Application Level Denial of Service – A Comprehensive Guide

Denial of Service attacks that bring down popular websites often involve thousands of hacked consumer devices and servers. While these attacks mainly aim to overwhelm the target system with traffic, in order to deny service to legitimate users, bugs at the Application Layer (Layer 7 in the OSI model) can have the same effect.

Application Level Denial of Service (L7 DoS) errors are often tough to identify and sometimes even tougher to prevent. This guide aims to highlight the different techniques that will help you find out what to look for and where DoS conditions may occur.

Table of Content

1. Random Access Memory (RAM)

1. Recursion

• Recursive File Inclusion

• Zip Bombs

• Billion Laughs Attack

1. Tricking an Application Into Allocating a Huge Amount of Memory

• Deserialization Vulnerabilities

• Manipulating File Headers to Allocate Large Memory Chunks

1. Other

• Reading Infinite Data Streams

1. Central Processing Unit (CPU)

1. Recursion

• reDoS

• SQL Injection Wildcard Attack

• Fork Bombs

1. Abusing Resource-Intensive Operations

• Abusing Password Hashing Functions

• Headless Browser SSRF

1. Disk Space

• Uploading Large Files

• Generating a Huge Amount of Databases or Log Files

• Arbitrary File Deletion

1. Exhaust Allocated Resources for a Single User

• Email Bomb

• Free Website Restrictions

• Cash Overflow

1. Logic-Based Denial of Service

• X-Forwarded-For

• Web Application Firewalls

• Wasting the Available Password Attempts

• Cookie Bombs

1. Basic Tips and Tricks to Identify & Prevent Application DoS Attacks

Source: https://www.netsparker.com/blog/web-security/application-level-denial-service-guide/?utm_source=hs_email