Does it make sense to consider a server software crash, as a DOS attack?












4















I've found a little vulnerability in a website running on a Node.js server.



It works by sending the server some crafted payload, which makes the server code throw an error, and due to lack of error handling - It crashes (until someone runs it again).



I'm not sure what is the appropriate name for this kind of attack.
I assume it's a DOS (Denial Of Service) attack because it makes the server Deny Serving its clients.
On the other hand, Until now, I've only heard of DOS attacks which works by flooding the server in some way (which isn't the case here).



So, is it correct to consider it as a DOS attack?
If the answer is no, so how should it be called?










share|improve this question







New contributor




Matías is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.





















  • If an application is well-written then it won't have any crash-type DOS bugs and an attacker will have to resort to a full DDOS (which will always work if the attacker has a bigger firehose than the target). However if the target app has an easy-to-trigger crash, then I'm sure any attacker would rather send the single crafted packet and save themselves the $$ of running a DDOS network.

    – Mike Ounsworth
    4 hours ago













  • As long as it prevents users from using the service it is a DOS. I have worked on a website that was DOS attacked by Google and Bing simply because Drupal cannot handle the load (I wanted to say could not but I believe it still can't).

    – slebetman
    57 mins ago
















4















I've found a little vulnerability in a website running on a Node.js server.



It works by sending the server some crafted payload, which makes the server code throw an error, and due to lack of error handling - It crashes (until someone runs it again).



I'm not sure what is the appropriate name for this kind of attack.
I assume it's a DOS (Denial Of Service) attack because it makes the server Deny Serving its clients.
On the other hand, Until now, I've only heard of DOS attacks which works by flooding the server in some way (which isn't the case here).



So, is it correct to consider it as a DOS attack?
If the answer is no, so how should it be called?










share|improve this question







New contributor




Matías is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.





















  • If an application is well-written then it won't have any crash-type DOS bugs and an attacker will have to resort to a full DDOS (which will always work if the attacker has a bigger firehose than the target). However if the target app has an easy-to-trigger crash, then I'm sure any attacker would rather send the single crafted packet and save themselves the $$ of running a DDOS network.

    – Mike Ounsworth
    4 hours ago













  • As long as it prevents users from using the service it is a DOS. I have worked on a website that was DOS attacked by Google and Bing simply because Drupal cannot handle the load (I wanted to say could not but I believe it still can't).

    – slebetman
    57 mins ago














4












4








4








I've found a little vulnerability in a website running on a Node.js server.



It works by sending the server some crafted payload, which makes the server code throw an error, and due to lack of error handling - It crashes (until someone runs it again).



I'm not sure what is the appropriate name for this kind of attack.
I assume it's a DOS (Denial Of Service) attack because it makes the server Deny Serving its clients.
On the other hand, Until now, I've only heard of DOS attacks which works by flooding the server in some way (which isn't the case here).



So, is it correct to consider it as a DOS attack?
If the answer is no, so how should it be called?










share|improve this question







New contributor




Matías is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.












I've found a little vulnerability in a website running on a Node.js server.



It works by sending the server some crafted payload, which makes the server code throw an error, and due to lack of error handling - It crashes (until someone runs it again).



I'm not sure what is the appropriate name for this kind of attack.
I assume it's a DOS (Denial Of Service) attack because it makes the server Deny Serving its clients.
On the other hand, Until now, I've only heard of DOS attacks which works by flooding the server in some way (which isn't the case here).



So, is it correct to consider it as a DOS attack?
If the answer is no, so how should it be called?







denial-of-service






share|improve this question







New contributor




Matías is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











share|improve this question







New contributor




Matías is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









share|improve this question




share|improve this question






New contributor




Matías is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









asked 4 hours ago









MatíasMatías

211




211




New contributor




Matías is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.





New contributor





Matías is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.






Matías is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.













  • If an application is well-written then it won't have any crash-type DOS bugs and an attacker will have to resort to a full DDOS (which will always work if the attacker has a bigger firehose than the target). However if the target app has an easy-to-trigger crash, then I'm sure any attacker would rather send the single crafted packet and save themselves the $$ of running a DDOS network.

    – Mike Ounsworth
    4 hours ago













  • As long as it prevents users from using the service it is a DOS. I have worked on a website that was DOS attacked by Google and Bing simply because Drupal cannot handle the load (I wanted to say could not but I believe it still can't).

    – slebetman
    57 mins ago



















  • If an application is well-written then it won't have any crash-type DOS bugs and an attacker will have to resort to a full DDOS (which will always work if the attacker has a bigger firehose than the target). However if the target app has an easy-to-trigger crash, then I'm sure any attacker would rather send the single crafted packet and save themselves the $$ of running a DDOS network.

    – Mike Ounsworth
    4 hours ago













  • As long as it prevents users from using the service it is a DOS. I have worked on a website that was DOS attacked by Google and Bing simply because Drupal cannot handle the load (I wanted to say could not but I believe it still can't).

    – slebetman
    57 mins ago

















If an application is well-written then it won't have any crash-type DOS bugs and an attacker will have to resort to a full DDOS (which will always work if the attacker has a bigger firehose than the target). However if the target app has an easy-to-trigger crash, then I'm sure any attacker would rather send the single crafted packet and save themselves the $$ of running a DDOS network.

– Mike Ounsworth
4 hours ago







If an application is well-written then it won't have any crash-type DOS bugs and an attacker will have to resort to a full DDOS (which will always work if the attacker has a bigger firehose than the target). However if the target app has an easy-to-trigger crash, then I'm sure any attacker would rather send the single crafted packet and save themselves the $$ of running a DDOS network.

– Mike Ounsworth
4 hours ago















As long as it prevents users from using the service it is a DOS. I have worked on a website that was DOS attacked by Google and Bing simply because Drupal cannot handle the load (I wanted to say could not but I believe it still can't).

– slebetman
57 mins ago





As long as it prevents users from using the service it is a DOS. I have worked on a website that was DOS attacked by Google and Bing simply because Drupal cannot handle the load (I wanted to say could not but I believe it still can't).

– slebetman
57 mins ago










2 Answers
2






active

oldest

votes


















6














Yes. Any attack which has as a goal to deny the normal usage of a service by legitimate users is by definition a DoS (Denial of Service).






share|improve this answer































    2














    DDoS is characterised by floods, creating a DoS. But DoS can be caused by a broad range of triggers.



    CVSS even has an example for you:




    Due to a flaw in the handler function for RPC commands, it is possible
    to manipulate data pointers within the Virtual Machine Executable
    (VMX) process. This vulnerability may allow a user in a Guest Virtual
    Machine to crash the VMX process resulting in a Denial of Service
    (DoS) on the host or potentially execute code on the host.
    [empasis mine]




    So, yes, a simple crash is a DoS.






    share|improve this answer























      Your Answer








      StackExchange.ready(function() {
      var channelOptions = {
      tags: "".split(" "),
      id: "162"
      };
      initTagRenderer("".split(" "), "".split(" "), channelOptions);

      StackExchange.using("externalEditor", function() {
      // Have to fire editor after snippets, if snippets enabled
      if (StackExchange.settings.snippets.snippetsEnabled) {
      StackExchange.using("snippets", function() {
      createEditor();
      });
      }
      else {
      createEditor();
      }
      });

      function createEditor() {
      StackExchange.prepareEditor({
      heartbeatType: 'answer',
      autoActivateHeartbeat: false,
      convertImagesToLinks: false,
      noModals: true,
      showLowRepImageUploadWarning: true,
      reputationToPostImages: null,
      bindNavPrevention: true,
      postfix: "",
      imageUploader: {
      brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
      contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
      allowUrls: true
      },
      noCode: true, onDemand: true,
      discardSelector: ".discard-answer"
      ,immediatelyShowMarkdownHelp:true
      });


      }
      });






      Matías is a new contributor. Be nice, and check out our Code of Conduct.










      draft saved

      draft discarded


















      StackExchange.ready(
      function () {
      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f202481%2fdoes-it-make-sense-to-consider-a-server-software-crash-as-a-dos-attack%23new-answer', 'question_page');
      }
      );

      Post as a guest















      Required, but never shown

























      2 Answers
      2






      active

      oldest

      votes








      2 Answers
      2






      active

      oldest

      votes









      active

      oldest

      votes






      active

      oldest

      votes









      6














      Yes. Any attack which has as a goal to deny the normal usage of a service by legitimate users is by definition a DoS (Denial of Service).






      share|improve this answer




























        6














        Yes. Any attack which has as a goal to deny the normal usage of a service by legitimate users is by definition a DoS (Denial of Service).






        share|improve this answer


























          6












          6








          6







          Yes. Any attack which has as a goal to deny the normal usage of a service by legitimate users is by definition a DoS (Denial of Service).






          share|improve this answer













          Yes. Any attack which has as a goal to deny the normal usage of a service by legitimate users is by definition a DoS (Denial of Service).







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered 4 hours ago









          DarkMatterDarkMatter

          90711




          90711

























              2














              DDoS is characterised by floods, creating a DoS. But DoS can be caused by a broad range of triggers.



              CVSS even has an example for you:




              Due to a flaw in the handler function for RPC commands, it is possible
              to manipulate data pointers within the Virtual Machine Executable
              (VMX) process. This vulnerability may allow a user in a Guest Virtual
              Machine to crash the VMX process resulting in a Denial of Service
              (DoS) on the host or potentially execute code on the host.
              [empasis mine]




              So, yes, a simple crash is a DoS.






              share|improve this answer




























                2














                DDoS is characterised by floods, creating a DoS. But DoS can be caused by a broad range of triggers.



                CVSS even has an example for you:




                Due to a flaw in the handler function for RPC commands, it is possible
                to manipulate data pointers within the Virtual Machine Executable
                (VMX) process. This vulnerability may allow a user in a Guest Virtual
                Machine to crash the VMX process resulting in a Denial of Service
                (DoS) on the host or potentially execute code on the host.
                [empasis mine]




                So, yes, a simple crash is a DoS.






                share|improve this answer


























                  2












                  2








                  2







                  DDoS is characterised by floods, creating a DoS. But DoS can be caused by a broad range of triggers.



                  CVSS even has an example for you:




                  Due to a flaw in the handler function for RPC commands, it is possible
                  to manipulate data pointers within the Virtual Machine Executable
                  (VMX) process. This vulnerability may allow a user in a Guest Virtual
                  Machine to crash the VMX process resulting in a Denial of Service
                  (DoS) on the host or potentially execute code on the host.
                  [empasis mine]




                  So, yes, a simple crash is a DoS.






                  share|improve this answer













                  DDoS is characterised by floods, creating a DoS. But DoS can be caused by a broad range of triggers.



                  CVSS even has an example for you:




                  Due to a flaw in the handler function for RPC commands, it is possible
                  to manipulate data pointers within the Virtual Machine Executable
                  (VMX) process. This vulnerability may allow a user in a Guest Virtual
                  Machine to crash the VMX process resulting in a Denial of Service
                  (DoS) on the host or potentially execute code on the host.
                  [empasis mine]




                  So, yes, a simple crash is a DoS.







                  share|improve this answer












                  share|improve this answer



                  share|improve this answer










                  answered 4 hours ago









                  schroederschroeder

                  74.5k29163198




                  74.5k29163198






















                      Matías is a new contributor. Be nice, and check out our Code of Conduct.










                      draft saved

                      draft discarded


















                      Matías is a new contributor. Be nice, and check out our Code of Conduct.













                      Matías is a new contributor. Be nice, and check out our Code of Conduct.












                      Matías is a new contributor. Be nice, and check out our Code of Conduct.
















                      Thanks for contributing an answer to Information Security Stack Exchange!


                      • Please be sure to answer the question. Provide details and share your research!

                      But avoid



                      • Asking for help, clarification, or responding to other answers.

                      • Making statements based on opinion; back them up with references or personal experience.


                      To learn more, see our tips on writing great answers.




                      draft saved


                      draft discarded














                      StackExchange.ready(
                      function () {
                      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f202481%2fdoes-it-make-sense-to-consider-a-server-software-crash-as-a-dos-attack%23new-answer', 'question_page');
                      }
                      );

                      Post as a guest















                      Required, but never shown





















































                      Required, but never shown














                      Required, but never shown












                      Required, but never shown







                      Required, but never shown

































                      Required, but never shown














                      Required, but never shown












                      Required, but never shown







                      Required, but never shown







                      Popular posts from this blog

                      How to make a Squid Proxy server?

                      Is this a new Fibonacci Identity?

                      19世紀