EXPERT RESPONSE
Billy Hoffman, a lead researcher in SPI Labs and an Ajax expert, is the perfect person to answer this question. So his answer is below:
"If you want to cause a denial of service (DoS) with a traffic flood, JavaScript can do it several ways. XmlHttpRequest (the workhorse of Ajax) can do it, but it can only talk to the domain it comes from. Thus, I could make a botnet of MySpace users but I could only attack MySpace with it if I used it.
I would argue the way Ajax applications can make you more open to a DoS is from all the open Web services and Ajax endpoints. Because you can directly call parts of the control logic of the program, you can do more damage then just blindly requesting files. A flood of traffic to an Ajax endpoint is probably worse than a traffic flood against a random page because each time you contact that Web service the server has some computation to do. Furthermore, responses from Ajax endpoints are not typically cached by Squid or any other 'Web site accelerator.'
Another DoS vector I see with Ajax applications is calling the Web services out of order. This would vary from application to application, but by looking at the JavaScript code that's pushed to the client, I can see in what order and how often Web services are contacted. In essence, this blueprint of how the app works gives an attacker the blueprint of how to break it. Some Web services may allocate resources where another one cleans them up. An attacker simply never calls the clean up functions. Even if the code fails gracefully, it is extremely expensive for a program to generate an Exception, even if it gets caught.
A traffic flooding DoS is like throwing millions of small punches hoping you take an opponent down. A control logic DoS is like cutting open an opponent's head and punching them a few times in the brain."
And here's my answer:
I also tend to see sloppy implementation of Ajax inadvertently causing DoS attacks. For example, I know of a company that decided to implement some Ajax intelligence technology into their search bar on their Web site. What they did not think about was that doing this multiplied their traffic by eight times. For every one search query going to their application it now was broken down to each letter being a single hit. So it ended up crashing their bandwidth.
More information:
Billy Hoffman is a lead researcher in the SPI Labs Research and Development group. He is an oft quoted expert on AJAX security and is a frequent speaker at conferences on the topic. Hoffman is currently co-authoring a book on Ajax security for Addison-Wesley.
|
