1. DoS (Denial of Service)
Example:
Imagine a website that can handle 100 simultaneous connections. An attacker writes a script that creates 1,000 connections to the website in rapid succession.
```python
import requests

# Sends 1,000 requests one after another to the target site
for _ in range(1000):
    requests.get('http://example-website.com')
```
This basic script will send many requests to “example-website.com”, potentially overwhelming it if it’s not adequately protected.
2. DDoS (Distributed Denial of Service)
Example:
For a DDoS attack, the idea is that multiple sources send a flood of traffic. This can be visualized by imagining hundreds or thousands of devices running the above script simultaneously against a single target. This distributed nature makes it challenging to mitigate since blocking one source doesn’t stop the attack.
Visualization:
Imagine 1,000 devices, each running the aforementioned script, targeting the same website. These devices can be part of a botnet, where each device is running a version of the script, all coordinated to hit at the same time.
3. ReDoS (Regular Expression Denial of Service)
Example:
A website uses a regex pattern to validate user input, such as usernames. A poorly constructed regex can be exploited.
Vulnerable Regex Pattern:
```regex
^([a-z]+)+$
```
Malicious Input:
```text
"aaaaaaaaaaaX"
```
For the regex engine, processing this input with the given pattern causes excessive backtracking, consuming significant computational resources for just this one check. Because of the nested quantifier, the engine tries every way of splitting the run of letters between the inner and outer repetitions before it can conclude that the trailing "X" makes a match impossible. An attacker can exploit this inefficiency to cause the server to use up its computational resources, leading to a denial of service.
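As an added example (not code from the original post), here is the vulnerable pattern beside an equivalent pattern without the nested quantifier, a length-capped validator built on the safe one, and a timing helper that shows how match time grows as letters are added before the failing "X". The names `MAX_USERNAME_LEN`, `validate_username`, `patterns_agree` and `backtracking_growth` and the 32-character limit are my own assumptions.

```python
import re
import time

# The page's vulnerable pattern: the nested quantifier lets the engine split a
# run of letters between inner and outer repetitions in exponentially many ways.
VULNERABLE = re.compile(r'^([a-z]+)+$')
# Equivalent hardened pattern: accepts exactly the same strings, but a single
# character class with one quantifier is checked in one linear pass.
HARDENED = re.compile(r'^[a-z]+$')
# Assumed policy limit (not from the page): bounding input length caps the work
# any pattern can do, even if a bad one slips into production later.
MAX_USERNAME_LEN = 32


def validate_username(username: str) -> bool:
    """Hardened check: reject empty or over-long input first, then match linearly."""
    if not 1 <= len(username) <= MAX_USERNAME_LEN:
        return False
    return HARDENED.fullmatch(username) is not None


def patterns_agree(inputs) -> bool:
    """True if both patterns accept or reject every input identically."""
    return all((VULNERABLE.fullmatch(s) is None) == (HARDENED.fullmatch(s) is None)
               for s in inputs)


def time_match(pattern, text: str, runs: int = 3) -> float:
    """Best-of-N seconds spent deciding whether text matches pattern."""
    best = float('inf')
    for _ in range(runs):
        start = time.perf_counter()
        pattern.fullmatch(text)
        best = min(best, time.perf_counter() - start)
    return best


def backtracking_growth(pattern, base_len: int, extra: int) -> float:
    """Slowdown from adding `extra` letters before the failing 'X'.
    Roughly doubles per extra letter for VULNERABLE; stays near 1 for HARDENED."""
    t_short = time_match(pattern, 'a' * base_len + 'X')
    t_long = time_match(pattern, 'a' * (base_len + extra) + 'X')
    return t_long / max(t_short, 1e-9)


if __name__ == '__main__':
    # Constructed inputs: the page's malicious string plus a few benign ones.
    print(patterns_agree(['aaaaaaaaaaaX', 'alice', 'Bob', '', 'abc\n', 'x' * 40]))
    for name, pat in (('vulnerable', VULNERABLE), ('hardened', HARDENED)):
        print(f'{name}: {backtracking_growth(pat, 12, 8):.1f}x slower with 8 more letters')
```

Keep the measured input short: each extra letter roughly doubles the vulnerable pattern's work, so a few dozen letters is enough to stall a worker.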