What is Denial of Service (DoS)?
Web services such as websites (HTTP GUIs) and web services (including HTTP APIs) are constructed such that they are scalable and able to concurrently serve multiple customers or clients at the same time typically in a request-response pattern. Some fundamental principles of securing these web services are service availability (ensuring that incoming requests can be serviced) and non-interference (ensuring that the actions of one client do not impact the use of the service by other users.
If one customer is able to deny the use of the service to other users, then the service is said to be susceptible to denial of service in that one customer can deny access to the service by others.
What causes Denial of Service (DoS)?
There are many possible causes for denial of service, often in combination, including:
- Failure by web service owner to provision sufficient resources to support normal service demand (resources could include network sockets, CPU, diskspace, memory or other factors)
- Logical or code error in the web service that causes some or all requests to consume excessive resources before a response can be served
- Excessive and unexpected spike in traffic/requests over predicted levels, either due to malicious volumetric requests, or site promotion/media mention, for example.
- Ability of a malicious attacker to make a single request that causes service failure - for example, by finding a Remote Code Execution (RCE) vulnerability and instructing the server to shutdown, or to wipe all data from its disk drives/primary storage -i.e. Denial of Service does not have to relate to volumetric/high volume request loads.
What is Distributed Denial of Service (DDoS)?
Distributed Denial of Service (DDos) is particular variety of Denial of Service (DoS) that indicates that the requests causing the service outage originate from multiple, distributed sources. Although legitimate traffic spikes can cause DDoS if there is a sudden spike in demand for a service (e.g. a TV channel streaming website during a World Cup or other high-demand event), typically DDoS is used to refer to deliberate and malicious attempts to cause service outage by a distributed attack.
Does AppCheck perform Distributed Denial of Service (DDoS) testing?
AppCheck performs practically all testing for a particular scan from a single IP address relating to a dedicated scan server - therefore it would never perform specifically a distributed denial of service.
Does AppCheck perform volumetric or other DoS testing?
AppCheck deliberately does not target scanned services and applications with volumetric attacks.
Can AppCheck cause a Denial of Service (DoS) condition or service outage by non-volumetric means?
AppCheck does not seek to exploit other (non-volumetric) methods of exploiting vulnerabilities that could cause service outages and lead to a denial of service to other users. However, it is possible for denial of service to be caused by a given intentionally-benign (non-malicious) web request made during service scanning if there is a serious flaw in the web service operation.
Additionally, the request rate/intensity of web requests made during scanning may be high enough to overwhelm servers with little resource provision. To understand why AppCheck uses a high request rate, please see our article at https://appcheck.zendesk.com/hc/en-us/articles/360022904274-Why-does-AppCheck-make-so-many-HTTP-request-to-my-site-or-domain-
The intensity of AppCheck scans is configurable in order to minimise this risk.
AppCheck scan agents will automatically "back off" scan rates if any service disruption is detected, in order to try and avoid denial of service.
Additionally, AppCheck scans can be manually paused by clients at any time if a DOS condition is experienced. Stopping the scan should allow the targeted service time to recover - and the scan can be reconfigured with a lower number of threads in order to reduce the scan intensity to a level the service can sustain (note that a scan must be restarted for changes to the configuration to take effect).
Does AppCheck detect Denial of Service (DoS) vulnerabilities?
AppCheck can detect Denial of Service (DoS) vulnerabilities such as SlowLoris, without actually exploiting them or causing a denial of service on the endpoint being scanned. Since no exploit is performed, such vulnerabilities are reported as "Probable" or "Suspected" vulnerabilities, since their presence cannot be absolutely confirmed without causing service disruption.
How can I ensure that AppCheck does not cause Denial of Service (DoS) during scanning?
We have an FAQ article on minimising the risk of automated scanning which may help provide some information: https://appcheck.zendesk.com/hc/en-us/articles/360023190733-Minimising-Risk-of-Web-Application-Scanning