Asymmetric Denial of Service
Need
Prevent single requests from overwhelming the application by using excessive resources, thus causing denial of service.
Context
• Usage of Elixir 1.13.0 for building scalable and fault-tolerant applications
• Usage of Plug and Cowboy for request management
• Usage of a library for handling extensive data processing or resource-intensive tasks
Description
1. Non compliant code
defmodule VulnerableController do
use Plug.Router
plug :match
plug :dispatch
post "/intensive_task" do
intensive_data_processing(conn.params["data"])...The endpoint '/intensive_task' performs intensive data processing which can consume significant system resources. An attacker can exploit this by making repeated or specially crafted requests, causing the system to become overwhelmed and potentially resulting in denial of service.
2. Steps
• Implement rate limiting using the plug_attack package to limit the number of requests a single client can make in a given period of time.
• Implement a timeout for intensive data processing task to prevent operations from consuming resources indefinitely.
• Handle potential errors or exceptions during the data processing to prevent crashes.
3. Secure code example
defmodule SecureController do
use Plug.Router
use PlugAttack
plug :match
plug :dispatch
plug PlugAttack.Blocker, otp_app: :my_app
plug PlugAttack.RateLimiter,...This solution implements rate limiting using the plug_attack package and adds a timeout to the resource-intensive task. These changes help ensure that no single request or user can consume too many resources, thus mitigating the denial of service risk. If the task doesn't finish within the specified time, a 'Server is busy. Please try again later.' message is sent to the client.
References
• 002. Asymmetric Denial of Service