Does it make sense to consider a server software crash, as a DOS attack?












4















I've found a little vulnerability in a website running on a Node.js server.



It works by sending the server some crafted payload, which makes the server code throw an error, and due to lack of error handling - It crashes (until someone runs it again).



I'm not sure what is the appropriate name for this kind of attack.
I assume it's a DOS (Denial Of Service) attack because it makes the server Deny Serving its clients.
On the other hand, Until now, I've only heard of DOS attacks which works by flooding the server in some way (which isn't the case here).



So, is it correct to consider it as a DOS attack?
If the answer is no, so how should it be called?






denial-of-service







share|improve this question







New contributor




Matías is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.





















  • If an application is well-written then it won't have any crash-type DOS bugs and an attacker will have to resort to a full DDOS (which will always work if the attacker has a bigger firehose than the target). However if the target app has an easy-to-trigger crash, then I'm sure any attacker would rather send the single crafted packet and save themselves the $$ of running a DDOS network.

    – Mike Ounsworth
    3 hours ago













  • As long as it prevents users from using the service it is a DOS. I have worked on a website that was DOS attacked by Google and Bing simply because Drupal cannot handle the load (I wanted to say could not but I believe it still can't).

    – slebetman
    36 mins ago
















4















I've found a little vulnerability in a website running on a Node.js server.



It works by sending the server some crafted payload, which makes the server code throw an error, and due to lack of error handling - It crashes (until someone runs it again).



I'm not sure what is the appropriate name for this kind of attack.
I assume it's a DOS (Denial Of Service) attack because it makes the server Deny Serving its clients.
On the other hand, Until now, I've only heard of DOS attacks which works by flooding the server in some way (which isn't the case here).



So, is it correct to consider it as a DOS attack?
If the answer is no, so how should it be called?






denial-of-service







share|improve this question







New contributor




Matías is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.





















  • If an application is well-written then it won't have any crash-type DOS bugs and an attacker will have to resort to a full DDOS (which will always work if the attacker has a bigger firehose than the target). However if the target app has an easy-to-trigger crash, then I'm sure any attacker would rather send the single crafted packet and save themselves the $$ of running a DDOS network.

    – Mike Ounsworth
    3 hours ago













  • As long as it prevents users from using the service it is a DOS. I have worked on a website that was DOS attacked by Google and Bing simply because Drupal cannot handle the load (I wanted to say could not but I believe it still can't).

    – slebetman
    36 mins ago














4












4








4








I've found a little vulnerability in a website running on a Node.js server.



It works by sending the server some crafted payload, which makes the server code throw an error, and due to lack of error handling - It crashes (until someone runs it again).



I'm not sure what is the appropriate name for this kind of attack.
I assume it's a DOS (Denial Of Service) attack because it makes the server Deny Serving its clients.
On the other hand, Until now, I've only heard of DOS attacks which works by flooding the server in some way (which isn't the case here).



So, is it correct to consider it as a DOS attack?
If the answer is no, so how should it be called?






denial-of-service







share|improve this question







New contributor




Matías is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.












I've found a little vulnerability in a website running on a Node.js server.



It works by sending the server some crafted payload, which makes the server code throw an error, and due to lack of error handling - It crashes (until someone runs it again).



I'm not sure what is the appropriate name for this kind of attack.
I assume it's a DOS (Denial Of Service) attack because it makes the server Deny Serving its clients.
On the other hand, Until now, I've only heard of DOS attacks which works by flooding the server in some way (which isn't the case here).



So, is it correct to consider it as a DOS attack?
If the answer is no, so how should it be called?






denial-of-service




denial-of-service






share|improve this question







New contributor




Matías is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











share|improve this question







New contributor




Matías is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









share|improve this question




share|improve this question






New contributor




Matías is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









asked 4 hours ago









MatíasMatías

211




211




New contributor




Matías is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.





New contributor





Matías is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.






Matías is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.













  • If an application is well-written then it won't have any crash-type DOS bugs and an attacker will have to resort to a full DDOS (which will always work if the attacker has a bigger firehose than the target). However if the target app has an easy-to-trigger crash, then I'm sure any attacker would rather send the single crafted packet and save themselves the $$ of running a DDOS network.

    – Mike Ounsworth
    3 hours ago













  • As long as it prevents users from using the service it is a DOS. I have worked on a website that was DOS attacked by Google and Bing simply because Drupal cannot handle the load (I wanted to say could not but I believe it still can't).

    – slebetman
    36 mins ago



















  • If an application is well-written then it won't have any crash-type DOS bugs and an attacker will have to resort to a full DDOS (which will always work if the attacker has a bigger firehose than the target). However if the target app has an easy-to-trigger crash, then I'm sure any attacker would rather send the single crafted packet and save themselves the $$ of running a DDOS network.

    – Mike Ounsworth
    3 hours ago













  • As long as it prevents users from using the service it is a DOS. I have worked on a website that was DOS attacked by Google and Bing simply because Drupal cannot handle the load (I wanted to say could not but I believe it still can't).

    – slebetman
    36 mins ago

















If an application is well-written then it won't have any crash-type DOS bugs and an attacker will have to resort to a full DDOS (which will always work if the attacker has a bigger firehose than the target). However if the target app has an easy-to-trigger crash, then I'm sure any attacker would rather send the single crafted packet and save themselves the $$ of running a DDOS network.

– Mike Ounsworth
3 hours ago







If an application is well-written then it won't have any crash-type DOS bugs and an attacker will have to resort to a full DDOS (which will always work if the attacker has a bigger firehose than the target). However if the target app has an easy-to-trigger crash, then I'm sure any attacker would rather send the single crafted packet and save themselves the $$ of running a DDOS network.

– Mike Ounsworth
3 hours ago















As long as it prevents users from using the service it is a DOS. I have worked on a website that was DOS attacked by Google and Bing simply because Drupal cannot handle the load (I wanted to say could not but I believe it still can't).

– slebetman
36 mins ago





As long as it prevents users from using the service it is a DOS. I have worked on a website that was DOS attacked by Google and Bing simply because Drupal cannot handle the load (I wanted to say could not but I believe it still can't).

– slebetman
36 mins ago










2 Answers
2






active

oldest

votes


















6














Yes. Any attack which has as a goal to deny the normal usage of a service by legitimate users is by definition a DoS (Denial of Service).






share|improve this answer































    2














    DDoS is characterised by floods, creating a DoS. But DoS can be caused by a broad range of triggers.



    CVSS even has an example for you:




    Due to a flaw in the handler function for RPC commands, it is possible
    to manipulate data pointers within the Virtual Machine Executable
    (VMX) process. This vulnerability may allow a user in a Guest Virtual
    Machine to crash the VMX process resulting in a Denial of Service
    (DoS) on the host or potentially execute code on the host.
    [empasis mine]




    So, yes, a simple crash is a DoS.






    share|improve this answer























      Your Answer








      StackExchange.ready(function() {
      var channelOptions = {
      tags: "".split(" "),
      id: "162"
      };
      initTagRenderer("".split(" "), "".split(" "), channelOptions);

      StackExchange.using("externalEditor", function() {
      // Have to fire editor after snippets, if snippets enabled
      if (StackExchange.settings.snippets.snippetsEnabled) {
      StackExchange.using("snippets", function() {
      createEditor();
      });
      }
      else {
      createEditor();
      }
      });

      function createEditor() {
      StackExchange.prepareEditor({
      heartbeatType: 'answer',
      autoActivateHeartbeat: false,
      convertImagesToLinks: false,
      noModals: true,
      showLowRepImageUploadWarning: true,
      reputationToPostImages: null,
      bindNavPrevention: true,
      postfix: "",
      imageUploader: {
      brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
      contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
      allowUrls: true
      },
      noCode: true, onDemand: true,
      discardSelector: ".discard-answer"
      ,immediatelyShowMarkdownHelp:true
      });


      }
      });






      Matías is a new contributor. Be nice, and check out our Code of Conduct.










      draft saved

      draft discarded


















      StackExchange.ready(
      function () {
      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f202481%2fdoes-it-make-sense-to-consider-a-server-software-crash-as-a-dos-attack%23new-answer', 'question_page');
      }
      );

      Post as a guest















      Required, but never shown

























      2 Answers
      2






      active

      oldest

      votes








      2 Answers
      2






      active

      oldest

      votes









      active

      oldest

      votes






      active

      oldest

      votes









      6














      Yes. Any attack which has as a goal to deny the normal usage of a service by legitimate users is by definition a DoS (Denial of Service).






      share|improve this answer




























        6














        Yes. Any attack which has as a goal to deny the normal usage of a service by legitimate users is by definition a DoS (Denial of Service).






        share|improve this answer


























          6












          6








          6







          Yes. Any attack which has as a goal to deny the normal usage of a service by legitimate users is by definition a DoS (Denial of Service).






          share|improve this answer













          Yes. Any attack which has as a goal to deny the normal usage of a service by legitimate users is by definition a DoS (Denial of Service).







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered 4 hours ago









          DarkMatterDarkMatter

          90711




          90711

























              2














              DDoS is characterised by floods, creating a DoS. But DoS can be caused by a broad range of triggers.



              CVSS even has an example for you:




              Due to a flaw in the handler function for RPC commands, it is possible
              to manipulate data pointers within the Virtual Machine Executable
              (VMX) process. This vulnerability may allow a user in a Guest Virtual
              Machine to crash the VMX process resulting in a Denial of Service
              (DoS) on the host or potentially execute code on the host.
              [empasis mine]




              So, yes, a simple crash is a DoS.






              share|improve this answer




























                2














                DDoS is characterised by floods, creating a DoS. But DoS can be caused by a broad range of triggers.



                CVSS even has an example for you:




                Due to a flaw in the handler function for RPC commands, it is possible
                to manipulate data pointers within the Virtual Machine Executable
                (VMX) process. This vulnerability may allow a user in a Guest Virtual
                Machine to crash the VMX process resulting in a Denial of Service
                (DoS) on the host or potentially execute code on the host.
                [empasis mine]




                So, yes, a simple crash is a DoS.






                share|improve this answer


























                  2












                  2








                  2







                  DDoS is characterised by floods, creating a DoS. But DoS can be caused by a broad range of triggers.



                  CVSS even has an example for you:




                  Due to a flaw in the handler function for RPC commands, it is possible
                  to manipulate data pointers within the Virtual Machine Executable
                  (VMX) process. This vulnerability may allow a user in a Guest Virtual
                  Machine to crash the VMX process resulting in a Denial of Service
                  (DoS) on the host or potentially execute code on the host.
                  [empasis mine]




                  So, yes, a simple crash is a DoS.






                  share|improve this answer













                  DDoS is characterised by floods, creating a DoS. But DoS can be caused by a broad range of triggers.



                  CVSS even has an example for you:




                  Due to a flaw in the handler function for RPC commands, it is possible
                  to manipulate data pointers within the Virtual Machine Executable
                  (VMX) process. This vulnerability may allow a user in a Guest Virtual
                  Machine to crash the VMX process resulting in a Denial of Service
                  (DoS) on the host or potentially execute code on the host.
                  [empasis mine]




                  So, yes, a simple crash is a DoS.







                  share|improve this answer












                  share|improve this answer



                  share|improve this answer










                  answered 4 hours ago









                  schroederschroeder

                  74.5k29163198




                  74.5k29163198






















                      Matías is a new contributor. Be nice, and check out our Code of Conduct.










                      draft saved

                      draft discarded


















                      Matías is a new contributor. Be nice, and check out our Code of Conduct.













                      Matías is a new contributor. Be nice, and check out our Code of Conduct.












                      Matías is a new contributor. Be nice, and check out our Code of Conduct.
















                      Thanks for contributing an answer to Information Security Stack Exchange!


                      • Please be sure to answer the question. Provide details and share your research!

                      But avoid



                      • Asking for help, clarification, or responding to other answers.

                      • Making statements based on opinion; back them up with references or personal experience.


                      To learn more, see our tips on writing great answers.




                      draft saved


                      draft discarded














                      StackExchange.ready(
                      function () {
                      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f202481%2fdoes-it-make-sense-to-consider-a-server-software-crash-as-a-dos-attack%23new-answer', 'question_page');
                      }
                      );

                      Post as a guest















                      Required, but never shown





















































                      Required, but never shown














                      Required, but never shown












                      Required, but never shown







                      Required, but never shown

































                      Required, but never shown














                      Required, but never shown












                      Required, but never shown







                      Required, but never shown







                      -

                      Popular posts from this blog

                      Olav Thon

                      Image
                      Olav Thon Fødd 29. juni 1923 Ål Yrke forretningsdrivande Olav Thon på Commons Olav Thon (fødd 29. juni 1923) er ein norsk, stort sett sjølvlært forretningsmann, fødd i Ål i Hallingdal, som har gjort store pengar på særleg kjøp, bygging og utvikling av fast eigedom, mellom anna kjøpesentre, hotell og restaurantar, i både Noreg og somme andre land. Han vart Ridder av 1. klasse av St. Olavs Orden i 2003, og er som ivrig friluftsmann æresmedlem i Den Norske Turistforening etter å ha ytt store økonomiske bidrag til foreininga sine hytter og ruter i fjellet. Han er kjend for alltid å gå med ei karakteristisk strikkelue. Olav Thon i samtale med Trond Helleland på sentralbanksjefens årstale i februar 2016 I ung alder reiste Olav Thon til Newcastle for å lære seg engelsk, og han var seinare ei tid i Sveits, der han gjorde forretningar i import og eksport. Deretter tok han til å kjøpe faste eigedomar i Noreg med stor økonomisk suksess, verksemda voks snøgt og v
                      Read more

                      Waikiki

                      Image
                      Denne artikkelen kan ha godt av ein språkvask , som reinskar opp målføringa og/eller innfører same språkstilen overalt. Denne artikkelen kan ha godt av ei opprydding for å nå ein høgare standard og/eller for å verta i tråd med standardoppsettet. Sjå korleis du redigerer ei side og stilmanualen for hjelp. Waikiki Land   USA Stat Hawaii Stad Honolulu Wikimedia Commons: Waikiki Utsyn over Waikiki Waikīkī er ein bydel i Honolulu, sør på øya Oahu, som er ei av Hawaii-øyane. Waikīkīstranda er ein av dei meste berømte strendene i verda. Waikīkī strekkjer seg langs stillehavskysten og har ei rekkje velrenommerte hotell. Bydelen er Hawaii-turismens høyborg. På Waikīkī Beach står ei statue av den lokale sportsstjerna Duka Kahanamoku. Kjelder | Denne artikkelen bygger på «Waikiki» frå Wikipedia på bokmål, den 4. november 2018. Denne artikkelen manglar kjelder eller referansar . Hjelp Wikipedia med å finna truverdige kjelder
                      Read more

                      Hudsonelva

                      Image
                      Hudson elv Land   USA Område New York Sideelvar Mohawk Lengd 507 km Middelvassføring 606 m³/s Munning Upper New York Bay i Atlanterhavet Elvene Hudson og Mohawk med nedbørsområdet markert med gult. Wikimedia Commons: Hudson River Hudsonelva ( Hudson River ) mohikansk Muh-he-kun-ne-tuk ) er ei elv i USA. Ho renn hovudsakleg gjennom delstaten New York, men markerer også ein del av grensa mellom New York og New Jersey. Hudsonelva har namn etter Henry Hudson, ein engelskmann som utforska elva i 1609. Hudsonelva sett frå Bear Mountain Bridge. Kjelda til elva er Tear-of-the-Clouds-sjøen i Adirondackfjella. Ved Albany renn Mohawk-elva saman med henne, og deretter renn ho nesten rett sørover til ho munnar ut i Atlanterhavet mellom Manhattan i New York og New Jersey. Eriekanalen, som blei opna den 26 oktober 1825, bind saman Hudsonelva og Eriesjøen, slik at byane ved Dei store sjøane fekk vasstilgang til A
                      Read more