Security Testing Tutorial

Security Testing - Denial of Service

A Denial of Service (DoS) attack is an attempt by attackers to make a network resource unavailable. It usually interrupts, temporarily or indefinitely, a host that is connected to the internet. These attacks typically target services hosted on mission-critical web servers, such as banks and credit card payment gateways.

Symptoms of DoS

  1. Unusually slow network performance.

  2. Unavailability of a particular web site.

  3. Inability to access any web site.

  4. Dramatic increase in the number of spam emails received.

  5. Long-term denial of access to the web or any internet services.

Hands On

Step 1 − Launch WebGoat and navigate to the 'Denial of Service' section. A snapshot of the scenario is given below. We need to log in multiple times there, exceeding the maximum DB thread pool size.

[Screenshot: dos]

Step 2 − First we need to get the list of valid logins. In this lesson, we use SQL Injection for that.

[Screenshot: dos1]

Step 3 − If the attempt is successful, it displays all valid credentials to the user.

[Screenshot: dos3]

Step 4 − Now log in with each of these users in at least 3 different sessions in order to make the DoS attack successful. As we know, the DB connection pool can handle only two threads; by using all the logins, three threads are created, which makes the attack successful.

[Screenshot: dos4]
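The lesson above hinges on a pool of two DB connections being held by three concurrent sessions. The following added example (not part of WebGoat or the original tutorial) models that pool in Python and shows the two controls a defender would add: a checkout timeout, so an exhausted pool fails fast instead of hanging every later request, and a per-user session cap, so one login cannot hold the whole pool. The class, the `simulate_logins` helper and the user names are constructed for illustration.

```python
import queue
import threading
from collections import defaultdict


class ConnectionPool:
    """Bounded DB connection pool. checkout_timeout=None reproduces the
    lesson's behaviour: a third session waits forever on a two-slot pool."""

    def __init__(self, size, checkout_timeout=None, max_sessions_per_user=None):
        self._free = queue.Queue()
        for i in range(size):
            self._free.put(f"conn-{i}")          # constructed connection handles
        self.checkout_timeout = checkout_timeout
        self.max_sessions_per_user = max_sessions_per_user
        self._active = defaultdict(int)           # open sessions per user
        self._lock = threading.Lock()

    def acquire(self, user):
        # Mitigation 1: a per-user cap keeps one login from monopolising the pool.
        with self._lock:
            cap = self.max_sessions_per_user
            if cap is not None and self._active[user] >= cap:
                raise RuntimeError(f"too many sessions for {user}")
            self._active[user] += 1
        try:
            # Mitigation 2: a bounded wait turns a hang into a fast, loggable error.
            return self._free.get(timeout=self.checkout_timeout)
        except queue.Empty:
            with self._lock:
                self._active[user] -= 1
            raise RuntimeError("pool exhausted")

    def release(self, user, conn):
        self._free.put(conn)
        with self._lock:
            self._active[user] -= 1


def simulate_logins(pool, sessions):
    """Open sessions in order and hold them open, as in the lesson; return
    a list of (user, outcome) so each login's fate can be inspected."""
    outcomes, held = [], []
    for user in sessions:
        try:
            held.append((user, pool.acquire(user)))
            outcomes.append((user, "ok"))
        except RuntimeError as err:
            outcomes.append((user, str(err)))
    for user, conn in held:
        pool.release(user, conn)
    return outcomes
```

Run with `checkout_timeout=None` and three sessions to see the unmitigated hang; with a timeout the third login is rejected in milliseconds while the first two keep their connections.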

Preventive Mechanisms

  1. Perform thorough input validation.

  2. Avoid highly CPU-intensive operations.

  3. It is better to separate data disks from system disks.