10 posts tagged “denial-of-service”
2025
Cloudflare Project Galileo. I only just heard about this Cloudflare initiative, though it's been around for more than a decade:
If you are an organization working in human rights, civil society, journalism, or democracy, you can apply for Project Galileo to get free cyber security protection from Cloudflare.
It's effectively free denial-of-service protection for vulnerable targets in the civil rights public interest groups.
Last week they published Celebrating 11 years of Project Galileo’s global impact with some noteworthy numbers:
Journalists and news organizations experienced the highest volume of attacks, with over 97 billion requests blocked as potential threats across 315 different organizations. [...]
Cloudflare onboarded the Belarusian Investigative Center, an independent journalism organization, on September 27, 2024, while it was already under attack. A major application-layer DDoS attack followed on September 28, generating over 28 billion requests in a single day.
2024
A warning about tiktoken, BPE, and OpenAI models.
Tom MacWright warns that OpenAI's tiktoken Python library has a surprising performance profile: it's superlinear with the length of input, meaning someone could potentially denial-of-service you by sending you a 100,000 character string if you're passing that directly to tiktoken.encode().
There's an open issue about this (now over a year old), so for safety today it's best to truncate on characters before attempting to count or truncate using tiktoken.
2018
2017
The Mirai Botnet Was Part of a College Student Minecraft Scheme. Fascinating story about last year’s Mirai botnet, which was originally developed to help corner the Minecraft server market.
2009
Django security updates released. A potential denial of service vulnerability has been discovered in the regular expressions used by Django form library’s EmailField and URLField—a malicious input could trigger a pathological performance. Patches (and patched releases) for Django 1.1 and Django 1.0 have been published.
2008
DoS vulnerability in REXML. Ruby’s REXML library is susceptible to the “billion laughs” denial of service attack where recursively nested entities expand a single entitity reference to a billion characters (kind of like the exploding zip file attack). Rails applications that process user-supplied XML should apply the monkey-patch ASAP; a proper gem update is forthcoming.
2007
Django security fix released. Django’s internationalisation system has a denial of service hole in it; you’re vulnerable if you are using the i18n middleware. Fixes have been made available for trunk, 0.96, 0.95 and 0.91.
2004
Defending web applications against dictionary attacks
Over at Reflective Surface, Ronaldo M. Ferraz discusses the usability of an authentication system that locks down an account for a certain period of time after three failed login attempts. Ronaldo sees this as a trade off between usability and security, but I see it more as an added security issue in that it allows malicious third parties to lock other user’s accounts armed only with their username.
[... 398 words]2003
Contribute hammering FTP servers?
We’re having a problem at work with Macromedia Contribute. We host sites for a number of local companies, and one of them wants to use Contribute to update its site. The problem is that whenever Contribute tries to connect to our FTP server, it opens up 30 simultaneous connections, effectively running a denial of service that prevents other clients from logging in during peak times. I’ve searched the ’net and haven’t found any references to this problem; does anyone know anything about the issue? We’re running ProFTPD 1.2.9 and the client is using Macromedia Contribute 2.
Fighting Filters and DDoS
Paul Graham’s essays on fighting spam are generally excellent; it was Paul who sparked the recent flurry of activity surrounding Bayesian statistical filters and inspired the creation of some of the best tools for fighting spam yet. Paul’s latest suggestion, Filters that fight back, seems to me to miss the mark in a big way. Paul suggests email servers should “follow” links in any email received. This would turn the tables on spam, as suddenly sending out a million spams would result in a million useless hits to the site being promoted, quickly brining it to its knees. It’s a great concept, until some malicious script kiddie realises that they’ve been handed a tool to run massive distributed denial-of-service attacks on any domain they care to target. Not to mention that such a feature would make many legitimate mass email tools prohibitively expensive to run.
[... 190 words]