HTTP Time Bandit
Thursday, November 21 • 3:00 pm - 3:50 pm
While web applications have become richer to provide a higher level user experience, they run increasingly large amounts of code on both the server and client sides. A few of the pages on the web server may be performance bottlenecks. Identifying those pages gives both application owners as well as potential attackers the chance to be more efficient in performance or attack.
We will discuss a tool created to identify weaknesses in the web application by submitting a series of regular requests to it. With some refinement and data normalizations performed on the gathered data,
and then performing more testing based on the latter, it is possible to pinpoint the single most (CPU or DB) resource-consuming page of the application. Armed with this information, it is possible to perform more efficient DOS/DDOS attacks with very simple tools.
The presentation will be accompanied by demos of the tool performing testing and attacking on various targets. The tool will be published for the interested researchers to play with.
Introduction
Definition of the method
Classical DOS/DDOS methods
DDOS-ing blindly
Somewhat smarter bots
HTTP server transfer(response) time's correlation with the load
Method of detection of critical resource
Case studies
Refinements to the method
Data normalization
Other tricks and techniques
Additional stage of testing that looks more like an attack.
Measurement of service degradation while doing hard test.
Narrowing down the choice
Usage
The Good
Find potential CPU/DB hogs in my web apps
The Bad
Automated iterative analyzer attacker
The Ugly
Probably should not be spelled out:)
and Tigran Gevorgyan