Does it make sense to consider a server software crash as a DOS attack?
I've found a little vulnerability in a website running on a Node.js server.
It works by sending the server some crafted payload, which makes the server code throw an error, and due to lack of error handling, it crashes (until someone runs it again).
I'm not sure what the appropriate name for this kind of attack is.
I assume it's a DOS (Denial Of Service) attack because it makes the server Deny Serving its clients.
On the other hand, until now I've only heard of DOS attacks which work by flooding the server in some way (which isn't the case here).
So, is it correct to consider it a DOS attack?
If the answer is no, how should it be called?
denial-of-service
asked 4 hours ago
Matías
If an application is well-written then it won't have any crash-type DOS bugs and an attacker will have to resort to a full DDOS (which will always work if the attacker has a bigger firehose than the target). However if the target app has an easy-to-trigger crash, then I'm sure any attacker would rather send the single crafted packet and save themselves the $$ of running a DDOS network.
– Mike Ounsworth
4 hours ago
As long as it prevents users from using the service it is a DOS. I have worked on a website that was DOS attacked by Google and Bing simply because Drupal cannot handle the load (I wanted to say could not but I believe it still can't).
– slebetman
57 mins ago
2 Answers
Yes. Any attack which has as a goal to deny the normal usage of a service by legitimate users is by definition a DoS (Denial of Service).
answered 4 hours ago
DarkMatter
DDoS is characterised by floods, creating a DoS. But DoS can be caused by a broad range of triggers.
CVSS even has an example for you:
Due to a flaw in the handler function for RPC commands, it is possible
to manipulate data pointers within the Virtual Machine Executable
(VMX) process. This vulnerability may allow a user in a Guest Virtual
Machine to crash the VMX process resulting in a Denial of Service
(DoS) on the host or potentially execute code on the host.
[emphasis mine]
So, yes, a simple crash is a DoS.
answered 4 hours ago
schroeder♦
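
The failure mode described in the question, as an added example that is not part of the original thread: a request handler that throws on an unexpected payload shape, next to a validated version and a catch-all boundary. The handler names, sample payloads and size limit are assumptions, and handlers are modelled as plain functions from a raw body string to a response so the block runs without a network.

```javascript
// Added example; every name, payload and limit here is hypothetical.
const MAX_BODY_BYTES = 1024; // assumed limit for this sketch

// "Before": trusts the payload shape. A body such as {"user":null} throws a
// TypeError; with nothing above to catch it, Node treats that as an
// uncaught exception and the whole process exits.
function unsafeHandler(rawBody) {
  const data = JSON.parse(rawBody);
  return { status: 200, body: `hello ${data.user.name.trim()}` };
}

// "After": anything that is not the expected shape gets a 4xx response.
function safeHandler(rawBody) {
  if (Buffer.byteLength(rawBody) > MAX_BODY_BYTES) {
    return { status: 413, body: 'payload too large' };
  }
  let data;
  try {
    data = JSON.parse(rawBody);
  } catch (err) {
    return { status: 400, body: 'malformed JSON' };
  }
  const name = data?.user?.name;
  if (typeof name !== 'string') {
    return { status: 400, body: 'user.name must be a string' };
  }
  return { status: 200, body: `hello ${name.trim()}` };
}

// Last-resort boundary: a bug in any handler becomes a 500 for that one
// request (and a log entry to alert on) instead of an outage for everyone.
function withBoundary(handler, log = []) {
  return (rawBody) => {
    try {
      return handler(rawBody);
    } catch (err) {
      log.push(`${err.name}: ${err.message}`);
      return { status: 500, body: 'internal error' };
    }
  };
}

// Constructed sample bodies, not taken from the thread.
const SAMPLES = ['{"user":{"name":" ana "}}', '{"user":null}', '{"user":', '{"user":{"name":42}}'];
const statuses = (handler) => SAMPLES.map((body) => handler(body).status);

console.log(statuses(safeHandler));
console.log(statuses(withBoundary(unsafeHandler)));
```

In a real server the boundary wraps the per-request callback, and a process supervisor that restarts the service covers whatever still escapes it.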