denial-of-service | 易学教程

Which kind of webapps can realistically be affected by the floating bug?

阅读更多关于 Which kind of webapps can realistically be affected by the floating bug?

问题 There's an easy way to totally lock a lot of JVM: class runhang { public static void main(String[] args) { System.out.println("Test:"); double d = Double.parseDouble("2.2250738585072012e-308"); System.out.println("Value: " + d); } } or, to hang the compiler: class compilehang { public static void main(String[] args) { double d = 2.2250738585072012e-308; System.out.println("Value: " + d); } } as explained here: http://www.exploringbinary.com/java-hangs-when-converting-2-2250738585072012e-308/

Best practices for detecting DOS (denial of service) attacks? [closed]

阅读更多关于 Best practices for detecting DOS (denial of service) attacks? [closed]

问题 I am looking for best practices for detecting and preventing DOS in the service implementation (not external network monitoring). The service handles queries for user, group and attribute information. What is your favorite source of information on dealing with DOS? 回答1: This is a technique I found very useful.. Prevent Denial of Service (DOS) attacks in your web application 回答2: Whatever you do against DoS-Attacks, think if what you do may actually increase the the load required to handle

How can I use PHP's various XML libraries to get DOM-like functionality and avoid DoS vulnerabilities, like Billion Laughs or Quadratic Blowup?

阅读更多关于 How can I use PHP's various XML libraries to get DOM-like functionality and avoid DoS vulnerabilities, like Billion Laughs or Quadratic Blowup?

I'm writing a web application that has an XML API in PHP, and I'm worried about three specific vulnerabilities, all related to inline DOCTYPE definitions: local file inclusion, quadratic entity blowup, and exponential entity blowup. I'd love to use PHP's (5.3) built in libraries, but I want to make sure I'm not susceptible to these. I found I can eliminate LFI with libxml_disable_entity_loader, but this doesn't help with inline ENTITY declarations, including entities that refer to other entities. The SimpleXML library (SimpleXMLElement, simplexml_load_string, etc) is great because it's a DOM

Security implications of adding all domains to CORS (Access-Control-Allow-Origin: *)

阅读更多关于 Security implications of adding all domains to CORS (Access-Control-Allow-Origin: *)

It is said that instead of adding all domains to CORS , one should only add a set of domains. Yet it is sometimes not trivial to add a set of domains. E.g. if I want to publicly expose an API then for every domain that wants to make a call to that API I would need to be contacted to add that domain to the list of allowed domains. I'd like to make a conscious trade off decision between security implications and less work. The only security issues I see are DoS attacks and CSRF attacks. CSRF attacks can already be achieved with IMG elements and FORM elements. DoS attacks related to CORS can be

Security implications of adding all domains to CORS (Access-Control-Allow-Origin: *)

阅读更多关于 Security implications of adding all domains to CORS (Access-Control-Allow-Origin: *)

问题 It is said that instead of adding all domains to CORS, one should only add a set of domains. Yet it is sometimes not trivial to add a set of domains. E.g. if I want to publicly expose an API then for every domain that wants to make a call to that API I would need to be contacted to add that domain to the list of allowed domains. I'd like to make a conscious trade off decision between security implications and less work. The only security issues I see are DoS attacks and CSRF attacks. CSRF

Most Robust way of reading a file or stream using Java (to prevent DoS attacks)

阅读更多关于 Most Robust way of reading a file or stream using Java (to prevent DoS attacks)

Currently I have the below code for reading an InputStream . I am storing the whole file into a StringBuilder variable and processing this string afterwards. public static String getContentFromInputStream(InputStream inputStream) // public static String getContentFromInputStream(InputStream inputStream, // int maxLineSize, int maxFileSize) { StringBuilder stringBuilder = new StringBuilder(); BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(inputStream)); String lineSeparator = System.getProperty("line.separator"); String fileLine; boolean firstLine = true; try { //

Most Robust way of reading a file or stream using Java (to prevent DoS attacks)

阅读更多关于 Most Robust way of reading a file or stream using Java (to prevent DoS attacks)

问题 Currently I have the below code for reading an InputStream . I am storing the whole file into a StringBuilder variable and processing this string afterwards. public static String getContentFromInputStream(InputStream inputStream) // public static String getContentFromInputStream(InputStream inputStream, // int maxLineSize, int maxFileSize) { StringBuilder stringBuilder = new StringBuilder(); BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(inputStream)); String

Protect yourself against Dos attacks

阅读更多关于 Protect yourself against Dos attacks

This might be something more suited for Serverfault, but many webdevelopers who come only here will probably benefit from possible answers to this question. The question is: How do you effectively protect yourself against Denial Of Service attacks against your webserver? I asked myself this after reading this article For those not familiar, here's what I remember about it: a DoS attack will attempt to occupy all your connections by repeatedly sending bogus headers to your servers. By doing so, your server will reach the limit of possible simultanious connections and as a result, normal users