Queue based DoS x monkeyuser.com


A mischievous joke on those who need a cup of coffee to get going, when there is already a long queue for the only coffee machine on the floor… A truly evil person turns on the machine's cleaning mode, which takes almost an hour to complete.

 

Now think about the coffee machines in every kitchen on every floor, all simultaneously occupied by a long line of evil co-workers.

 

Don’t let anyone make a fool out of you, not only on April Fools’ Day.
Make sure that the applications you create are secure. Download our free Mobile Application Security Guide

 

Read more and check our tips.

 

 

A denial-of-service (DoS) attack is an attack in which the perpetrator's aim is to prevent a web application from operating normally. The attacker can mount it either by flooding the application with heavy network traffic or by exploiting an application-level bottleneck.

 

An application-level DoS, for example, can be caused by sending HTTP requests that abuse a function of the web application which takes a long time to execute and return a response because some kind of bottleneck is present (e.g. the application runs "heavy" SQL queries). A handful of such requests can tie up the server's worker threads or database connections, so that legitimate requests have to wait in line, just like the coffee queue.

 

A Distributed Denial of Service (DDoS) attack takes place when more than one machine is used to perform the DoS attack.

 

 

Surely you’ve heard about the following DoS attacks:

 

– During the opening ceremony of the 2018 Winter Olympics in PyeongChang, Russian hackers attacked and caused, among other things, roughly 12 hours of downtime for ticket printing and the official website. The malware responsible for the attack was named "Olympic Destroyer".

 

– During the US presidential campaign, DDoS attacks on the websites of the Hillary Clinton and Donald Trump campaigns were attempted several times via the Mirai botnet, classified as Layer 7 (HTTP) attacks.

 

– Another Mirai botnet attack targeted Dyn (a DNS service provider); as a result, services such as GitHub, Twitter, Reddit, Netflix and Airbnb were not available.

 

 

Interesting application-level DoS vectors:

 

 

Stay alert not only on April Fools’ Day:

  • Validate the application input (numbers, SQL query filters, image size, XML files, etc.)
  • Monitor and test application performance (and eliminate bottlenecks)
  • Find possible application-level DoS attack vectors during professional penetration testing
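To make the "heavy query" bottleneck described above concrete, here is an added example (not code from the original post, and not SecuRing's code) that pairs the attack pattern with the mitigations from the list: a search endpoint that hands an attacker-chosen pattern and LIMIT straight to the database, beside a version that validates the input, chooses a query plan that can stop early, and aborts any query that exceeds a per-request time budget. It runs against an in-memory SQLite table of constructed sample rows; the table, column and parameter names and the policy constants are assumptions made for illustration.

```python
"""Application-level DoS through an unbounded, attacker-steered query.

Added example, not code from the original post. Table, column and parameter
names and the policy constants are assumptions; the data is constructed.
"""
import sqlite3
import time

ROWS = 20_000               # constructed sample rows
MAX_PAGE_SIZE = 100         # assumed policy: hard cap on rows per request
MIN_QUERY_LEN = 3           # assumed policy: no "match everything" searches
MAX_QUERY_LEN = 64          # assumed policy: bound the pattern the DB scans for
DEFAULT_BUDGET_S = 0.05     # assumed policy: per-request database time budget


class QueryBudgetExceeded(Exception):
    """The request's database work ran past its time budget and was aborted."""


def build_db() -> sqlite3.Connection:
    """In-memory products table filled with ROWS constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, description TEXT)"
    )
    conn.executemany(
        "INSERT INTO products (name, description) VALUES (?, ?)",
        ((f"item-{i:06d}", f"description of item {i} " * 5) for i in range(ROWS)),
    )
    conn.commit()
    return conn


def search_vulnerable(conn: sqlite3.Connection, q: str, limit: int) -> list:
    """Passes the caller's pattern and limit straight to the database.

    An empty pattern matches every row, the leading wildcard forces a full
    scan, ORDER BY on an unindexed column sorts every match, and an unbounded
    LIMIT makes the server materialise the whole table for one request.
    A few parallel requests like this are the queue at the coffee machine.
    """
    cur = conn.execute(
        "SELECT id, name, description FROM products "
        "WHERE description LIKE '%' || ? || '%' ORDER BY name LIMIT ?",
        (q, limit),
    )
    return cur.fetchall()


def escape_like(q: str) -> str:
    """Neutralise user-supplied LIKE wildcards (used together with ESCAPE '\\')."""
    return q.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def validate_search_params(q, limit) -> tuple:
    """Input validation: reject parameters that steer the query cost."""
    if not isinstance(q, str) or not MIN_QUERY_LEN <= len(q) <= MAX_QUERY_LEN:
        raise ValueError(f"q must be {MIN_QUERY_LEN}-{MAX_QUERY_LEN} characters")
    try:
        limit = int(limit)
    except (TypeError, ValueError):
        raise ValueError("limit must be an integer") from None
    if not 1 <= limit <= MAX_PAGE_SIZE:
        raise ValueError(f"limit must be 1-{MAX_PAGE_SIZE}")
    return q, limit


def search_hardened(conn, q, limit, budget_s=DEFAULT_BUDGET_S) -> list:
    """Validated parameters, a plan that can stop early, and a hard time budget."""
    q, limit = validate_search_params(q, limit)
    deadline = time.monotonic() + budget_s
    # SQLite calls the progress handler every N virtual-machine instructions;
    # a non-zero return value interrupts the running statement.
    conn.set_progress_handler(lambda: 1 if time.monotonic() >= deadline else 0, 1000)
    try:
        cur = conn.execute(
            # ORDER BY the primary key lets the scan stop after `limit` matches
            # instead of sorting every matching row first.
            "SELECT id, name, description FROM products "
            "WHERE description LIKE ? ESCAPE '\\' ORDER BY id LIMIT ?",
            ("%" + escape_like(q) + "%", limit),
        )
        return cur.fetchall()
    except sqlite3.OperationalError as exc:
        if time.monotonic() >= deadline:
            raise QueryBudgetExceeded(f"query exceeded {budget_s}s budget") from exc
        raise
    finally:
        conn.set_progress_handler(None, 0)


if __name__ == "__main__":
    db = build_db()
    t0 = time.monotonic()
    rows = search_vulnerable(db, "", 10**9)      # "give me everything", no cap
    print(f"vulnerable: {len(rows)} rows in {time.monotonic() - t0:.3f}s")
    for bad in (("", 10), ("item", 10**9)):
        try:
            search_hardened(db, *bad)
        except ValueError as exc:
            print(f"hardened rejected {bad!r}: {exc}")
    print("hardened:", [r[1] for r in search_hardened(db, "item 12 ", 5)])
    try:
        search_hardened(db, "zzz", 10, budget_s=0.0)  # full scan, zero budget
    except QueryBudgetExceeded as exc:
        print("hardened:", exc)
```

The time budget is the part that survives attackers you did not anticipate: validation shrinks the attack surface, but a per-request cap on database work guarantees that one request can only ever hold a worker for a bounded time. Most database drivers expose an equivalent statement timeout; the SQLite progress handler is used here only because it runs offline.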

 

Install a camera and carefully monitor the queue near the coffee machines; add more machines if needed. Stay sharp, focused, and drink coffee.

 

Subscribe to our newsletter and stay in touch with us!

 

Follow us on Twitter | Medium | Facebook | LinkedIn | GitHub

 

The comics were created in collaboration with monkeyuser.com

Providing personal data is voluntary. We will send the newsletter until the consent is withdrawn (You can withdraw your consent at any time). Your data will be processed for a period specified in the Privacy Policy available at the following URL.
The Data Controller is SecuRing SJ with the registered office at ul. Kalwaryjska 65/6, 30-504 Kraków. I have the right to withdraw my consent at any time (by sending an e-mail to the address info@SecuRing.pl or by phone: +48 (12) 425 25 75). I have the right to access, rectify, erase or limit the processing of my personal data, the right to object, the right to file a complaint with the supervisory authority and right to transfer data. The legal basis for the processing of personal data is Article 6 (1) (a) of the General Data Protection Regulation (GDPR).
The Data Controller uses various IT solutions that allow for more efficient communication and cooperates with entities supporting it in its business and IT processes (i.e. these companies are data recipients/processors). Data are not transferred outside the European Economic Area. These companies have signed appropriate contracts for entrustment of personal data processing.