Learn, hack!

URL

https://media.blackhat.com/bh-dc-11/Sullivan/BlackHat_DC_2011_Sullivan_Get_Off_of_My_Cloud-Slides.pdf

File name

BlackHat_DC_2011_Sullivan_Get_Off_of_My_Cloud-Slides.pdf

File size

717.1 KB

MD5

5593d7f4e1cc6f5199aee3a63ae24ee5

SHA1

6c0e542c6ee021ab1f03c4cb494dfa4d9dfcc856

Why care about denial-of-service attacks when there are so many privilege elevation and information disclosure threats we should be worried about? For one reason, DoS costs you money: in *aaS environments, there's not only the indirect cost of disrupting your legitimate users' access to the service, but also the more immediate and measurable cost of the bandwidth, storage, and processing power that the attack consumes (and that the platform provider will happily bill you for). We should all care about DoS for another, darker, reason too: a foreign power may someday use a DoS attack as an act of cyberwarfare or cyberterrorism against US critical infrastructure systems. This talk will examine six DoS attack techniques used against cloud services. These attacks all target the application layer of the service, cannot be stopped with firewalls or IPS, do not require distributed attacks or botnets, and are highly efficient and asymmetric. In some cases, a single HTTP request of less than 50 bytes is sufficient to knock out a server until reboot. In addition to describing the attacks, we will also investigate the application design issues that lead to vulnerability, and demonstrate coding fixes and free testing tools that can be used to solve the problem.