Skip to main content

Asymmetric denial of service - Content length

Description

The Content-Length field specifies the size of the transmitted form of data after the request header. In an attack, the Content-Length field contains a very high value, meaning the server will expect to receive a large amount of data. The header of the spoofed request is then validly terminated, then an attacker waits and sends another small piece of data before the connection termination timer expires. In this way, the connection keeps dangerously active.

Impact

  • Lead to exhauste all available server resources.
  • Use technique to exhaust all available server resources.
  • Exhaust the victim's network and hardware resources when requesting large amounts of data.

Recommendation

  • Set the header and message body to a maximum reasonable length.
  • Define a minimum incoming data rate, and drop those that are slower.
  • Set an absolute connection timeout.

Threat

Anonymous attacker with local access.

Expected Remediation Time

⌚ 60 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: L
  • Attack complexity: H
  • Privileges required: H
  • User interaction: R
  • Scope: U
  • Confidentiality: L
  • Integrity: L
  • Availability: N

Temporal

  • Exploit code madurity: P
  • Remediation level: X
  • Report confidence: X

Result

  • Vector string: CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N/E:P/RL:X/RC:X
  • Score:
    • Base: 2.9
    • Temporal: 2.8
  • Severity:
    • Base: Low
    • Temporal: Low

Code Examples

Compliant code

The http headers of the application have a reasonable content length limit and a timeout limit set

GET HTTP/1.1
Host: hostname
User-Agent: Mozilla/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Keep-Alive: 300
Connection: keep-alive
Content-Length: 3000
Request-Timeout: timeout-value
timeout-value: 1000

Non compliant code

Tha application has an http header poorly configured

GET HTTP/1.1
Host: hostname
User-Agent: Mozilla/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Keep-Alive: 300
Connection: keep-alive
content-length: 100000

Requirements