DoS of Destruction | A Hacker Crime Story

SAFE😵
5 min read · Jul 21, 2023

Technology is great these days.

I went to the doctor, and he installed in my hands this IoT device that measures things in my blood, and I told him that I am alright. Now I don't have to worry too much about my disease.

What I did not know is that this device uses APIs and cloud technology to transfer data from my body to the doctor, to me, and to thousands of other patients. It works in the following way: first, it measures my blood data using sensors; then it sends this data through an API to a cloud server; the cloud server does some processing; and then it sends the data to the doctor's device.

The cloud is basically a computer (server) in another region that stores and serves the data when needed. So what would happen if someone were able to stop this computer from working? And more importantly, is it even possible to stop a remote computer?

DoS (Denial of Service) attacks are capable of that; surprisingly, this attack specifically is widely ignored by most companies. From my experience in bug bounty, many programs have a hardcoded rule not to test for DoS, simply because they don't want their service to go down. What is more interesting is that DoS is mostly a high-severity issue; imagine that most companies are ignoring a high-severity attack!

What makes it even funnier is that DoS attacks are relatively easy to find and exploit. Furthermore, most people don't really understand DoS attacks. They might know one or two specific DoS attacks, like the SYN flood, which I don't remember having used on a real target and don't think I will use in the future, and DDoS, which is a pretty general category by itself.

So allow me to introduce you to DoS.

DoS is taking down a service by any means. This includes walking up to the cloud computer and cutting its power cables by hand. There are accidental DoS events too, like when a natural disaster takes down services. Businesses should have a disaster recovery plan for that, but they mostly ignore it because "disasters never happen." Such a plan mostly covers backups, how to save people's lives, and so on.

As I have said before, XSS is like COVID-19, and remote DoS is like a nuclear bomb: it brings only destruction, which is why businesses avoid testing for it and why it is so common.

Returning to our blood-measuring service, which runs on a cloud server: as we are the blackhat right now, our mission is to stop this service from running, because we hate people who measure their blood stuff, as we are a group of hackers with deep, dumb thoughts.

How to take down this service?

Computers have many types of limited resources, like CPU, memory, storage, and so on. Also, errors can easily happen, and program logic can sometimes make the service unavailable.

For instance, suppose the cloud computer takes the blood data, does calculations, and draws graphs, all of which require CPU power. A hacker who intercepts the HTTP traffic between the IoT device's mobile application and the cloud with Burp Suite can see all the data sent to and received from the cloud.

So if the attacker sees an attribute that asks the server to generate a blood image with a size of 500x500 pixels, and those values can be changed to 50000x50000 pixels, the server might take a few minutes to generate the image, as it requires far more processing. Sending this request repeatedly will eventually take down the service.
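The defence for this class of bug is to refuse the work before committing resources to it, not to throw a bigger server at it. The following is an added example, not code from the original post: a strict validator for a render request that rejects non-integer values (a `"500"` string or a boolean is not silently coerced), enforces a per-side cap, and enforces a total pixel budget so that two individually "legal" dimensions cannot multiply into an enormous canvas. The field names `width` and `height`, the limits, and the `render_blood_chart` handler are assumptions made for the example.

```python
# Added example (not from the original post): validate an untrusted render
# request before the server allocates memory or CPU for it.
# Field names and limit values are assumed policy choices.

MAX_DIMENSION = 4096        # per-side cap (assumed)
MAX_PIXELS = 8_000_000      # total pixel budget per request (assumed)
BYTES_PER_PIXEL = 4         # RGBA; used to estimate the canvas allocation


class RenderRequestError(ValueError):
    """Raised when a request would exceed the server's resource budget."""


def _as_strict_int(value, name):
    # bool is a subclass of int in Python, so it is excluded explicitly;
    # strings such as "500" are rejected rather than coerced.
    if isinstance(value, bool) or not isinstance(value, int):
        raise RenderRequestError(f"{name} must be an integer")
    return value


def validate_render_request(body):
    """Return (width, height, estimated_bytes) for an acceptable request,
    or raise RenderRequestError. `body` is the parsed JSON object."""
    width = _as_strict_int(body.get("width"), "width")
    height = _as_strict_int(body.get("height"), "height")
    if width <= 0 or height <= 0:
        raise RenderRequestError("dimensions must be positive")
    if width > MAX_DIMENSION or height > MAX_DIMENSION:
        raise RenderRequestError("dimension exceeds per-side limit")
    pixels = width * height
    if pixels > MAX_PIXELS:
        # Both sides may pass the per-side cap while the product is still
        # far too large; the budget check catches that combination.
        raise RenderRequestError("pixel budget exceeded")
    return width, height, pixels * BYTES_PER_PIXEL


def render_blood_chart(body):
    """Hypothetical handler: allocates the canvas only after validation.
    A bytearray stands in for the real image buffer."""
    width, height, estimated_bytes = validate_render_request(body)
    canvas = bytearray(estimated_bytes)
    return {"width": width, "height": height, "bytes": len(canvas)}


if __name__ == "__main__":
    print(render_blood_chart({"width": 500, "height": 500}))
    for bad in ({"width": 50000, "height": 50000}, {"width": "500", "height": 500}):
        try:
            render_blood_chart(bad)
        except RenderRequestError as exc:
            print("rejected:", bad, "->", exc)
```

Validation like this is one layer only: a client can still send many maximum-size requests, so the budget belongs alongside a per-client rate limit, a concurrency cap on expensive handlers, and a timeout on the rendering itself.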

Furthermore, if the server blocks the attacker's IP, he can download a proxy list from GitHub, which can contain over 10,000 proxy IP addresses, and run the attack from all over the world, which is basically a DDoS attack, taking down the server.

Suppose that the blood data is sent as a zip file. Then an attacker can use a zip bomb: a zip file of around 10MB that expands to over a terabyte when it is unzipped on the server. This can exhaust all of the CPU, memory, and storage.
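A zip bomb works because the server trusts the archive and decompresses whatever it declares. The added example below (not from the original post) shows the two checks a defender wants: read the central directory first and reject archives whose declared uncompressed size or compression ratio is out of policy, then count the bytes actually produced during extraction and abort if the budget is exceeded, since the declared sizes are untrusted metadata. The sample archives are constructed inline; the limits are assumed policy values, and `readings.csv` is an assumed file name.

```python
# Added example (not from the original post): inspect a zip upload before and
# during extraction so a zip bomb is rejected instead of inflated.
# Limits are assumed policy values.
import io
import zipfile

MAX_TOTAL_UNCOMPRESSED = 64 * 1024 * 1024   # 64 MiB budget per upload (assumed)
MAX_COMPRESSION_RATIO = 100                 # declared uncompressed : compressed (assumed)
CHUNK = 64 * 1024


class UnsafeArchive(Exception):
    """Raised when an archive fails a size or ratio check."""


def inspect_archive(data, max_total=MAX_TOTAL_UNCOMPRESSED, max_ratio=MAX_COMPRESSION_RATIO):
    """Check the central directory's declared sizes before decompressing anything.
    Returns (total_uncompressed, ratio) or raises UnsafeArchive."""
    zf = zipfile.ZipFile(io.BytesIO(data))
    total_uncompressed = 0
    total_compressed = 0
    for info in zf.infolist():
        if info.filename.endswith("/"):      # directory entry, no payload
            continue
        total_uncompressed += info.file_size
        total_compressed += info.compress_size
    if total_uncompressed > max_total:
        raise UnsafeArchive(f"declared size {total_uncompressed} exceeds budget {max_total}")
    ratio = total_uncompressed / max(total_compressed, 1)
    if ratio > max_ratio:
        raise UnsafeArchive(f"compression ratio {ratio:.0f}:1 exceeds {max_ratio}:1")
    return total_uncompressed, ratio


def extract_with_budget(data, max_total=MAX_TOTAL_UNCOMPRESSED, max_ratio=MAX_COMPRESSION_RATIO):
    """Decompress member by member in chunks, counting bytes actually produced.
    The declared sizes are untrusted, so the same budget is enforced on real output."""
    inspect_archive(data, max_total, max_ratio)
    zf = zipfile.ZipFile(io.BytesIO(data))
    produced = 0
    out = {}
    for info in zf.infolist():
        if info.filename.endswith("/"):
            continue
        buf = io.BytesIO()
        with zf.open(info) as member:
            while True:
                chunk = member.read(CHUNK)
                if not chunk:
                    break
                produced += len(chunk)
                if produced > max_total:
                    raise UnsafeArchive("output exceeded budget during extraction")
                buf.write(chunk)
        out[info.filename] = buf.getvalue()
    return out


def build_archive(members):
    """Constructed sample input: members maps file name -> bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed inputs: a plausible readings upload, and a highly compressible blob
# standing in for a bomb (8 MiB of zeros deflates to roughly 8 KiB, ~1000:1).
NORMAL_UPLOAD = build_archive({"readings.csv": b"ts,glucose\n1,5.4\n2,5.6\n"})
BOMB_UPLOAD = build_archive({"readings.csv": b"\0" * (8 * 1024 * 1024)})

if __name__ == "__main__":
    print("normal:", inspect_archive(NORMAL_UPLOAD))
    try:
        extract_with_budget(BOMB_UPLOAD)
    except UnsafeArchive as exc:
        print("rejected:", exc)
```

The ratio threshold needs tuning per data type (plain text rarely exceeds about 10:1, so 100:1 is generous), and an extracted member may itself be an archive, so nested archives need the same inspection applied recursively rather than being opened blindly.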

Another attack, on servers running JavaScript, is the prototype pollution vulnerability: sending the payload {"__proto__.toString":""} to a vulnerable service can take it down, as it overwrites the "toString" function on the server, which is used everywhere, and will require the system admin to restart the service.

Handling data types can be tricky. I remember one bug that I found in Twitter where I could make all my followers unable to see any tweets. You can refer to it here: https://www.youtube.com/watch?v=P5hNJ2JJvsA

This bug seemed to exist because Twitter couldn't resolve a URL that had an invalid character on the client side and returned an error. And there are tons of Unicode characters, and sometimes they can cause unexpected errors.

Another thing is the flooding attack. By creating a lot of posts or writing a huge number of characters, if those characters are processed every time the page loads, then anyone who views them will have to wait longer for the page to load. Simple as that. But because this attack is so simple, it might be treated as low severity even if the impact is great.

I remember one time that I could bring down a service because the firewall blocked me, so I could make the firewall block anyone, but they ignored my report and said it was designed like that. So when something is too simple, bug bounty programs might think that it is okay to leave it like this; well, it is their company, not mine anyway.

There are lots of DoS attack types and scenarios, more than we will ever imagine, as anything capable of taking down a service is a DoS attack. There are also cache deception attacks that can be used for DoS; pixel flood attacks, which are tiny images that can be uploaded to take down a whole server and which affected HackerOne back in the day; or simply logging in too many times to another user's account until they get blocked from logging in. Always make sure that you have the right to test for DoS, as it is rarely requested, and try to focus on issues with higher impact.
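The account-lockout case above is a design flaw, not a missing check: a hard lock after N failures lets anyone who knows a username deny that user access. The added example below (not from the original post) shows a failed-login throttle that limits the source of the failures, keyed on the (source, account) pair, and turns a high account-wide failure count into a step-up requirement rather than a lockout, so the legitimate owner can still get in from their own device. The thresholds, the in-memory store, the plaintext demo credential, and the injectable clock are assumptions for the example; real systems compare against a slow password hash and persist the counters.

```python
# Added example (not from the original post): throttle failed logins per
# (source, account) pair instead of locking the account for everyone.
# Thresholds, the demo credential and the in-memory store are assumptions.
import hmac
import time
from collections import defaultdict, deque

WINDOW_SECONDS = 600
MAX_FAILURES_PER_SOURCE = 5      # per (source, account) pair in the window (assumed)
MAX_FAILURES_PER_ACCOUNT = 50    # across all sources: triggers step-up, not lockout (assumed)

# Constructed credential store; real code stores a slow hash (argon2/bcrypt).
USERS = {"alice": "correct horse battery staple"}


class LoginThrottle:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.by_pair = defaultdict(deque)     # (source, user) -> failure timestamps
        self.by_account = defaultdict(deque)  # user -> failure timestamps

    def _recent(self, dq, now):
        # Drop timestamps outside the sliding window, then report what is left.
        while dq and now - dq[0] > WINDOW_SECONDS:
            dq.popleft()
        return len(dq)

    def attempt(self, source, username, password, step_up_passed=False):
        """Returns 'ok', 'bad_credentials', 'throttled' or 'step_up_required'."""
        now = self.clock()
        pair = self.by_pair[(source, username)]
        if self._recent(pair, now) >= MAX_FAILURES_PER_SOURCE:
            return "throttled"            # only this source is delayed for this account
        acct = self.by_account[username]
        if self._recent(acct, now) >= MAX_FAILURES_PER_ACCOUNT and not step_up_passed:
            return "step_up_required"     # owner proves it is them (e.g. second factor)
        expected = USERS.get(username, "")
        if username in USERS and hmac.compare_digest(expected, password):
            pair.clear()
            return "ok"
        pair.append(now)
        acct.append(now)
        return "bad_credentials"


def simulate():
    """Constructed scenario: one source fails repeatedly; the owner logs in elsewhere."""
    fake_now = [0.0]
    throttle = LoginThrottle(clock=lambda: fake_now[0])
    attacker, owner = "198.51.100.7", "203.0.113.9"   # RFC 5737 documentation addresses
    results = [throttle.attempt(attacker, "alice", "wrong") for _ in range(5)]
    results.append(throttle.attempt(attacker, "alice", USERS["alice"]))  # throttled
    results.append(throttle.attempt(owner, "alice", USERS["alice"]))     # ok
    fake_now[0] += WINDOW_SECONDS + 1
    results.append(throttle.attempt(attacker, "alice", "wrong"))         # window expired
    return results


if __name__ == "__main__":
    print(simulate())
```

The design keeps the victim's cost bounded (at worst a step-up challenge) while the attacker's cost grows with every source they must rotate through; pair it with monitoring on the account-wide counter so a distributed guessing campaign is noticed rather than silently absorbed.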

Did you know that the National Health Service in the UK, the NHS 111 service, was affected by a ransomware attack that caused delays in the ambulance service in 2022?

Thank you for reading!

You can get in touch with me on Twitter @0x21SAFE and follow me on Medium @SAFE😵


Written by SAFE😵

Sharing cyber security knowledge through fictional stories. Security Researcher and Bug Bounty Hunter. Twitter: https://twitter.com/0x21SAFE
