Page 203 - Hands-On Bug Hunting for Penetration Testers
Chapter 12: Other (Out of Scope) Vulnerabilities
DoS/DDoS: The Denial-of-Service Problem
Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) are familiar strains of
cyberattack to anyone who follows security news. Flooding a target with traffic
indistinguishable from a legitimate surge of visitors remains a popular method for either
taking down or crippling a web property, especially when combined with amplification
attacks caused by hijacking other servers, spoofing connected services, or taking advantage
of an internal performance flaw or bottleneck.
In 2018, GitHub was hit by what was then the largest DDoS attack ever recorded (the
record was broken just five days later), peaking at about 1.3 Tbps. One reason the attackers
were able to achieve such high throughput was that they commandeered Memcached servers
left exposed to the internet over UDP with no authentication (Memcached is a general-
purpose distributed memory caching system). The attackers sent each server a small query
with a spoofed source address, so that the request appeared to come from the target; the
server then sent its reply to the target instead of to the attacker. Because a Memcached reply
can be up to roughly 50,000 times the size of the request that triggered it, the target was
battered with data it never asked for. GitHub in particular has been repeatedly targeted,
and this incident was just the latest in a sustained campaign against the site.
If you look at GitHub's bug bounty program, you'll notice they call out DDoS attacks
specifically, stating that they don't allow them:
Don't perform any attack that could harm the reliability/integrity of our services or data.
DDoS/spam attacks are not allowed. (emphasis theirs)
DoS/DDoS attacks often aren't the result of anything the victim did; they didn't miscode
the application or leave some critical network vector open. Defending against DDoS
attacks requires an entire proactive security architecture: redistributing the load across
different networks and throttling or isolating malicious sources of traffic.
The exception is when a DoS/DDoS attack is more effective because it can leverage a security
flaw that exists on the victim's network. If, as a security researcher, you come across, for
example, an unsecured NTP server that could be hijacked to amplify a DDoS attack, you
should certainly report it as a vulnerability, since it could be used to threaten either your
own network or a bystander's.
You should not try to validate any vulnerabilities like this by leveraging
them for increased bot traffic, even if you think it falls below the threshold
of something that could damage the target's infrastructure. The fact that
DDoS prohibitions are so common is a sign of how seriously they're taken
by bounty program operators.
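The safe way to look for the reflection and amplification behaviour described above, both the Memcached case and the open NTP server example, is passively, on traffic you are already allowed to see, rather than by sending amplified traffic at anyone. The following is an added example (not code from the book, from GitHub, or from any bounty program) that scans NetFlow-style flow records for UDP exchanges on well-known reflector ports and reports two situations: a server inside your prefix replying with far more bytes than it received (you are being used as a reflector), and a host inside your prefix receiving large replies it never sent a request for (your address was spoofed, so you are the victim). The `Flow` record layout, the `REFLECTOR_PORTS` table, the `our_prefix` parameter and the sample flows are all assumptions constructed for the example.

```python
"""Spot UDP reflection/amplification in flow records (added, defensive example)."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# UDP services commonly abused as reflectors, keyed by the server port.
# This table is an assumption for the example; extend it for your environment.
REFLECTOR_PORTS = {
    11211: "memcached",
    123: "ntp",
    53: "dns",
    1900: "ssdp",
}


@dataclass(frozen=True)
class Flow:
    """A unidirectional flow record; layout assumed for this example."""
    proto: str      # "udp" or "tcp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    nbytes: int


def pair_flows(flows):
    """Group UDP flows that touch a reflector port by (service, server, client).

    Bytes sent to the service port count as request bytes, bytes sent from the
    service port count as reply bytes, so each key holds one request/reply pair.
    """
    pairs = defaultdict(lambda: {"req": 0, "resp": 0})
    for f in flows:
        if f.proto != "udp":
            continue
        if f.dst_port in REFLECTOR_PORTS:        # client -> server port
            key = (REFLECTOR_PORTS[f.dst_port], f.dst_ip, f.src_ip)
            pairs[key]["req"] += f.nbytes
        elif f.src_port in REFLECTOR_PORTS:      # server port -> client
            key = (REFLECTOR_PORTS[f.src_port], f.src_ip, f.dst_ip)
            pairs[key]["resp"] += f.nbytes
    return pairs


def find_amplification(flows, our_prefix, min_ratio=10.0):
    """Return (role, service, server, client, ratio) for suspicious pairs.

    role is "reflector" when the replying server is in our_prefix, "victim"
    when the client receiving the replies is in our_prefix, else "transit".
    A pair with replies but no observed request gets an infinite ratio: from
    the victim's side a spoofed request is never seen, only the replies.
    """
    net = ip_network(our_prefix)
    findings = []
    for (service, server, client), b in pair_flows(flows).items():
        if b["resp"] == 0:
            continue
        ratio = b["resp"] / b["req"] if b["req"] else float("inf")
        if ratio < min_ratio:
            continue
        if ip_address(server) in net:
            role = "reflector"
        elif ip_address(client) in net:
            role = "victim"
        else:
            role = "transit"
        findings.append((role, service, server, client, ratio))
    return findings


# Constructed sample flows; 10.0.0.0/8 is "our" network, the other addresses
# are RFC 5737 documentation ranges.
SAMPLE_FLOWS = [
    # Ordinary in-house memcached exchange: reply only twice the request size.
    Flow("udp", "10.0.0.5", 50000, "10.0.0.9", 11211, 48),
    Flow("udp", "10.0.0.9", 11211, "10.0.0.5", 50000, 96),
    # Our memcached host answers a 60-byte outside query with 1.5 MB: reflector.
    Flow("udp", "203.0.113.7", 4444, "10.0.0.9", 11211, 60),
    Flow("udp", "10.0.0.9", 11211, "203.0.113.7", 4444, 1_500_000),
    # Large NTP replies land on our web host with no request recorded: victim.
    Flow("udp", "198.51.100.22", 123, "10.0.0.80", 80, 220_000),
]

if __name__ == "__main__":
    for role, service, server, client, ratio in find_amplification(SAMPLE_FLOWS, "10.0.0.0/8"):
        print(f"{role:9} {service:10} server={server} client={client} x{ratio:.0f}")
```

Run against the constructed flows, the ordinary 2x exchange is ignored, the Memcached host is reported as a reflector at 25,000x, and the web host is reported as a victim of unsolicited NTP replies. The threshold of 10x is deliberately conservative; a legitimate DNS answer can be several times its query, but nothing benign approaches the ratios the chapter describes.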