Issuing very slooowwww HTTP POST connections results in a major denial-of-service attack on Web-based servers and can build an "agentless" botnet.
A flaw in the HTTP protocol leaves the door open for attackers to wage a new form of distributed denial-of-service (DDoS) attack that floods Web servers with very slow HTTP "POST" traffic.
Researchers next week at the OWASP 2010 Application Security Conference will demonstrate the new attack, showing how online gaming could be used as a way to recruit bots in an "agentless" botnet that executes this slow HTTP POST DDoS attack. The bot does the bidding of the botnet without getting infected with bot malware.
Researcher Wong Onn Chee, who first discovered the attack in 2009 with a team of researchers in Singapore, says HTTP is "broken" and leaves all Web-based servers or systems with a Web interface vulnerable to this form of attack. "We believe that the fix is in the actual protocol as it is broken by design and affects everyone globally and anything using a Web application. This talk is very sensitive and should be highlighted for U.S. critical infrastructure," Onn Chee says of his upcoming presentation. "If it has a Web interface, we can knock it down [with this attack]: think SSL VPN and other critical systems accessed with a Web browser that you need to connect to by posting information."
He and Tom Brennan, a security researcher with Proactive Risk, will present the research on the attack at OWASP and solicit input on how to mitigate it.