Denial of Service the Series: Part 2 – Survey Responses (2/2)
Yesterday I stopped halfway through and said I'd continue with the responses today. So tonight I'm going to look at the responses to:
- Does Web 2.0 Make Availability More Important?
- Are Denial of Service and Availability Interchangeable?
- A Browser Crash is...?
- A Firewall Denial of Service is...?
- A Web Server Crash is...?
These are the questions that drew the responses that I was really interested in... so let's jump right in.
Question 5 - Does Web 2.0 Make Availability More Important?
With this one, I was rather impressed by the splits: overall we had 89 'Yes' responses to 78 'No's. Our biggest group (IT Professional) saw 34 to 20 in favour of 'Yes', while the second biggest group (Security Researcher) was an even split of 26 to 26. Perhaps the most surprising was IS Professional with 16 to 10 in favour of 'No'. Going into this survey, if I had to pick one question that I thought would be clear cut, it would have been this one. I thought that everyone would say yes, but that obviously isn't the case. So what did people have to say about this question?
If anything Web 2.0 has shown how little people care about availability. - Security Researcher/No
Web 2.0 (Web 'Uh-oh') actually opens up an entirely different set of security issues... - Security Researcher/No
There are just more people pissed off about it. - Developer/No
Availability is an issue for COBOL apps written in the 1960s. Mission critical is mission critical. Platform is irrelevant. - IS Professional/No
It really shouldn't; it should have been just as important 10 years ago. I think the big difference is rather than 10,000 web users on a site 10 years ago, today there may be 1,0,000! Web 2.0, to me, signifies a big uptake in people casually using those tools. This makes A seem important as it really affects revenues and perceptions. But should it have been less important? I guess that's a paradigm difference amongst people, but I think it should always have been important. - IT Professional/No
The purpose, not the technology, dictates when availability is more important. - Management/No
As you can see, I've only selected comments where the commenter selected 'No' as their answer. So it seems that it's not 'more important' but should be considered 'as important', at least to some people. That's completely valid... just not how I looked at it. I had assumed more people... more importance. The developer's comment is interesting: "There are just more people pissed off about it". That follows the logic that I had used in my assumptions, yet they answered no. I guess that means the question comes down to "more important to whom?" The business, the user or both? I'd say both. If I can access the service, I'll be happy. If I'm happy I'll most likely be retained as a customer. If I stick around, I'll probably buy more and the business will be happy.
The remaining comments either passed off 'Web 2.0' as a horrid buzz word or revolved around the concept I just mentioned, more people and more business make Web 2.0 more important.
Question 6 - Are Denial of Service and Availability Interchangeable?
A lot of people said 'No' to this one and then proceeded to inform me that Denial of Service affects Availability; I guess they didn't see that option in the drop-down. If I were to cast my vote, you'd find me in the 'DoS affects Avail.' red grouping, but a lot of people who said 'No' (and there were 103 of them) seemed to think I was leaning towards yes simply by asking the question. The numbers across the board for this one were: No - 103, Yes - 37, DoS affects Avail. - 68, and Sometimes - 51. Some people did offer up interesting reasoning for their opinions.
Used loosely, sure. If I am under a DDoS attack, I probably don't have great availability. If all my boxes fall over at the same time due to a power outage, I've also effectively eliminated my ability to provide service. - Security Researcher/See Notes Below
Denial of service does not have to affect availability. For instance causing a redirect loop in a website does in fact rely on the webserver being available. - IT Professional/No
That's tough. I think Availability encompasses all DoS, but Availability is more than just DoS conditions and attacks. If a netadmin borks a router config and denies a segment of the network service from another segment, that is not a security concern but rather a stability issue. However, it still is about Availability as it pertains to the IT infrastructure teams. (Of course, what if it was a purposeful misconfig...?) - IT Professional/Sometimes
In the end, availability is the key component. DoS is a type or characteristic of a method used to affect availability. Businesses only care about overall availability. - IS Professional/Yes
When there is no avail. it doesn't mean that it's DoS, but when there's DoS it means that there's no Avail. - IT Professional/See Notes Below
For these next questions, I'm going to cover all three graphs first.
Question 7 - A Browser Crash is a...?
This one went:
- Stability Issue - 99
- Security Issue - 15
- Both - 138
- Neither - 14
Question 8 - A Firewall Denial of Service is a...?
And the numbers are:
- Stability Issue - 12
- Security Issue - 99
- Both - 139
- Neither - 14
Question 9 - A Web Server Crash is a...?
May I have the envelope please:
- Stability Issue - 51
- Security Issue - 34
- Both - 177
- Neither - 5
Quotes related to these last three:
For the last three questions, a browser or web server crash is only a security issue in certain scenarios. Each of the scenarios must be checked. They could be one or several of the following conditions that lead to one or multiple specific security issue(s):
1) Path traversal/exploration (sometimes DoS, sometimes Information Leakage, sometimes both, sometimes more)
2) Memory Access Violation (Write) - definitely/always a security issue that can cause a DoS and/or remote execution and/or more
3) Memory Access Violation (Read) - varies by type
4) NULL pointer dereference - varies by type
5) Divide by zero (often DoS-only, but not always)
A browser/server crash in a lab or trusted environment (especially done on purpose or under the auspices of SQA) is not a security issue. A browser/server crash in a production environment is often both a stability and security issue. Firewalls, clients, servers, etc. are basically treated similarly, except they do have different kinds of bugs and vulnerabilities. - Security Researcher/Neither/Neither/Neither
Web Server Crash = If not from DoS Attack - IS Professional/Stability Issue
Browser crashes are not a security issue unless they can be leveraged for exploitation. Chances are if you can continuously DoS a browser, you have MITM or some other over the system already - Security Researcher/Stability Issue
Where you say "stability" I would say "reliability". The misbehaviour of a piece of software may indicate there are other lurking defects that may compromise Confidentiality or Integrity, in addition to the obvious Availability defect. There would be fewer browser crashes discovered if web page authors checked their web pages with the tool at http://validator.w3.org. The remaining browser crashes would be from malevolent web authors and users would not view a browser crash as benign or expected - Developer/Both/Both/Both
Application level DoS is underestimated. I like this survey as it addresses this problem. A distinction between DoS target layers would have been nice though - IT Professional/Security Issue/Security Issue/Security Issue
I wanted to group these last three because I found them rather interesting. One of the more interesting numbers is the mirroring of stability and security between a browser crash and a firewall DoS. I was rather surprised by this for a couple of reasons. The first is the number of people who said that Web 2.0 makes availability more important and the number of people who said Denial of Service is a security issue... yet a web browser crashing suddenly becomes a stability issue. I wonder how those people would respond if I told them that it was the same specially crafted HTTP response that caused both. My goal here was to mix up the use of 'crash' and 'denial of service' and see if changing the word played into people's opinions. Even though the numbers were closer on the web server crash, I think it's still safe to say that the use of the word 'crash' vs 'denial of service' does affect people's opinions of whether or not it is a security issue. Any thoughts on that?
While 'Both' reigned supreme across the board for these three questions, I didn't expect that on both the browser and the firewall it would pick up only 50% of the vote. In the end, I'd wanted to attempt to reach an agreed-upon point as to when something is a Denial of Service... to remove the subjectivity and make it a little more objective. I don't know that it's possible to do that after seeing these responses, but I'll try to come up with a majority consensus based on these responses and put that forward as an objective opinion of what a Denial of Service is in a future post.
For now, I'll leave you with some of the final comments from the survey:
Denial of service is less of a risk to major players as internet crime is moving more towards profit driven models. You'll only see it when a bot master gets pissed off, for instance, against anti-spam orgs or governments, like this russia/georgia bullshit. - Security Researcher
PCI:DSS has done much to bring security into the general populace, but it has also accelerated the thinking that DoS/Availability is not a security issue. People need to understand the scope of PCI:DSS - to protect card holder data. I believe that the PCI:DSS will bring DoS/Availability back into the standard once they have achieved their goal of global adoption. As they evolve their security thinking, they will understand where DoS does put card holder data at risk (as you've alluded to above with DoS on firewalls and other security tools) - Management
Frankly, one of the largest areas of conflict between security personnel and normal IT personnel is with scope creep related to Availability. A huge percentage of what an entire infrastructure department does is about availability - data center, box clustering/load balancing, config management, etc. It often seems to them (and I'm not sure this isn't the case) that security pros/companies pushing into availability isn't just a way to expand their scope/power/money. Now, there are some parts of availability that are best kept with security because of synergy - bad inputs that crash your app versus bad inputs that show SQL data are the same technically, so splitting them isn't that useful. But the security professional's model of availability needs to be restricted to "stopping naughtiness." Firewall-blocking a SYN flood, cleansing application inputs, and preventing theft are good. Getting in my business about how much AC I have in my data center, my load balancing scheme, my configuration management system, or my uptime SLA is not. A browser crash certainly is not. In IT, lots of things have implications on other aspects of systems. So sure, there may be security implications in our config management system, for instance. But all too often security tries to consider these other areas, which are all huge disciplines unto themselves and have a lot more appropriate and specifically trained people to handle them, "under security." - Management
DoS and Availability do in certain circles go hand in hand and are very important to security professionals. We can provide CIA however without providing the availability or the protection against DoS, we are not providing the full product. Availability to me, a security professional, is key. - IT Professional
I'm surprised by this topic, but I think it's a great one. I wouldn't be surprised to see every sort of answer possible, given by respected security experts. As far as the crashes above, they may indicate security issues, but I would certainly start those incidents with the stability/infrastructure teams first. - IT Professional
Denial of Service should not be viewed as only an attack vector. Management can deny you the service as a planned DoS due to authorization level. Equipment failure or incorrect settings or programming can cause DoS, unplanned DoS. You can provide the service and not have enough bandwidth or power to service a large group of requests and cause DoS. - IT Professional
I know, there were lots of quotes but I think a lot of other people summed it up way better than I could have.