[VIM] standards for inclusion of DoS attacks

Matthew Murphy mattmurphy at kc.rr.com
Sat Jan 7 16:53:26 EST 2006



Brian,

On servers, gateways, etc. (multi-user infrastructure of any kind,
really), the "Apache standard" is a good starting point.

From the Apache Software Foundation's "Security Reports" page
(http://httpd.apache.org/security_report.html):

"Note that all networked servers are subject to denial of service
attacks, and we cannot promise magic workarounds to generic problems
(such as a client streaming lots of data to your server, or
re-requesting the same URL repeatedly). In general our philosophy is to
avoid any attacks which can cause the server to consume resources in a
non-linear relationship to the size of inputs."

In general, I would treat memory leaks, crashes, or non-linear resource
uses as listable issues.  This seems to be a relative standard.

The more interesting issues are client-side.  Most people don't treat
the ability to cause a memory leak or a crash in a client-side app as a
serious security issue.  That's because there's no repeat factor in a
client app.  The client has to return to whatever resource crashed it
previously.

Exceptions to this include so-called persistent attacks, where a single
viewing of a malicious resource renders the client application unusable
for a lengthy time period.

Also up in the air is an attack against a semi-passive client.  Let's
use Instant Messaging as an example.  It's unclear if it would be
considered a vulnerability for me to be able to crash client-side
applications by actually sending their users data.  In that case, the
active party is the attacker, not the victim.

So, in summary:
* Crash, reproducible memory leak, or non-linear resource consumption is
a prerequisite of a DoS being a security issue.  On servers, this
appears to be the standard for what is a security issue.

* Persistent, continual effects of the attack probably indicate a
security issue.

* If there's a means for the attacker to initiate the attack, it might
be a security issue.  Instant Messengers, for instance, would be an
example.  More up in the air are things like e-mail.  In those cases,
the client would still have to download a message, so the attack isn't
fully automatic from a delivery point-of-view.

The standard disclaimer applies (this is really my opinion and based on
my limited personal experience, use it at your own risk, etc.), but I
hope that it helps.

--
"Social Darwinism: Try to make something idiot-proof,
nature will provide you with a better idiot."

                                -- Michael Holstein

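As an added illustration (not part of Matthew's post), the Apache criterion quoted above can be checked empirically: time a handler at two input sizes and estimate the exponent of the power law relating cost to input size. The header-parsing handlers and the input generator are constructed for this example; the 1.5 threshold is an assumption.

```python
import math
import time


def scaling_exponent(handler, make_input, small, large, repeats=5):
    """Estimate k in time(n) ~ n**k from best-of-`repeats` run times at two sizes."""
    def best_time(n):
        payload = make_input(n)
        best = math.inf
        for _ in range(repeats):
            t0 = time.perf_counter()
            handler(payload)
            best = min(best, time.perf_counter() - t0)
        return best
    return math.log(best_time(large) / best_time(small)) / math.log(large / small)


def is_nonlinear(handler, make_input, small=500, large=4000, threshold=1.5):
    """True when cost grows faster than input size: a DoS candidate under the criterion."""
    return scaling_exponent(handler, make_input, small, large) > threshold


# Constructed input generator (assumption): n distinct "name: value" header lines.
def make_headers(n):
    return b"".join(b"h%d: v\r\n" % i for i in range(n))


# Constructed handlers (assumptions): the same duplicate-header check done two ways.
def check_duplicates_linear(payload):
    """Set membership: one hash lookup per line, cost proportional to input size."""
    seen, dupes = set(), 0
    for line in payload.split(b"\r\n"):
        name = line.split(b":", 1)[0]
        if name in seen:
            dupes += 1
        seen.add(name)
    return dupes


def check_duplicates_quadratic(payload):
    """List membership: every line rescans all earlier names, so cost is O(n**2)."""
    seen, dupes = [], 0
    for line in payload.split(b"\r\n"):
        name = line.split(b":", 1)[0]
        if name in seen:
            dupes += 1
        seen.append(name)
    return dupes
```

Both handlers return the same answer; only the quadratic one trips the check, which is the property the Apache text asks reviewers to look for.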