…definition. As I work on my research project on denial-of-service mitigation, I keep running into the concept of “application DoS.” Sadly, like many things in the security industry labeled “application something” (application security monitoring, anybody?), this one is not clearly defined. That lack of clarity leads to missed requirements and to misplaced trust in security controls that were never built to stop the attack in question.
- Is a “GET /” flood from a bunch of LOIC users an application DoS? Presumably yes.
- Will exploitation of a DoS-level vulnerability (one with a CVSS availability impact of “Complete”) qualify? Yes, indeed.
- How about Slowloris, which ties up a server's connection slots by sending partial HTTP requests very slowly, or other abuses of Apache's connection handling? Yes.
- What about adding 100,000 items to a web shopping cart? Absolutely.
However, an astute reader will realize that the above malicious activities are very dissimilar in nature, and different technologies may be required to mitigate them. The wide range of what is commonly considered application denial of service might call for an anti-DoS device (or service) for #1, a NIPS for #2, and a WAF for #3 and (likely) #4 as well. Mitigating #4 may also require changes to the application itself, since each individual cart-add request is legitimate and well-formed; only the aggregate is abusive, and the application is the only layer that knows what an abusive aggregate looks like.
In fact, the last example moves us dangerously close to a potentially “unstoppable” DoS, based on any of the many application features where a small action by an untrusted client (say, requesting a search page) triggers a lot of computation, disk I/O, or database work (an unbounded SELECT, password hashing, etc.). Delivering a useful (and sometimes large) piece of data in response to a small request is largely what the web is about, and eliminating every such asymmetry is impossible. Thus, it is pretty obvious that DoS will ALWAYS be with us…
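One application-level mitigation for the asymmetry described above (and for the shopping-cart case) is to throttle clients by the estimated work a request causes rather than by request count, and to put a hard cap on state a client can accumulate. The following is an added example written for this post, not code from the original; the endpoints, per-endpoint cost figures, bucket size, refill rate and cart limit are all constructed assumptions, and the simulated clock stands in for real time so the behaviour is reproducible.

```python
from collections import defaultdict

# Assumed per-endpoint cost in "work units" (constructed for this example).
# A search fans out into database queries, so it is charged far more than
# a static page even though both are a single small HTTP request.
REQUEST_COST = {
    "GET /": 1,
    "GET /search": 50,
    "POST /cart/add": 5,
}
DEFAULT_COST = 1
MAX_CART_ITEMS = 100   # hard cap on per-client state (assumed limit)


class CostBucket:
    """Per-client token bucket that charges estimated work, not request count.

    A client starts with `capacity` tokens; each allowed request subtracts its
    cost; tokens refill at `refill_per_sec` up to `capacity`. A cheap request
    flood and a few expensive requests both drain the same budget.
    """

    def __init__(self, capacity, refill_per_sec):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.tokens = defaultdict(lambda: capacity)
        self.last_seen = {}

    def allow(self, client, cost, now):
        elapsed = now - self.last_seen.get(client, now)
        self.tokens[client] = min(self.capacity,
                                  self.tokens[client] + elapsed * self.refill_per_sec)
        self.last_seen[client] = now
        if self.tokens[client] >= cost:
            self.tokens[client] -= cost
            return True
        return False


def handle(bucket, carts, now, client, request):
    """Return an HTTP-style status code for one request."""
    cost = REQUEST_COST.get(request, DEFAULT_COST)
    if not bucket.allow(client, cost, now):
        return 429                      # over the work budget, reject cheaply
    if request == "POST /cart/add":
        if len(carts[client]) >= MAX_CART_ITEMS:
            return 400                  # well-formed request, abusive aggregate
        carts[client].append("item")
    return 200


def run(events, capacity=100, refill_per_sec=10):
    """Replay (timestamp, client, request) events and return the status codes."""
    bucket = CostBucket(capacity, refill_per_sec)
    carts = defaultdict(list)
    return [handle(bucket, carts, t, client, req) for t, client, req in events]


if __name__ == "__main__":
    # Constructed traffic: a burst of expensive searches from one client.
    print(run([(0, "attacker", "GET /search")] * 5))
    # The same budget lets a normal client fetch the front page many times.
    print(run([(0, "user", "GET /")] * 20))
    # Slowly filling a cart hits the item cap, not the rate limit.
    print(run([(t, "user", "POST /cart/add") for t in range(105)])[-6:])
```

Two design points matter here. First, the budget is shared across endpoints, so an attacker cannot escape it by mixing cheap and expensive requests; the weak alternative, counting requests per client, lets 5 searches through as readily as 5 front-page fetches. Second, the cart cap is enforced in the application, since neither a network anti-DoS box nor a WAF can tell the 100,000th valid `POST /cart/add` from the first.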