HTTP Time Bandit: Identifying and Exploiting Web Application Performance Bottlenecks

Offered By: OWASP Foundation via YouTube

Course Description

Overview

Explore a comprehensive analysis of web application performance bottlenecks and potential vulnerabilities in this OWASP Foundation conference talk. Learn about a tool designed to identify resource-consuming pages through systematic testing and data normalization. Discover how this information can be leveraged for more efficient DOS/DDOS attacks using simple tools. Gain insights into the proposed method for detecting critical resources, statistical data normalization techniques, and the attack-like stage of testing. Examine the impact of commercial protection services and Apache configurations on server performance. Witness live demonstrations of the tool in action on various targets and learn about its availability for further research.

Syllabus

Intro
Classic Application Layer DOS/DDOS
The Proposed Method
  Method of detection of the critical resource:
  • Spider over the web site and collect transfer times for each resource
  • Calculate the average speed and distribution of transfers
  • Identify the resources that have slower average transfer times
Using Statistics to Normalize the Data
Attack-Like Stage of Testing
  Measurement of service degradation while doing a hard test to narrow down the choice of links
Commercial Protection Services
  • Few players using limiters for
Playing with Apache Configs
  Baseline, no protection:
  • 1 client running 10x parallel requests of the most expensive resource
  • 3% CPU on the client machine
  • Server: i7, 4 core, 8 GB
  • 98% CPU utilization on the server
mod_qos
  Implements control mechanisms to provide different priority to requests and control server access based on available resources
Conflicts with Slow* Attack Protection
  • Slow* attack mitigation is an addition
  • mod_evasive could not protect from these
  • There is no conflict (good news)


Taught by

OWASP Foundation
