Layer 7 DoS: Application Layer Denial of Service Attacks

META

Distributed denial-of-service attacks against popular websites usually originate from thousands of compromised devices. Their main aim is to overwhelm the target with sheer traffic volume and saturate its network links. Such attacks typically operate at Layer 3/4 (the network and transport layers of the ISO/OSI model) and are characterized by a huge number of packets sent toward the target.

Layer 7 (application layer of the ISO/OSI model) DoS/DDoS attacks instead target the “weak points” of a web application: operations that are cheap for a client to request but expensive for the server to carry out.


---

Statistics

To begin with, a statistic from a study by Incapsula: since 2016, application-layer DoS/DDoS attacks have been more prevalent than classical network-layer denial-of-service attacks.

Such attacks are hard to detect because a web application cannot easily distinguish them from normal traffic. Many factors contribute to this, but one of the most important is that, for various reasons (NAT, shared proxies, mobile carriers), an IP address cannot reliably identify a single client.

During network-layer attacks it is often possible to recognize illegitimate traffic and block the attacking IP addresses. With application-layer attacks this is much harder: the malicious request pattern has to be detected without blocking legitimate users.

Additionally, simple legitimate usage of a resource can also exhaust its resources — a phenomenon widely known as the “Slashdot effect” (or “Habr effect” in Russian-speaking communities).


---

Main Types of DoS/DDoS Attacks

Volumetric

Volumetric attacks aim to saturate the bandwidth of the web application’s hosting infrastructure by sending massive volumes of network traffic, usually in the form of UDP or ICMP floods.


---

Layer 3/4

These attacks exploit weaknesses in the network and transport protocol stack (IP and TCP).

The attacker sends packets designed to overflow, distort, or corrupt connection-state information. This forces the target device to perform additional network-processing work and slows down its responses.

Common attack vectors include:

TCP SYN flood

TCP fragmentation

Teardrop attacks

and others.



---

Layer 7

These attacks target the logic of the web application and aim to exhaust the web server’s resources by forcing it to process heavy requests, complex functions, or memory-intensive operations.


---

Application Resources

Most web servers can handle several hundred concurrent users during normal operation. The problem is that a single attacker can generate enough expensive requests from one host to cause a denial of service for a web application. Because the cost is per request rather than per packet, load balancing may not help at all.

Typical resource-exhaustion issues include:

CPU utilization — when CPU usage reaches 99%, other critical processes may stall.

RAM — improper memory allocation, leaks, or exhaustion can starve critical processes.

Processes and threads — deadlocks, uncontrolled forks, or race conditions.

Disk — disk space exhaustion.



---

Memory (RAM) Exhaustion Attacks

RAM is one of the most critical resources of a web server. Several attacks aim specifically to exhaust memory:

Recursion

A simple example of recursive code (the contents of current_file.php):

<?php
// Every execution of this file reaches this line and includes the file again.
include('current_file.php');

PHP allocates new memory for each inclusion and repeats the process until the memory limit is exhausted. In practice the attacker rarely controls the source; the self-inclusion usually comes from a Local File Inclusion (LFI) vulnerability, where an attacker-controlled path is pointed at the including script itself.


---

Zip Bombs

Web applications that allow uploading compressed files and extracting their contents may be vulnerable to this attack, especially if the application (or decompression library) does not properly validate the file.
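The validation this paragraph calls for, as an added example that is not code from the original post: a Python check that inspects only the zip central directory (declared sizes and compression ratios) before anything is decompressed, plus a bounded extractor that counts the bytes actually produced, because the declared sizes in a crafted archive can lie. The limits (50 MiB total, 100:1 ratio, 1000 members) and the in-memory test archives are assumptions constructed for the example.

```python
import io
import zipfile

# Limits assumed for this example; tune them per application.
MAX_TOTAL_UNCOMPRESSED = 50 * 1024 * 1024   # 50 MiB summed over all members
MAX_RATIO = 100                             # uncompressed:compressed per member
MAX_MEMBERS = 1000


def check_archive(data, max_total=MAX_TOTAL_UNCOMPRESSED, max_ratio=MAX_RATIO, max_members=MAX_MEMBERS):
    """Pre-check using only the central directory (nothing is decompressed).
    Returns None if the archive looks acceptable, otherwise a reason string."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        return f"not a zip archive: {exc}"
    with zf:
        infos = [i for i in zf.infolist() if not i.is_dir()]
        if len(infos) > max_members:
            return f"too many members ({len(infos)})"
        total = 0
        for info in infos:
            total += info.file_size
            if total > max_total:
                return f"declared total {total} bytes exceeds {max_total} at {info.filename!r}"
            ratio = info.file_size / max(info.compress_size, 1)
            if ratio > max_ratio:
                return f"{info.filename!r}: compression ratio {ratio:.0f}:1 exceeds {max_ratio}:1"
    return None


def extract_bounded(data, per_member_limit, max_total=MAX_TOTAL_UNCOMPRESSED):
    """Decompress member by member while counting the bytes actually produced, so a
    header that lies about file_size cannot defeat the check. Returns (files, error)."""
    files, total = {}, 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            out = bytearray()
            with zf.open(info) as member:
                while True:
                    chunk = member.read(64 * 1024)
                    if not chunk:
                        break
                    out += chunk
                    total += len(chunk)
                    if len(out) > per_member_limit or total > max_total:
                        return {}, f"{info.filename!r} exceeded the limit while decompressing"
            files[info.filename] = bytes(out)
    return files, None


def make_zip(members):
    """Constructed test data: build an archive in memory from (name, payload) pairs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members:
            zf.writestr(name, payload)
    return buf.getvalue()


# 8 MiB of zeros deflates to roughly 8 KiB, a ~1000:1 ratio: the shape of a zip bomb.
BOMB = make_zip([("zeros.bin", b"\0" * (8 * 1024 * 1024))])
# Poorly compressible bytes give a realistic ratio of a few to one.
BENIGN = make_zip([("data.bin", bytes(range(256)) * 4), ("readme.txt", b"example\n")])
```

Run both checks: the central-directory check is cheap enough to apply to every upload, and the bounded extractor is what actually protects you if an attacker forges the headers (nested archives, a further variant, need the same limits applied at every level).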


---

XML Bombs

Named entities in XML can expand not only into strings but also into sequences of other entities.

Although recursive (self-referencing) entity definitions are prohibited by the standard, nothing limits how deeply entities may reference one another, so an attacker can build a compact representation of an extremely long string. This is the basis of the “Billion Laughs” attack: ten nested levels of ten references each expand a three-byte entity into roughly three gigabytes of text.
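An added example (not code from the original post) of catching such a document before it is expanded: Python's expat binding reports each entity declaration while it reads the DTD, which comes before any reference in the body is resolved. Because the standard forbids recursion, every reference inside a replacement text points at an entity declared earlier, so the fully expanded size of each entity can be computed bottom-up from the declarations alone and the parse aborted as soon as one exceeds a budget. The budget of one million bytes, the function names and the constructed payload are assumptions for the example.

```python
import re
import xml.parsers.expat

# Budget for the fully expanded text of any single entity (assumed value for this example).
MAX_ENTITY_EXPANSION = 1_000_000

# General entity and character references inside a replacement text, e.g. &lol;, &amp;, &#65;
_REF = re.compile(r'&([^&;\s]+);')


class EntityBudgetExceeded(Exception):
    pass


def check_entity_budget(xml_bytes, budget=MAX_ENTITY_EXPANSION):
    """Return None if the document is acceptable, else a string saying why it was rejected.

    expat calls EntityDeclHandler for each <!ENTITY ...> while reading the DTD, before the
    document body is parsed, so the exception below stops the parse before any expansion.
    """
    expanded = {}   # entity name -> length of its fully expanded replacement text

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if is_param:
            return
        if value is None:   # external entity (SYSTEM/PUBLIC): a file or network fetch; reject outright
            raise EntityBudgetExceeded(f"external entity {name!r}")
        literal = len(_REF.sub('', value))
        # Names not declared earlier (predefined entities, character references) count as
        # their own literal length; declared ones contribute their computed expansion.
        total = literal + sum(expanded.get(r, len(r) + 2) for r in _REF.findall(value))
        if total > budget:
            raise EntityBudgetExceeded(f"entity {name!r} expands to {total} bytes (budget {budget})")
        expanded[name] = total

    parser = xml.parsers.expat.ParserCreate()
    parser.EntityDeclHandler = on_entity_decl
    try:
        parser.Parse(xml_bytes, True)
    except EntityBudgetExceeded as exc:
        return str(exc)
    except xml.parsers.expat.ExpatError as exc:
        return f"malformed XML: {exc}"
    return None


def billion_laughs(depth=9, fanout=10):
    """Constructed payload: lol = "lol", lol1 = 10 x lol, ..., lol9 = 10 x lol8 (about 3 GB expanded)."""
    decls = ['<!ENTITY lol "lol">']
    prev = 'lol'
    for i in range(1, depth + 1):
        decls.append('<!ENTITY lol%d "%s">' % (i, ('&%s;' % prev) * fanout))
        prev = 'lol%d' % i
    doc = '<?xml version="1.0"?>\n<!DOCTYPE lolz [\n%s\n]>\n<lolz>&%s;</lolz>\n' % ('\n'.join(decls), prev)
    return doc.encode()


# Constructed benign document: a small entity is fine.
BENIGN_XML = b'<?xml version="1.0"?><!DOCTYPE a [<!ENTITY greeting "hello">]><a>&greeting;</a>'
```

With the default budget the payload is rejected at the declaration of lol6 (3,000,000 bytes), nine declarations and a few hundred bytes into the input. The same handler also refuses external entities, which is where XXE (a different vulnerability with the same entry point) would otherwise start; in production you would additionally disable DTD processing entirely unless the application genuinely needs it.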


---

Deserialization

A relatively new but serious attack type included in OWASP Top 10 (2017) A8 – Insecure Deserialization.

Deserialization is the process of reconstructing data structures from a byte stream. Deserializing untrusted input without validation may lead to resource exhaustion (deeply nested or self-referencing object graphs) or even remote code execution.


---

File Header Manipulation

Manipulating values in a file header may cause resource exhaustion, for example when the application sizes buffers or loops according to the dimensions or lengths declared in the header rather than the actual content.

This can apply to:

images

videos

documents


Example: the pixel flood attack, where a tiny image declares enormous dimensions in its header so that the decoder allocates width × height pixels.
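The check a practitioner wants in front of any image decoder, as an added example that is not code from the original post: read only the PNG signature and IHDR chunk, verify the chunk CRC, compute the decoded size from the declared width, height, bit depth and colour type, and refuse the file before handing it to a decoder that would allocate that much. The 50-million-pixel budget and the two constructed test images are assumptions for the example; the constructed pixel-flood file claims 65535 × 65535 pixels in well under 100 bytes.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}      # PNG colour type -> samples per pixel
MAX_PIXELS = 50_000_000                        # assumed budget (about 200 MB as 8-bit RGBA)


def png_header(data):
    """Parse only the signature and the IHDR chunk. Returns (width, height, bit_depth, colour_type)."""
    if len(data) < 33 or data[:8] != PNG_SIGNATURE:
        raise ValueError("not a PNG file")
    length, chunk_type = struct.unpack(">I4s", data[8:16])
    if chunk_type != b"IHDR" or length != 13:
        raise ValueError("first chunk is not a valid IHDR")
    width, height, depth, colour = struct.unpack(">IIBB", data[16:26])
    (crc,) = struct.unpack(">I", data[29:33])
    if zlib.crc32(data[12:29]) & 0xFFFFFFFF != crc:      # CRC covers chunk type + data
        raise ValueError("IHDR CRC mismatch")
    return width, height, depth, colour


def check_png(data, max_pixels=MAX_PIXELS):
    """Return None if decoding fits the budget, otherwise a reason string. Never decodes pixels."""
    try:
        width, height, depth, colour = png_header(data)
    except ValueError as exc:
        return str(exc)
    if not (0 < width <= 0x7FFFFFFF and 0 < height <= 0x7FFFFFFF):
        return "invalid dimensions"
    if colour not in CHANNELS or depth not in (1, 2, 4, 8, 16):
        return f"invalid colour type/bit depth {colour}/{depth}"
    pixels = width * height
    decoded = pixels * CHANNELS[colour] * max(depth, 8) // 8   # decoders unpack sub-byte depths to bytes
    if pixels > max_pixels:
        return (f"{width}x{height} = {pixels} pixels (~{decoded} bytes decoded) exceeds budget "
                f"of {max_pixels} pixels; file is only {len(data)} bytes")
    return None


def build_png(width, height, raw_rows, colour=6, depth=8):
    """Constructed test data: a PNG whose IHDR claims width x height. raw_rows is the
    pre-compression scanline data; for the flood it is deliberately far too short."""
    def chunk(ctype, payload):
        return (struct.pack(">I", len(payload)) + ctype + payload
                + struct.pack(">I", zlib.crc32(ctype + payload) & 0xFFFFFFFF))
    ihdr = struct.pack(">IIBBBBB", width, height, depth, colour, 0, 0, 0)
    return (PNG_SIGNATURE + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(raw_rows)) + chunk(b"IEND", b""))


# 2x2 RGBA: each row is one filter byte plus 2 pixels x 4 samples.
BENIGN_PNG = build_png(2, 2, b"\0" * (2 * (1 + 2 * 4)))
# Header claims 65535 x 65535 (about 4.3 billion pixels, ~17 GB as RGBA) with eight bytes of row data.
PIXEL_FLOOD_PNG = build_png(65535, 65535, b"\0" * 8)
```

The same idea applies to any container format: read the declared geometry or length fields with a tiny parser you control, bound the work they imply, and only then call the full decoder. Other formats (JPEG, GIF, video containers) have their own header layouts and need their own small parsers.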


---

Infinite Data Streams

Examples include:

reading /dev/zero

reading /dev/urandom via LFI

making the server download extremely large remote files (such as the 1 TB test files offered by speed-test services), e.g. via SSRF



---

CPU Exhaustion Attacks

CPU is another critical resource of a web server. Attacks that exhaust CPU power can make a web application unresponsive.

ReDoS — Regular Expression Denial of Service

Not a new class of attack, but one that became widely known through the Stack Overflow outage of July 2016.

A user had inserted about 20,000 whitespace characters into a post. The regular expression used to trim whitespace tried every starting position within that run and backtracked through the rest of the run each time, performing about 200,010,000 steps (20,000 × 20,001 / 2) on a single string.

If a web application allows users to input regular expressions, or applies regular expressions with unanchored or nested quantifiers to user-controlled text, the input length and the patterns themselves must be carefully validated.
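An added example, not code from the original post, reproducing the failure mode above in Python: the pattern is the one Stack Overflow reported in its post-mortem, and the worst-case input places the run of spaces in the middle of a line, so the unanchored second alternative starts at every space, runs to the end of the run, fails on `$`, and backtracks. The linear replacement walks inward from both ends and returns the same result. The function names and the 4,000-space test input are assumptions for the example.

```python
import re
import time

# The pattern from Stack Overflow's July 2016 post-mortem: trim leading/trailing whitespace
# and zero-width non-joiners. The second alternative has nothing anchoring its left edge, so
# on a run of n spaces that does NOT end the line the engine does n + (n-1) + ... + 1 steps.
TRIM_RE = re.compile(r'^[\s\u200c]+|[\s\u200c]+$')


def trim_with_regex(text):
    return TRIM_RE.sub('', text)


def trim_linear(text):
    """Same result as TRIM_RE.sub in O(n): move two indices inward from the ends.
    re's \\s in str mode and str.isspace() use the same Unicode whitespace table."""
    def is_trim_char(c):
        return c.isspace() or c == '\u200c'
    start, end = 0, len(text)
    while start < end and is_trim_char(text[start]):
        start += 1
    while end > start and is_trim_char(text[end - 1]):
        end -= 1
    return text[start:end]


def backtracking_steps(run_length):
    """Comparisons the unanchored alternative performs on a run of run_length spaces
    followed by a non-space character: run_length * (run_length + 1) / 2."""
    return run_length * (run_length + 1) // 2


def worst_case_input(run_length):
    """Constructed input: a run of spaces in the middle of a line, the shape that hit Stack Overflow."""
    return 'x' + ' ' * run_length + 'x'


def compare(run_length=4000):
    """Return (regex_seconds, linear_seconds, results_equal) on the worst-case input."""
    text = worst_case_input(run_length)
    t0 = time.perf_counter()
    a = trim_with_regex(text)
    t1 = time.perf_counter()
    b = trim_linear(text)
    t2 = time.perf_counter()
    return t1 - t0, t2 - t1, a == b
```

With 4,000 spaces the regex already performs about 8 million steps; at Stack Overflow's 20,000 it is the 200,010,000 from the text. Python's `re` module has no timeout, so the practical defences are to bound the length of user text before matching, to avoid quantifiers whose left edge is unanchored next to `$`, and to prefer non-regex code for simple operations such as trimming.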


---

SQL Injection

Exploiting SQL injection vulnerabilities may significantly degrade application performance, especially through deliberately slow functions such as (in MySQL):

SLEEP()

BENCHMARK()



---

Fork Bombs

Processes that repeatedly spawn themselves until system resources are fully consumed.

A famous bash example:

:(){ :|:& };:


---

Resource / Function Abuse

An attacker may identify a resource-intensive operation within the web application and trigger it repeatedly to exhaust system resources.

Example: abusing password hashing functions. Algorithms such as bcrypt, scrypt and Argon2 are deliberately slow, so a flood of login attempts costs the server far more CPU than it costs the attacker to send them.


---

SSRF (Server-Side Request Forgery)

Exploiting SSRF vulnerabilities can allow attackers to force the server to perform numerous internal requests, potentially exhausting its resources.


---

Disk Space Exhaustion

Disk space is also a critical parameter of a web server.

Uploading Large Files

The most obvious way to fill disk space is to upload large files. If the application does not enforce proper limits, an attacker can keep uploading data until the server runs out of disk space.


---

Log File Overflow

If log rotation is not implemented, attackers can flood the system logs or trigger an excessive number of log entries, eventually exhausting disk space.


---

Tools for Testing Web Applications

I will deliberately avoid discussing narrowly specialized tools such as LOIC/HOIC, which are usually intended to take down specific web applications.

Malicious use of the following tools is illegal and may carry legal consequences depending on the laws of your country. Use them only to test your own servers, or servers you have explicit permission from the owner to test.

Examples of testing tools:

Slowloris — a well-known testing tool; an NSE script also exists for Nmap.

HULK (HTTP Unbearable Load King) — generates a large stream of unique requests designed to maximize server resource usage. To make filtering harder, HULK:

changes the User-Agent for every request.

hides the Referer.

uses no-cache and keep-alive.

generates unique URLs.


OWASP DoS HTTP POST — a tool from the OWASP project for generating “slow” HTTP requests.

GoldenEye — an HTTP denial-of-service testing tool that abuses HTTP Keep-Alive + NoCache.



---

Preventive Measures

Load testing is a good preventive measure for protecting web applications.

Stress testing, in which the load on the system exceeds normal operating scenarios, is used to analyze system response times under high or peak loads.

The main goal of load testing is to simulate the expected load on the system (for example, using virtual users or their actions) and observe the system’s performance metrics.

This allows developers and administrators to:

identify bottlenecks,

strengthen weak points in the web application,

reduce the risk of future service outages.
 