Skip to main content

Asymmetric denial of service - Content length

Description

The Content-Length field specifies the size of the transmitted form of data after the request header. In an attack, the Content-Length field contains a very high value, meaning the server will expect to receive a large amount of data. The header of the spoofed request is then validly terminated, then an attacker waits and sends another small piece of data before the connection termination timer expires. In this way, the connection keeps dangerously active.

Impact

  • Lead to exhauste all available server resources.
  • Use technique to exhaust all available server resources.
  • Exhaust the victim's network and hardware resources when requesting large amounts of data.

Recommendation

  • Set the header and message body to a maximum reasonable length.
  • Define a minimum incoming data rate, and drop those that are slower.
  • Set an absolute connection timeout.

Threat

Anonymous attacker with local access.

Expected Remediation Time

⌚ 60 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the src.

Base

  • Attack vector: L
  • Attack complexity: H
  • Privileges required: H
  • User interaction: R
  • Scope: U
  • Confidentiality: L
  • Integrity: L
  • Availability: N

Temporal

  • Exploit code madurity: P
  • Remediation level: X
  • Report confidence: X

Result

  • Vector string: CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N/E:P/RL:X/RC:X
  • Score:
    • Base: 2.9
    • Temporal: 2.8
  • Severity:
    • Base: Low
    • Temporal: Low

Score 4.0

Default score using CVSS 4.0 . It may change depending on the context of the src.

Base 4.0

  • Attack vector: L
  • Attack complexity: H
  • Attack Requirements: N
  • Privileges required: H
  • User interaction: A
  • Confidentiality (VC): L
  • Integrity (VI): L
  • Availability (VA): N
  • Confidentiality (SC): N
  • Integrity (SI): N
  • Availability (SA): N

Threat 4.0

  • Exploit madurity: P

Result 4.0

  • Vector string: CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
  • Score:
    • CVSS-BT: 0.3
  • Severity:
    • CVSS-BT: Low

Requirements

Fixes

free trial

Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.