Denial of Service the Series: Part 2 – Survey Responses (1/2)
So here we go... I know some people have been waiting to see these numbers so it's about time I share them. In the end 279 people responded to the survey, and I'm fairly happy about the responses... only one of those 279 used the comments inappropriately, but I've still counted the drop-down boxes from that survey. There were 204 anonymous responses and 75 with names, email addresses or websites attached to them. People that follow me on Twitter may have noted last night that I was really enjoying the comments. Based on the comments to the first question I had done a quick estimate, expecting ~600 comments... however the numbers dwindled on the following comments and picked up again for the last question. In the end I received 250 comments in addition to the survey responses. I haven't yet decided if I'll make the survey data available, but if I do, I'll definitely remove all personal information.
The survey posed 9 questions and allowed for plenty of space to provide comments, so I was really excited to see the answers that I would get. Some people felt my questions biased the responses (I believe it's impossible to do anything without introducing personal bias on some level) and others questioned what I was trying to get at. I think I'll start by summing that up as simply as I can. If someone causes me to lose access to something, I believe they've denied me service and it is therefore a denial of service. I've seen all sorts of responses that it depends on if the denial was malicious or accidental, that it only applies to servers and so forth. I think it's much simpler than that... if I visit a website and it crashes my browser... Denial of Service. If I run a web server and someone crashes it... Denial of Service. So I wanted to know who shared my opinion and how people felt about Denial of Service.
For this post I'm going to provide graphs of the responses, mapping response to profession and some minor feedback.
Question 1 - Is Denial of Service a Vulnerability
I found it very interesting that the answer was almost universally 'Yes' followed by 'Sometimes', the exception being Developers, who never acknowledged the 'Sometimes' situation. As you can see, I left in those people that chose not to respond, as well as the people who selected 'See Note Below'; this is the case for all of these graphs, and I should make it clear that many people who didn't select 'See Note Below' also left comments. I'm going to leave the comments anonymous as I post them, but if you had a comment that I share and you want your name attached to it, feel free to let me know.
If it is caused by a hardware/software flaw, then yes. If it is simply a flooding of resources, then no. - IT Professional/Sometimes
Denial of Service is an attack which exploits different types of vulnerabilities in systems. - Security Researcher/No
Can't be. DoS is an external threat, executed by an external threat agent (one hopes). DoS can exploit a vulnerability, but is not itself the vulnerability. - IS Professional/No
A denial of service is a vulnerability if it affects other users of the service/system. E.g. If I can crash httpd (affecting many users) then it is a security issue. If I can crash Word, affecting only myself, then it is a stability issue. - Security Researcher/See Note Below
DoS is a vulnerability when you can DoS a system because of a bug in the system (buffer overflow, lack of input validation, etc.). It is not a vulnerability when you can DoS a system because it lacks some resources to handle the load. - Other/See Note Below
If I can send something to a webserver and make it crash it's a vulnerability. If I hose the webserver with 'normal' requests and thereby making it unavailable to regular visitors, that's not a vulnerability of the webserver. - Security Researcher/Sometimes
i.e. If there is a system call that dereferences a NULL pointer and crashes the system that is definitely a vulnerability. However if all their bandwidth is taken up with ICMP echo packets that is more of a problem with the infrastructure itself. - Security Researcher/Sometimes
I believe DoS to be a vulnerability if you take into consideration the CIA triad. It goes against the availability issue of security and this can create a vulnerability. - Security Researcher/Yes
Everything that affects the availability of a system can be considered as a vulnerability according to the CIA triad. - IS Professional/Yes
Technically, DoS is the result of an attack against one or more vulnerabilities. The impact of a DoS affects availability, which is one part of the CIA triad. The CIA triad is the core of the most widely accepted model of information security. - Security Researcher/See Note Below
If a DoS can be triggered remotely, pre-auth and with a single packet or otherwise low ratio of attack traffic then yes. - Security Researcher/See Note Below
This question had so many responses that it was hard to simply choose a few... which may end up making this post extremely long. Anyway, as you can see opinions are completely varied... from every DoS is a vuln to only if it affects a network service, depending on who you ask. I included three quotes that mentioned CIA; CIA comes up time and time again in the responses (as I would have expected), so I was really intrigued at later questions when I mentioned CIA and people asked in their comments what I was referring to.
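Several of the respondents above draw the same line: a crash caused by a bug in the service (a NULL dereference, a parser that chokes on one packet) is a vulnerability, while unavailability caused by plain resource exhaustion is a capacity problem. The toy request handler below is an added illustration of that split; it is not code from the original post, and the request samples, function names and the per-client budget are made up for the example. The naive parser lets one malformed header line kill the whole single-threaded service, the hardened parser rejects it with a 400 and keeps serving, and a separate per-client cap stands in for the kind of infrastructure-side control that flooding needs, which no amount of input validation provides.

```python
# Added example (not from the original post): a bug-driven DoS versus
# resource exhaustion, and the different controls each one needs.

# Constructed sample traffic: one well-formed request and one with a header
# line that has no ':' separator.
GOOD = b"GET / HTTP/1.0\r\nHost: example\r\nUser-Agent: test\r\n\r\n"
MALFORMED = b"GET / HTTP/1.0\r\nHost example\r\n\r\n"


class BadRequest(Exception):
    """Raised by the hardened parser for input it refuses to process."""


def parse_headers_naive(raw):
    """Buggy parser: assumes every header line contains ':'.
    One malformed line raises ValueError, which the naive server never
    catches, so a single request takes the whole service down."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, value = line.split(b":", 1)  # ValueError when ':' is missing
        headers[name.strip().lower()] = value.strip()
    return headers


def parse_headers_safe(raw, max_headers=50, max_line=4096):
    """Hardened parser: malformed or oversized input gets a BadRequest
    instead of an unexpected exception escaping the handler."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    if len(lines) - 1 > max_headers:
        raise BadRequest("too many header lines")
    headers = {}
    for line in lines[1:]:
        if len(line) > max_line or b":" not in line:
            raise BadRequest("malformed header line")
        name, value = line.split(b":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def serve_naive(traffic):
    """Single-threaded loop over (client, raw_request) pairs.
    Returns ('crashed', n) if the process died after n requests, else ('ok', n)."""
    served = 0
    for _client, raw in traffic:
        try:
            parse_headers_naive(raw)
        except ValueError:
            return ("crashed", served)  # stands in for the process dying
        served += 1
    return ("ok", served)


def serve_hardened(traffic, per_client_budget=100):
    """Same loop with the fixed parser plus a per-client request cap.
    Malformed input is answered with a 400 and the service keeps running;
    a client over budget is answered with a 429 without doing the work."""
    counts = {"ok": 0, "rejected": 0, "throttled": 0}
    seen = {}
    for client, raw in traffic:
        seen[client] = seen.get(client, 0) + 1
        if seen[client] > per_client_budget:
            counts["throttled"] += 1
            continue
        try:
            parse_headers_safe(raw)
        except BadRequest:
            counts["rejected"] += 1
            continue
        counts["ok"] += 1
    return counts


# Constructed traffic: two normal clients, one malformed request, then one
# client sending far more than its budget.
TRAFFIC = [("a", GOOD), ("b", MALFORMED), ("a", GOOD)] + [("c", GOOD)] * 150

if __name__ == "__main__":
    print(serve_naive(TRAFFIC))     # ('crashed', 1): one bad request, service gone
    print(serve_hardened(TRAFFIC))  # {'ok': 102, 'rejected': 1, 'throttled': 50}
```

The point the two servers make is that the parser fix and the per-client cap are independent: patching the crash does nothing against a flood of well-formed requests, and the cap does nothing against a single malformed packet, which is why the respondents treat the two cases differently.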
Question 2 - Is Denial of Service a Security Issue
The answer was pretty much what I expected with this one: the majority (71% Yes + 18% Sometimes + several notes) said that DoS is at least sometimes a security issue. Only 2.5% of responses said that Denial of Service wasn't a security issue.
No.. because it doesn't involve stealing any data.. It is more of Service Issue (where in the various services, mail, www, are clogged with invariable requests) - IT Professional/See Note Below
For this question, I'm singling out that single response. Beyond this there were plenty of comments regarding CIA and a number of "of course it does" comments, but the response above is interesting. The belief above seems to be that it is only a security issue when data is being stolen, and that's something that I definitely don't agree with. Out of curiosity, does anyone reading this agree with that comment, and if so, why? I'd love to hear the response.
Question 3 - Should InfoSec Ignore Denial of Service
To be honest, I expected quite a few more 'Yes' answers here. I think the answer is no... something inside me just said, "People will say Yes". There were only 4 'Yes' responses.
Yes, when the researcher can't show a real-world security impact of the DoS. - Security Researcher/See Note Below
Are you kidding? The word denial denotes malicious effort. Availability is critical to business continuity. - IT Professional/No
The domain of InfoSec is to guard and defend against an attack on IT resources. Whether the upshot of an attack is a DOS, an unwarranted escalation of privilege, or the compromise of restricted information the fact of the matter stands. These conditions arose as the result of an Attack. It is the charge of InfoSec professionals to address these matters. - IT Professional/No
I think it would be folly to ignore DoS. It is like saying we should worry that the sun won't come up tomorrow. I see a DoS condition as something that is always possible, but often made less of a risk through measures like large enough servers or configs that deal with open sessions, etc. It is often brought up, but also often dismissed in pen-test reports or architecture planning. It's important if 2 people can exploit it less important if it takes an exotic attack or something so large, like a wall cracking under an elephant stampede. You're screwed anyway. - IT Professional/No
Apparently they are, until this day we're still tinkering with easy issues like XSS. Jeremiah Grossman was so excited about this, he wrote a book! If you ask around any security consultant, they will tell you that DDoSing is "lame". I think they have that viewpoint simply because it is an issue we have yet to resolve, and cannot provide an effective solution because there is very little focus and contribution to that area. I think we have forgotten where hackers really descended from. Before compiling and launching exploits, there was DDoSing, something that would disrupt service and could work successfully the majority of the time. We forget that vulnerabilities and exploits like XSS can be easily prevented and administered by a simple update, but a DDoS attack takes a website offline, disabling the use of connecting to even fix the issue. Ask Robert Hansen (RSnake) what he thinks about DDoSing. A friend of mine took his website offline within a few minutes and I went about reporting this to Mr. Hansen and he replied back calling me a script kiddie. As you can see, DDoSing is something that cannot be stopped even by seasoned professionals. - Security Researcher/No
The first one makes me ask the questions, "How do you define real-world impact?" and "Real-world impact to whom?". To many a browser crash is not a security issue (coming up), so is that a case where there isn't a real-world impact? What if it affects small business owners whose browsers have had their homepage reset to a page with code that causes a crash? Is that a real-world impact? Is it significant enough for people to look at? The next three were just interesting comments, and the last one was included to demonstrate that some people answered this with only DDoS on their minds (see my first post in the series).
Question 4 - Should Availability Be Removed from CIA
I'd say 'you probably looked at the question and expected that giant chunk of green' but maybe you're one of the people who answered with something different. While it's obvious that 'Availability is Important' was the winner (193), I want to give a bit more of a breakdown around the remaining values:
- Availability Doesn't Matter - 5
- Only Client Availability Matters - 5
- Only Server Availability Matters - 12
- Who Cares? - 26
- Blank - 15
- See Notes Below - 23
The IT Professionals that said 'Availability Doesn't Matter' (2 people)... I'm glad I don't work at their organizations. I actually thought that 'Only Server Availability Matters' might be higher than it is (more on this with Question 5).
Somewhat important, less so than C and I, typically not the sole preserve of the infosec function therefore responsibility less clear - Management/See Notes Below
A is IMO the most important these days, and the more we become interdependent on IT, the more importance A will have/get. - IS Professional/See Notes Below
Yes, I believe so. It should be addressed separately. - Security Researcher/See Notes Below
Availability is important to a degree. I do not believe that CIA means Conf. Integ. and Avail. are THE MOST IMPORTANT things...they are the three areas that security is most concerned with UNDERSTANDING and MANAGING. It is important to understand if availability isn't as important as confidentiality for your [company|agency|group] they are subjective areas of value, differing for every organization. - IT Professional/Avail. is Important
A gets IS in touch with operations and allows "us" to create a true partnership - IS Professional/Avail. is Important
Absolutely not. There is already a *HUGE* disconnect between Security and other IT disciplines because the Security community does not treat DoS with as much importance as others. - Management/Avail. is Important
Availability is just as important as the other two, although there are arguments regarding who is responsible for it. - IT Professional/Avail. is Important
Availability is one of the most important issues for business - so it's part of quality as well as whole security is. - Management/Avail is Important
These were some of the more interesting comments. I thought the contrast in these was rather impressive. We've got an individual in management telling us that availability is somewhat less important than confidentiality and integrity, while an IS professional is telling us the exact opposite. I realize it's only two responses but does this speak to a larger disconnect that might exist today? Then we see another interesting contrast, with a security researcher telling us that availability should be addressed separately and someone in management saying there's already enough of a disconnect between Security and the remaining IT disciplines. Have we stumbled across a major issue in information security today? How do we address this? Who's right and who's wrong... or is everyone right?
Well that's only the first 4 questions, however this post is already extremely long (and I've been writing for quite a while). I think I'm going to break it into a two-part post and do the second half tomorrow. This is a great spot for the split as it is the end of what I considered the "setup points" and tomorrow I can get into the questions that I really want to discuss deeper.