Hackthissite attacked

Re: Hackthissite attacked

Post by cruisegirl713 on Thu Dec 23, 2010 11:00 am

For those that are noobs trying to learn

So basically it was something called a DoS level 7, where basically one connection hogs all the memory?? By sending a bunch of requests and whatnot? And Apache basically doesn't protect against this overload of requests?


Re: Hackthissite attacked

Post by OnlyHuman on Thu Dec 23, 2010 11:18 am

thetan will have to correct me on this if I'm wrong, but if I understood him correctly, this particular attack was what's known as a Layer 7 Slow Post Attack. It's certainly not the only Layer 7 attack out there, but it is the only one I've heard of that works the way it does. Basically, a post request is sent to a server that claims its size is relatively small, but what actually gets sent is significantly larger. An example might be that the request says the data is 368 bytes, but the actual posted content is somewhere near 2GB. Due to design, this tricks the server into leaving the connection open for the entire 2GB payload, thus requiring fewer requests to be sent to the server than many other DDoS attacks. It usually does originate from a single source connection as well, but the source address of each request that is sent to the server is spoofed, which tricks the server into believing it comes from many more, and has the potential to add another level of impact to the attack.

EDIT

I just realized that the strike-through text above is dead wrong. Just ignore it. This attack works by leaving the connection open by sending the correct amount of data over an extremely long period of time. The document I reread about it said something like 1 byte every 110 seconds. Slow POST attack. Duh! I get it. Man, I'm dumb. Enjoy the laugh, those who found it funny to watch me stumble through that. The goal is still the same; I had the method confused though.
Last edited by OnlyHuman on Thu Dec 23, 2010 2:13 pm, edited 3 times in total.


Re: Hackthissite attacked

Post by cruisegirl713 on Thu Dec 23, 2010 11:25 am

Thanks for the reply! I'm assuming this deceptive request is sent many times :D

Looked it up, and for anyone else interested and not understanding:

http://blog.spiderlabs.com/2010/11/adva ... tacks.html


Re: Hackthissite attacked

Post by OnlyHuman on Thu Dec 23, 2010 11:40 am

Well, many requests are sent, but they don't have to happen one right after the other. They can all be sent concurrently, if the attacker understands threads. Otherwise yes, the same request would be repeated many times. But, since the payload is so large, and the resource consumption happens so rapidly, it requires far fewer requests than many other forms of attack.

lol. I don't know. I'm guessing, due to design, this particular attack relies on concurrent connections from the same machine, or a single connection from several machines at once? Your guess is as good as mine on that. Just a logical assumption though, considering it would otherwise take an extremely long time for the requests to complete from both ends.

*sits back and waits for somebody else to give you the right answer*

edited due to Human error


Re: Hackthissite attacked

Post by thetan on Thu Dec 23, 2010 9:12 pm

It's all about making threads eat up memory.

Apache is implemented so it spawns one thread per connection. Each thread for any program allocates ~8 MB of memory just for stack space so it can call functions and track its trace so they know where to return and what state that function was left in.

So the point is to make the server spawn a shit ton of threads (threads allocate large chunks of mem just to run) and hold it open for as long as possible (this is where the slow part comes in).

However, the concept of allocating a single thread per connection is no longer required to maintain thousands of connections concurrently. Non-blocking IO is a method to handle thousands of connections within a single thread of execution efficiently and concurrently with a small (typically 2-8) pool of static threads without.

So it's the act of using a small number of threads client side (so you don't DoS yourself) to make a server open and hold open an outrageous pool of threads that will eat up a shit ton of memory.
"If art interprets our dreams, the computer executes them in the guise of programs!" - SICP

“If at first, the idea is not absurd, then there is no hope for it” - Albert Einstein
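
An added example, not part of the thread or any poster's code: a model of a server-side minimum-rate deadline for request bodies, run over constructed connection records, showing how such a policy releases the per-connection threads described above. The policy values, names and sample connections are assumptions; the 8 MB stack figure and the 1-byte-per-110-seconds pace are the ones quoted in the posts.

```python
from dataclasses import dataclass

STACK_MB = 8  # per-thread stack size quoted in the thread
NO_LIMIT = dict(initial=float("inf"), ceiling=float("inf"))  # server with no body timeout

@dataclass
class Conn:
    content_length: int  # body size declared in the request headers
    chunks: list         # (seconds since headers, body bytes received), constructed

def body_deadline(received, initial=20.0, min_rate=500, ceiling=120.0):
    """Assumed policy: `initial` seconds, plus 1 s per `min_rate` bytes, capped."""
    return min(initial + received / min_rate, ceiling)

def evaluate(conn, **policy):
    """Return ('complete' | 'dropped', time in seconds the thread is released)."""
    received = 0
    for t, n in sorted(conn.chunks):
        deadline = body_deadline(received, **policy)
        if t > deadline:          # next bytes arrived too late: connection already cut
            return "dropped", deadline
        received += n
        if received >= conn.content_length:
            return "complete", t
    return "dropped", body_deadline(received, **policy)  # body never finished

def held_stack_mb(conns, at, **policy):
    """Stack memory still pinned at time `at` under thread-per-connection."""
    return STACK_MB * sum(1 for c in conns if evaluate(c, **policy)[1] > at)

# Constructed sample connections (not captured traffic).
NORMAL = Conn(368, [(0.05, 368)])                               # whole body at once
UPLOAD = Conn(1_000_000, [(i, 100_000) for i in range(1, 11)])  # honest large upload
SLOW = Conn(368, [(110 * i, 1) for i in range(1, 369)])         # 1 byte every 110 s
FLEET = [SLOW] * 200 + [NORMAL, UPLOAD]

if __name__ == "__main__":
    for name, c in [("normal", NORMAL), ("upload", UPLOAD), ("slow", SLOW)]:
        print(name, evaluate(c), "| no limit:", evaluate(c, **NO_LIMIT))
    print("MB held at t=60s:", held_stack_mb(FLEET, 60),
          "| no limit:", held_stack_mb(FLEET, 60, **NO_LIMIT))
```

The deadline grows with bytes actually received, so the honest large upload finishes while the trickling connection is cut at the initial timeout.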