New DoS attack exploits algorithms to knock sites offline

The attack sends junk data to algorithms for processing.

Distributed Denial of Service (DDoS) attacks have caused their share of online chaos in the past, from being used to target messaging service Telegram during the Hong Kong unrest to crippling emergency communication systems in the US. Now, researchers have described a new vulnerability which could affect sites all over the internet.

The exploit was detailed at the Black Hat cybersecurity conference in Las Vegas by Nathan Hauke and David Renardy of security company Two Six Labs, as reported by Wired.

Rather than a traditional DDoS attack, which overwhelms a server by sending thousands of junk traffic requests to it from hundreds of different computers until it fails, the new attack uses a related technique called Denial of Service (DoS). The DoS attack can originate from just one machine and targets the algorithms used by many sites for data processing.

The researchers found a common vulnerability across three sets of software: they could throw large amounts of data at algorithms, which then try to process the data and crash. This worked for PDF software, where uploading a single large PDF file could crash a whole website; for virtual networking computers (VNCs), which could be filled with junk data until the servers crashed; and for password strength indicating software developed by Dropbox, which could be stalled when a user entered thousand-character passwords.

In each case, the attacks take advantage of the large amount of processing done by algorithms. If these algorithms are fed enough junk data, they can gum up a website and cause server outages.

The researchers say they want to bring awareness of this vulnerability to developers' attention, and they have created a tool called ACsploit which developers can use to generate the "worst-case inputs for algorithms" and test against them.
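To make the password-strength case concrete, here is an added example (not code from the researchers, Dropbox or ACsploit): a toy strength meter whose work grows quadratically with input length, next to a wrapper that caps the length before the expensive step. The word list, the scoring rule and the 128-character cap are assumptions made for this illustration.

```python
"""Toy password-strength meter showing worst-case work and a length cap."""

# Constructed word list and an assumed cap; neither comes from the article.
COMMON = {"password", "letmein", "dragon", "qwerty", "123456"}
MAX_LEN = 128


def count_matches(pw):
    """Check every substring of pw against COMMON.

    Returns (matches, substrings_examined). The number of substrings is
    n * (n + 1) / 2, so the work grows quadratically with input length.
    """
    lowered = pw.lower()
    n = len(lowered)
    matches = examined = 0
    for i in range(n):
        for j in range(i + 1, n + 1):
            examined += 1
            if lowered[i:j] in COMMON:
                matches += 1
    return matches, examined


def score(pw):
    """Crude 0-4 score: one point per 4 characters, minus one per word hit."""
    matches, examined = count_matches(pw)
    return max(0, min(4, len(pw) // 4) - matches), examined


def guarded_score(pw, max_len=MAX_LEN):
    """Bound the work up front: analyse at most max_len characters."""
    truncated = len(pw) > max_len
    value, examined = score(pw[:max_len])
    return {"score": value, "examined": examined, "truncated": truncated}


if __name__ == "__main__":
    for label, pw in [("typical", "password1"), ("oversized", "a" * 1000)]:
        _, raw_work = score(pw)
        guarded = guarded_score(pw)
        print(f"{label:9} len={len(pw):4} unguarded={raw_work:6} "
              f"guarded={guarded['examined']:5} truncated={guarded['truncated']}")
```

The counter stands in for CPU time: a 9-character password costs 45 substring checks, a 1,000-character one costs 500,500, and the capped version never exceeds 8,256 regardless of what is submitted.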
