CAPEC-469 Detail

CAPEC-469

Name

HTTP DoS

Typical Severity

Low

Status

Draft

Published

2014-06-23
00h00 +00:00

Modified

2022-09-29
00h00 +00:00

Official links

CAPEC Mitre.org

Alerte pour un CAPEC

Stay informed of any changes for a specific CAPEC.

Notifications manage

List of Notifications

Alerte pour un CAPEC

Stay informed of any changes for a specific CAPEC.

Parameters

You can specify a title that will be retrieved in the alerts that will be sent out.

Specify the CAPEC ID you wish to monitor.

Planning

Month

Next run calculation

Day

Weekday

Hour

Minute

Creation date

Last execution

Next execution

Functionality requiring a connection

This feature, which allows you to receive alerts, is only active when you are logged into your account.

Descriptions CAPEC

An attacker performs flooding at the HTTP level to bring down only a particular web application rather than anything listening on a TCP/IP connection. This denial of service attack requires substantially fewer packets to be sent which makes DoS harder to detect. This is an equivalent of SYN flood in HTTP. The idea is to keep the HTTP session alive indefinitely and then repeat that hundreds of times. This attack targets resource depletion weaknesses in web server software. The web server will wait to attacker's responses on the initiated HTTP sessions while the connection threads are being exhausted.

Informations CAPEC

Prerequisites

HTTP protocol is usedWeb server used is vulnerable to denial of service via HTTP flooding

Resources Required

Ability to issues hundreds of HTTP requests

Mitigations

Configuration: Configure web server software to limit the waiting period on opened HTTP sessions
Design: Use load balancing mechanisms

Related Weaknesses

CWE-ID	Weakness Name
CWE-770	Allocation of Resources Without Limits or Throttling The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.
CWE-772	Missing Release of Resource after Effective Lifetime The product does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed.

References

REF-406

Slowris HTTP DoS
Robert Hansen.
http://ha.ckers.org/blog/20090617/slowloris-http-dos/

Submission

Name	Organization	Date	Date release
CAPEC Content Team	The MITRE Corporation	2014-06-23 +00:00

Modifications

Name	Organization	Date	Comment
CAPEC Content Team	The MITRE Corporation	2020-07-30 +00:00	Updated Taxonomy_Mappings
CAPEC Content Team	The MITRE Corporation	2020-12-17 +00:00	Updated Mitigations
CAPEC Content Team	The MITRE Corporation	2021-06-24 +00:00	Updated Taxonomy_Mappings
CAPEC Content Team	The MITRE Corporation	2022-09-29 +00:00	Updated Taxonomy_Mappings