[VIM] standards for inclusion of DoS attacks

Matthew Murphy mattmurphy at kc.rr.com
Sat Jan 7 16:53:26 EST 2006

On servers, gateways, etc. (multi-user infrastructure of any kind,
really), the "Apache standard" is a good starting point.

From the Apache Software Foundation's "Security Reports" page:

"Note that all networked servers are subject to denial of service
attacks, and we cannot promise magic workarounds to generic problems
(such as a client streaming lots of data to your server, or
re-requesting the same URL repeatedly). In general our philosophy is to
avoid any attacks which can cause the server to consume resources in a
non-linear relationship to the size of inputs."

In general, I would treat memory leaks, crashes, or non-linear resource
uses as listable issues.  This seems to be a relative standard.

The more interesting issues are client-side.  Most people don't treat
the ability to cause a memory leak or a crash in a client-side app as a
serious security issue.  That's because there's no repeat factor in a
client app.  The client has to return to whatever resource crashed it.

Exceptions to this include so-called persistent attacks, where a single
viewing of a malicious resource renders the client application unusable
for a lengthy time period.

Also up in the air is an attack against a semi-passive client.  Let's
use Instant Messaging as an example.  It's unclear if it would be
considered a vulnerability for me to be able to crash client-side
applications by actually sending their users data.  In that case, the
active party is the attacker, not the victim.

So, in summary:
* Crash, reproducible memory leak, or non-linear resource consumption is
a prerequisite of a DoS being a security issue.  On servers, this
appears to be the standard for what is a security issue.

* Persistent, continual effects of the attack probably indicate a
security issue.

* If there's a means for the attacker to initiate the attack, it might
be a security issue.  Instant Messengers, for instance, would be an
example.  More up in the air are things like e-mail.  In those cases,
the client would still have to download a message, so the attack isn't
fully automatic from a delivery point-of-view.

The standard disclaimer applies (this is really my opinion and based on
my limited personal experience, use it at your own risk, etc.), but I
hope that it helps.

--
"Social Darwinism: Try to make something idiot-proof,
nature will provide you with a better idiot."

                                -- Michael Holstein
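The "Apache standard" quoted in the post (resource use should stay roughly linear in the size of the input) can be turned into a repeatable measurement before a report is triaged. The following is an added example written for this thread; it is not code from the original post, from the Apache project, or from any real server. The two handlers (`linear_handler`, `quadratic_handler`), the payload generator and the 1.5 threshold are constructed for illustration. It measures peak memory and wall time for a handler at several input sizes and fits the growth exponent on log-log axes, so a maintainer can say "this is linear" or "this is non-linear" with a number rather than an impression.

```python
"""Check how a request handler's resource use scales with input size.

Added example for this thread, not code from the original post or from Apache.
The two handlers below are constructed toys; neither is real server code.
"""
import math
import time
import tracemalloc
from typing import Callable, Sequence, Tuple


def linear_handler(body: bytes) -> int:
    """Toy handler with linear cost: count distinct lines (one pass, one set)."""
    return len(set(body.split(b"\n")))


def quadratic_handler(body: bytes) -> int:
    """Toy handler with quadratic cost: materialises every pair of lines.
    This is the 'works fine on small inputs' logic the Apache note warns about."""
    lines = body.split(b"\n")
    pairs = [(a, b) for a in lines for b in lines]   # n^2 memory and time
    return len(pairs)


def make_payload(n_lines: int) -> bytes:
    """Constructed input: n_lines distinct lines of equal length."""
    return b"\n".join(b"line-%08d" % i for i in range(n_lines))


def measure(handler: Callable[[bytes], object], body: bytes) -> Tuple[float, int]:
    """Run the handler once; return (wall seconds, peak bytes allocated during the call)."""
    tracemalloc.start()
    t0 = time.perf_counter()
    handler(body)
    elapsed = time.perf_counter() - t0
    _, peak = tracemalloc.get_traced_memory()
    tracemalloc.stop()
    return elapsed, peak


def growth_exponent(handler: Callable[[bytes], object],
                    sizes: Sequence[int],
                    resource: str = "memory") -> float:
    """Fit cost ~ size**k by least squares on log-log axes and return k.

    k near 1 is linear, k near 2 is quadratic; anything clearly above 1 is the
    'non-linear relationship to the size of inputs' the thread discusses.
    resource is "memory" (peak bytes, deterministic) or "time" (seconds, noisy).
    """
    xs, ys = [], []
    for n in sizes:
        secs, peak = measure(handler, make_payload(n))
        cost = peak if resource == "memory" else secs
        xs.append(math.log(n))
        ys.append(math.log(max(cost, 1e-9)))
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    num = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    den = sum((x - mx) ** 2 for x in xs)
    return num / den


def classify(handler: Callable[[bytes], object],
             sizes: Sequence[int] = (200, 400, 800),
             threshold: float = 1.5) -> str:
    """Label a handler 'linear' or 'super-linear' by its memory growth exponent.
    The threshold is an assumption chosen to sit between k=1 and k=2."""
    k = growth_exponent(handler, sizes, "memory")
    return "super-linear" if k >= threshold else "linear"


if __name__ == "__main__":
    for h in (linear_handler, quadratic_handler):
        k_mem = growth_exponent(h, (200, 400, 800), "memory")
        k_time = growth_exponent(h, (200, 400, 800), "time")
        print(f"{h.__name__}: {classify(h)} (memory k={k_mem:.2f}, time k={k_time:.2f})")
```

Memory is the resource asserted on because peak allocation is deterministic; wall-clock exponents drift on a loaded machine, so treat the time figure as corroboration rather than the verdict. A handler that comes out super-linear on attacker-controlled input meets the first criterion in the post's summary regardless of whether anyone has yet shown a crash.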