[WEB SECURITY] RFC 2616

Chris Weber chris at lookout.net
Mon May 9 14:05:19 EDT 2005


DoS attacks can happen at many layers of the OSI model.  Through security
testing I've often found logical DoS attacks in the application layer
processing, such as taking in a large string and encrypting it on the server
side.  These are obviously quite different than DoS against the lower layers
like TCP.

Chris

-----Original Message-----
From: Tom Mason [mailto:TMason at golfbreaks.com] 
Sent: Monday, May 09, 2005 8:15 AM
To: websecurity at webappsec.org
Subject: RE: [WEB SECURITY] RFC 2616

Aren't DOS attacks an unavoidable consequence of the inherent openness of
HTTP?  To eradicate the possibility of DOS attacks, wouldn't we have to
modify HTTP to not allow unauthenticated connections (which is what makes
the web so great in the first place)?

Or is a DoS attack on a proxy something different that I don't know about?

Tom Mason - IT Developer
www.golfbreaks.com

-----Original Message-----
From: Jeremiah Grossman [mailto:jeremiah at whitehatsec.com]
Sent: 09 May 2005 15:50
To: websecurity at webappsec.org
Subject: Re: [WEB SECURITY] RFC 2616



Having thought I've been over the HTTP RFC's to a nauseous extent, I was
surprised to find that line in there.  I wonder if we can contact the
authors and see what they really had in mind. Anyone on the list know
them well enough to ask?


On Monday, May 9, 2005, at 07:44  AM, Ryan Barnett wrote:

> FUD-olicious, indeed :)  Now to answer your question specifically - 
> no, I don't know who is currently doing research, or what data they 
> have.

> Keep in mind that 2616 was written back in 99.  It wasn't too long 
> after that when the big DDoS attacks occured knocking out Ebay, Yahoo,

> etc....  That is why I don't think that they were referring to any 
> specific proxy/layer 7 DoS attacks, but rather the impact of taking 
> out a proxy with a DoS attack.
>
> While not a DoS attack against a proxy, you might find HTTP Response 
> Splitting interesting - 
> http://www.webappsec.org/projects/threat/classes/
> http_response_splitting.shtml
>
> --
> Ryan C. Barnett
> Web Application Security Consortium (WASC) Member SANS Instructor: 
> Securing Apache GCIA, GCFA, GCIH, GCUX, GSEC
>
> On 5/9/05, TheGesus <thegesus at gmail.com> wrote:
>> Ominously states....
>> ====================================
>> 15.7.1 Denial of Service Attacks on Proxies
>>
>>   They exist. They are hard to defend against. Research continues.   
>> Beware.
>> ====================================
>>
>> Any idea who's doing the research and what they have so far?
>>
>> BTW, if you Google "Denial of Service Attacks on Proxies" you get ~11

>> pages worth of...
>>
>> "They exist. They are hard to defend against. Research continues.   
>> Beware."
>>
>> Now I can't sleep at night.
>>
>> ---------------------------------------------------------------------
>> The Web Security Mailing List
>> http://www.webappsec.org/lists/websecurity/
>>
>>
>
> ---------------------------------------------------------------------
> The Web Security Mailing List
> http://www.webappsec.org/lists/websecurity/
>


---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/


---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/


---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/



More information about the websecurity mailing list