How We Found & Exploited a Layer 7 DoS Attack on FogBugz

Modern-day Denial of Service (DoS) attacks cause much consternation in the web security industry because they are so inexpensive, easy... and devastating! While the cost of conducting such attacks decreases by the day, the damage caused to target systems escalates with each attack. Attacks that capture the attention of the mass media use an army of infected devices to generate a massive amount of network traffic in order to take down target systems. They are typically low-complexity network attacks. The objective is to render the system unusable for legitimate users. However, not all application layer Denial of Service (DoS) attacks are the same. Though many aim to generate a very large amount of network traffic, sometimes it is enough to make only a few requests to achieve the desired effect. In this article, I explain how specific application behavior I encountered in FogBugz (a web-based project management tool) might easily be used to overload a system. The Netsparker web application security scanner reported this issue in the latest version of FogBugz in early July 2017.

What to Check to Determine Whether a DoS Vulnerability Existed

The first indicator to check is HTTP status codes. This does not...

Application Level Denial of Service – An In-Depth Guide

Denial of Service attacks that bring down popular websites often involve thousands of hacked consumer devices and servers. While these attacks mainly aim to overwhelm the target system with traffic in order to deny service to legitimate users, bugs at the Application Layer (Layer 7 in the OSI model) can have the same effect. Application Level Denial of Service (L7 DoS) errors are often tough to identify and sometimes even tougher to prevent. This guide aims to highlight the different techniques that will help you find out what to look for and where DoS conditions may occur.

Table of Contents
Random Access Memory (RAM)
Recursion
Recursive File Inclusion
Zip Bombs
Billion Laughs Attack
Tricking an Application Into Allocating a Huge Amount of Memory
Deserialization Vulnerabilities
Manipulating File Headers to Allocate Large Memory Chunks
Other Reading
Infinite Data Streams
Central Processing Unit (CPU)
Recursion
ReDoS
SQL Injection Wildcard Attack
Fork Bombs
Abusing Resource-Intensive Operations
Abusing Password Hashing Functions
Headless Browser SSRF
Disk Space
Uploading Large Files
Generating a Huge Amount of Databases or Log Files
Arbitrary File Deletion
Exhaust Allocated Resources for a Single User
Email Bomb
Free Website Restrictions
Cash Overflow
Logic-Based Denial of Service
X-Forwarded-For
Web Application Firewalls
Wasting the...

Researchers use sound to compromise hard drives in new DOS proof-of-concept

In an entirely new twist on the security of hard disk drives (HDDs), a team of researchers from Princeton and Purdue University have released a paper demonstrating how acoustic signals at specific frequencies can compromise devices that rely on HDD technology. Motivated by the insight that computers, closed-circuit television (CCTV) systems, medical bedside monitors, and

Bad Packets 2017 – A Year in Review

2017 has been another eventful year for denial-of-service attacks. Radware's ERT team has monitored a vast number of events, giving me ample opportunities to review and analyze attack patterns to gain further insight into trends and changes in the attack vector landscape. Here is some insight into what we have observed:

IoT Botnets

Attackers continue

The post Bad Packets 2017 – A Year in Review appeared first on Radware Blog.

Everything You Need to Know About DDoS Attacks

Since the first Denial-of-Service (DoS) attack was launched in 1974, Distributed Denial-of-Service (DDoS) attacks have remained among the most persistent and damaging cyber-attacks. Let's examine how these attacks have evolved and how your company can mitigate them:

DDoS in Review

A Denial-of-Service (DoS) attack is an attack targeting the availability of network resources and applications.

The post Everything You Need to Know About DDoS Attacks appeared first on Radware Blog.

My Network has High Cholesterol

5 out of 6 businesses struggle daily with low-profile DDoS attacks that consume their bandwidth and resources and pose a burden, resulting in poor service levels and customer experience.

You know how, when you get to a certain age, feeling 'good' is not good enough? Well, it might be good for your everyday life

The post My Network has High Cholesterol appeared first on Radware Blog.