[thelist] Denial of Service attack.... [long-ish reply]

Asegu asegu at borgtech.ca
Mon Oct 27 19:10:43 CST 2003

> Are they easy? Can people just do them from one PC or do they have to get
> a bank of them to "do the deed"
There are software out there pre-made that will do it for you. Which
unfortunatly makes it very easy to do.
With a bit of analysis it is possible to find scripts that take much more
time to process a request then a person needs to send it, then call it
many many times.
More relevant to the world of web might be passing text through a regular
expression like:
 "((.*)\\1.*)\\2" which would recognise something like "aabaab" (in a very
complex fashion) could require a lot of processing (downside of regular
expressions). Personlay to avoid even a remote possibility of DoS, I do a
string length verification of my inputs before doing validation. Send a
few post requests a minute to such scripts parses those and you might end
up over loading the web server to the point where it can't easily parse
requests for others.

Also known are techniques at the TCP level. for example ,If you open part
way a TCP connection and don't complete it, then the connection pool at
the server might get blocked up.

Can a person do them from their PC? That question is largely dependant on
a few points... basicaly it comes down to, can you find a request that
takes a lot more time on the server to process then for your PC to request
and transmit. It could also be dependant on your connection speed compared
to the connection speed at the other end.
Also, if they do it from their own PC, it is usualy very easy to trace
back unless you use forged IP packets with a forged "from" header. For
more details on the implications of that (+defense) I recommend RFC 2827
"Network Ingress Filtering: Defeating Denial of Service Attacks which
employ IP Source Address Spoofing".

Getting a bank of PCs to do a DoS is actualy entering into the territory
of DDoS (distributed denial of service) and that is much more nasty as you
end up with a lot more clients doing a DoS on you, which means a lot more
address to block.

> Read about this "UK" youth who tied up The Port of Houston from his home
> PC?
I did. From what I remember, he was attacking the server to possibly try
and insert a trojan to then amplify his attack on the way to his target. I
didn't look for much more details. It just went in my mind "another

I hope this answers your questions,

More information about the thelist mailing list