up the fact of infrastructure vs app attacks. In this case, many DDoS are aimed at the web server platform in use. Is this considered infrastructure or application?  I don't think it is strictly either but I do lean towards app more than infrastructure. 

--
Ryan Barnett


On Mar 14, 2013, at 4:11 PM, Ryan Barnett <ryan.barnett at owasp.org> wrote:

> Many of the DDoS tools include app layer attack options with:
> 
> 1) GET/POST flooding
> 2) Slow Requests
> 3) Web Server platform vuln (like the Apache Range header vuln)
> 
> These are applicable to a large number of sites. 
> 
> --
> Ryan Barnett
> 
> 
> On Mar 14, 2013, at 3:56 PM, "Dennis Groves" <dennis.groves at owasp.org> wrote:
> 
>> On 14 Mar 2013, at 19:04, Ryan Barnett wrote:
>> 
>>> Dave,
>>> I agree with all of your points.  Determining the estimated Risk level for
>>> DDoS is challenging, especially when you consider the org's vertical market.
>>> As you referenced in your BankInfoSecurity story, Finance verticals are
>>> being targeted as part of a multi-pronged attack where DDoS are used as a
>>> smoke-screen for ACH transfers.  The attacker uses a combination of Banking
>>> Trojans client-side with C&C to IRC botnets which can launch DDoS floods.
>>> So the impact of the website downtime will be removed once the attack stops,
>>> however the end result is that funds were also stolen.
>>> 
>>> I will get with Pawel and see if we can put together a Risk rating
>>> estimation for consideration.
>> 
>> Realistically speaking, the risk of a bot-net DDoS from anybody with $500 to put behind their revenge for a bank stealing their house and then getting a government bailout for the same, vs. an attacker finding an application level DOS via a non terminating regex or account lockout for too many wrong passwords, is night and day.
>> 
>> I don't see how Application DOS could possibly be in the Top 10.
>> 
>> Dennis
>> 
>> 
>> -- 
>> [Dennis Groves](http://about.me/dennis.groves), MSc
>> [Email me](mailto:dennis.groves at owasp.org) or [schedule a meeting](http://goo.gl/8sPIy).
>> 
>> *This email is licensed under a [CC BY-ND 3.0](http://creativecommons.org/licenses/by-nd/3.0/deed.en_GB) license.*
>> 
>> **Please do not send me Microsoft Office/Apple iWork documents.**
>> Send [OpenDocument](http://fsf.org/campaigns/opendocument/) instead!
>> Stand up for your freedom to install [free software](http://www.fsf.org/campaigns/secure-boot/statement).
>> 
>>> The idea that some lives matter less is the root of all that’s wrong with the world. -- Paul Farmer
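The account-lockout DoS that Dennis mentions in passing, as an added illustration (not code from the thread or from OWASP): a fixed "lock after N failures" policy lets anyone who knows a username lock that user out, while a back-off keyed on the (source, account) pair slows the flooding source without denying the legitimate user elsewhere. Names, thresholds and the addresses in the scenario are all constructed for this example.

```python
from collections import defaultdict


class HardLockPolicy:
    """Weak policy: N bad passwords from anyone lock the account for everyone."""

    def __init__(self, max_failures=5):
        self.max_failures = max_failures
        self.failures = defaultdict(int)  # account -> consecutive failures

    def attempt(self, account, source, password_ok, now):
        if self.failures[account] >= self.max_failures:
            return "locked"           # legitimate user is denied too
        if password_ok:
            self.failures[account] = 0
            return "ok"
        self.failures[account] += 1
        return "denied"


class ThrottlePolicy:
    """Hardened policy: exponential back-off per (source, account); no global lock."""

    def __init__(self, base_delay=1, max_delay=300):
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.failures = defaultdict(int)    # (source, account) -> failures
        self.not_before = defaultdict(int)  # (source, account) -> earliest next try

    def attempt(self, account, source, password_ok, now):
        key = (source, account)
        if now < self.not_before[key]:
            return "throttled"        # only this source/account pair waits
        if password_ok:
            self.failures[key] = 0
            return "ok"
        self.failures[key] += 1
        delay = min(self.base_delay * 2 ** (self.failures[key] - 1), self.max_delay)
        self.not_before[key] = now + delay
        return "denied"


def simulate(policy):
    """Constructed scenario: 20 wrong passwords for 'alice' from an attacker
    address over 20 seconds, then alice logs in correctly from her own address.
    Returns the outcome of alice's legitimate login."""
    for t in range(20):
        policy.attempt("alice", "198.51.100.7", password_ok=False, now=t)
    return policy.attempt("alice", "203.0.113.10", password_ok=True, now=21)
```

With the weak policy the victim's own login comes back "locked"; with the throttle it comes back "ok" while the flooding source keeps hitting "throttled".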