Image credit: NicoElNino via Getty Images

New DoS attack exploits algorithms to knock sites offline

The attack sends junk data to algorithms for processing.

Distributed Denial of Service (DDoS) attacks have caused their share of online chaos in the past, from being used to target messaging service Telegram during the Hong Kong unrest to crippling emergency communication systems in the US. Now, researchers have described a new vulnerability which could affect sites all over the internet.

The exploit was detailed at the Black Hat cybersecurity conference in Las Vegas by Nathan Hauke and David Renardy of security company Two Six Labs, as reported by Wired.

Rather than a traditional DDoS attack which overwhelms a server by sending thousands of junk traffic requests to it from hundreds of different computers until it fails, the new attack uses a related technique called Denial of Service (DoS). The DoS attack can originate from just one machine and targets the algorithms used by many sites for data processing.

The researchers found a common vulnerability across three sets of software, in which they could throw large amounts of data at algorithms, which then try to process the data and crash. This worked for PDF software, where uploading a single large PDF file could crash a whole website; for virtual networking computers (VNCs), which could be filled with junk data until the servers crashed; and for password-strength-indicating software developed by Dropbox, which could be stalled when a user entered thousand-character passwords.

In each case, the attacks take advantage of the large amount of processing done by algorithms. If these algorithms are fed enough junk data, they can gum up a website and cause server outages.

The researchers say they want to raise developers' awareness of this vulnerability, and they have created a tool called ACsploit which developers can use to generate the "worst-case inputs for algorithms" and test against them.
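To make the thousand-character password case concrete, here is an added illustration that is not from the article and is not Dropbox's or the researchers' code: a toy strength checker that tests every substring against a dictionary, next to two bounded variants. The word list, the function names and the 64-character cap are assumptions chosen for the example.

```python
# Toy password-strength matcher (hypothetical, for illustration only).
WORDS = {"password", "dragon", "letmein", "qwerty"}  # constructed mini-dictionary
LONGEST = max(len(w) for w in WORDS)                 # longest dictionary word (8)
MAX_LEN = 64                                         # assumed input cap


def scan(pw, window=None):
    """Count dictionary hits among substrings of pw.

    window limits substring length; None means "no limit", which examines
    n*(n+1)/2 substrings. Returns (hits, substrings_examined).
    """
    n = len(pw)
    window = n if window is None else window
    hits = examined = 0
    for i in range(n):
        for j in range(i + 1, min(n, i + window) + 1):
            examined += 1
            hits += pw[i:j] in WORDS
    return hits, examined


def naive_matches(pw):
    """Unbounded version: work grows quadratically with input length."""
    return scan(pw)


def windowed_matches(pw):
    """Fix 1: no substring longer than the longest word can match, so stop there.
    Work becomes roughly len(pw) * LONGEST, i.e. linear in the input."""
    return scan(pw, LONGEST)


def capped_matches(pw, max_len=MAX_LEN):
    """Fix 2: only score a bounded prefix, so work has a fixed ceiling."""
    return scan(pw[:max_len])


if __name__ == "__main__":
    # Constructed inputs: one dictionary word followed by filler.
    for n in (10, 100, 1000):
        pw = ("qwerty" + "x" * n)[:n]
        print(n, naive_matches(pw)[1], windowed_matches(pw)[1], capped_matches(pw)[1])
```

Counting the substrings examined, rather than timing the call, gives a regression test that is stable across machines: the unbounded count grows with the square of the input length while the bounded ones do not.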
