Need

The need is to implement measures that prevent or mitigate asymmetric denial of service attacks, ensuring the server remains responsive and available to legitimate users.

Context

• Usage of Java 8 for developing applications with enhanced features and performance

• Usage of javax.servlet-api for developing Java web applications with servlets

Description

1. Non-compliant code

```java
import javax.servlet.*;
import javax.servlet.http.*;
import java.io.IOException;

public class VulnerableServlet extends HttpServlet {
    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        String param = request.getParameter("param"); // untrusted input, never validated or bounded
        if (param != null) {
            // Loop body reconstructed from the description below: one request drives Integer.MAX_VALUE writes
            for (int i = 0; i < Integer.MAX_VALUE; i++) {
                response.getWriter().println(param);
            }
        }
    }
}
```

The servlet `VulnerableServlet` above is vulnerable to an asymmetric denial of service attack. It is a simple HTTP servlet that handles GET requests: when a request arrives, it checks whether the request carries a parameter named "param" and, if it does, enters an effectively unbounded loop that writes a large number of responses back to the client. The vulnerability lies in that loop. Because it iterates `Integer.MAX_VALUE` times, a single request makes the server generate an enormous number of responses. This is an amplification attack, where one cheap request consumes a large amount of server resources. Additionally, a request with a very large "param" value can cause the server to consume all of its available memory and become unresponsive, which is a denial of service. The code is vulnerable because it neither limits the number of responses it can generate from a single request nor validates or limits the size of the "param" value, so an attacker can send a single request that consumes all of the server's resources.

2. Steps

• Implement rate limiting to prevent amplification attacks

• Validate and sanitize user input to prevent malicious requests

• Implement resource limits to prevent excessive resource consumption

3. Secure code example

```java
import javax.servlet.*;
import javax.servlet.http.*;
import java.io.IOException;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicInteger;
import org.apache.commons.lang3.StringUtils;

...
```

The above code is a secure version of the original servlet. It implements rate limiting, input validation, and resource limits to prevent asymmetric denial of service attacks.

1. **Rate Limiting**: The `requestCount` variable counts the number of requests received per second. If the count exceeds `MAX_REQUESTS_PER_SECOND`, the server responds with a 429 (Too Many Requests) error. The count is reset every second by a background thread started in the `init` method.

2. **Input Validation**: The `param` request parameter is validated using the `StringUtils.isNumeric` method from Apache Commons Lang. If the parameter is not a valid number, the server responds with a 400 (Bad Request) error.

3. **Resource Limits**: The `param` request parameter is also used to limit the number of responses generated by the server. If the parameter value exceeds 1000, the server responds with a 400 (Bad Request) error. This prevents a single request from consuming an excessive amount of server resources.

By implementing these measures, the server can effectively mitigate the risk of asymmetric denial of service attacks.
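A complete servlet that applies the three measures just described, written here as an added example rather than the page's own secure code; the per-second threshold of 100, the use of a `ScheduledExecutorService` for the counter reset, and the names `resetter`, `MAX_ITERATIONS` and `SecureServlet` are assumptions.

```java
import javax.servlet.*;
import javax.servlet.http.*;
import java.io.IOException;
import java.io.PrintWriter;
import java.util.concurrent.*;
import java.util.concurrent.atomic.AtomicInteger;
import org.apache.commons.lang3.StringUtils;

// Added example, not the page's code: fixed-window rate limit, numeric validation and a
// hard bound on work per request. Thresholds and names (requestCount, resetter, MAX_*) are assumed.
public class SecureServlet extends HttpServlet {
    private static final int MAX_REQUESTS_PER_SECOND = 100; // assumed threshold
    private static final int MAX_ITERATIONS = 1000;          // the limit the page describes
    private final AtomicInteger requestCount = new AtomicInteger();
    private ScheduledExecutorService resetter;
    @Override
    public void init() throws ServletException {
        // Zero the per-second counter from a background thread, as the page describes.
        resetter = Executors.newSingleThreadScheduledExecutor();
        resetter.scheduleAtFixedRate(() -> requestCount.set(0), 1, 1, TimeUnit.SECONDS);
    }

    @Override
    public void destroy() {
        resetter.shutdownNow(); // do not leak the thread when the servlet is undeployed
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        // 1. Rate limiting: increment-then-compare is atomic, so concurrent requests cannot all pass a stale check.
        if (requestCount.incrementAndGet() > MAX_REQUESTS_PER_SECOND) {
            response.sendError(429, "Too Many Requests"); // HttpServletResponse has no SC_ constant for 429
            return;
        }
        // 2. Input validation: digits only; parseInt additionally rejects values wider than int.
        String param = request.getParameter("param");
        int n = -1;
        try {
            if (param != null && StringUtils.isNumeric(param)) n = Integer.parseInt(param);
        } catch (NumberFormatException e) { /* e.g. "99999999999": n stays -1 */ }
        // 3. Resource limit: the loop can never run more than MAX_ITERATIONS times.
        if (n < 0 || n > MAX_ITERATIONS) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "param must be 0..1000");
            return;
        }
        PrintWriter out = response.getWriter();
        for (int i = 0; i < n; i++) out.println("response " + i);
    }
}
```

Note that the counter is global, so one noisy client can push everyone into 429s; keying the counter by client identity is the usual next refinement but is outside what this page describes.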