03 Apr, 2023

Denial of service (DoS) via websockets

Denial of Service (DoS) via WebSockets refers to a type of cyber attack that exploits vulnerabilities in the WebSocket protocol to flood a server or network with traffic, overwhelming its resources and making it unavailable to users. WebSocket is a communication protocol used by web applications to enable real-time data exchange between a client and a server. In a DoS attack via WebSockets, an attacker can send a large number of requests to a server through a WebSocket connection, causing the server to crash or become unavailable. This can result in disruption of services and loss of revenue for the affected organization.

Vulnerability Assessment as a Service (VAaaS)

Tests systems and applications for vulnerabilities to address weaknesses.

Example of vulnerable code on different programming languages:


in JavaScript:

				
					const socket = new WebSocket('wss://example.com');
socket.addEventListener('open', event => {
  while (true) {
    socket.send('DoS attack via WebSockets');
  }
});

				
			

 

In this example, the client opens a WebSocket connection to wss://example.com, and upon connection, it sends an infinite number of requests to the server, which could result in a DoS attack.

• in Python:

				
					import asyncio
import websockets

async def dos_attack(websocket, path):
    while True:
        await websocket.send('DoS attack via WebSockets')

start_server = websockets.serve(dos_attack, 'localhost', 8765)
asyncio.get_event_loop().run_until_complete(start_server)
asyncio.get_event_loop().run_forever()

				
			

 

In this example, the server listens on port 8765 and upon connection, sends an infinite number of responses to the client, which could lead to a DoS attack.

• in Java:

				
					import java.net.URI;
import java.net.URISyntaxException;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
import org.java_websocket.client.WebSocketClient;
import org.java_websocket.handshake.ServerHandshake;

public class DosAttack extends WebSocketClient {

    public DosAttack(URI serverUri) {
        super(serverUri);
    }

    @Override
    public void onOpen(ServerHandshake handshakedata) {
        ScheduledExecutorService executorService = Executors.newSingleThreadScheduledExecutor();
        executorService.scheduleAtFixedRate(() -> send("DoS attack via WebSockets"), 0, 1, TimeUnit.MILLISECONDS);
    }

    @Override
    public void onMessage(String message) {
        System.out.println("Received message: " + message);
    }

    @Override
    public void onClose(int code, String reason, boolean remote) {
        System.out.println("Connection closed");
    }

    @Override
    public void onError(Exception ex) {
        System.out.println("Error occurred: " + ex.getMessage());
    }

    public static void main(String[] args) throws URISyntaxException {
        DosAttack client = new DosAttack(new URI("wss://example.com"));
        client.connect();
    }
}

				
			

 

In this example, the client opens a WebSocket connection to wss://example.com, and upon connection, it sends an infinite number of requests to the server, which could lead to a DoS attack.

Examples of exploitation Denial of service (DoS) via websockets

WebSocket Flood:

This is a simple attack that involves flooding a WebSocket server with a large number of connection requests. This can overload the server, causing it to crash or become unresponsive.

WebSocket Ping Pong:

This attack involves sending a large number of ping requests to a WebSocket server without waiting for the corresponding pong response. This can cause the server to become overloaded and unresponsive.

WebSocket Slowloris:

This attack involves sending a large number of incomplete HTTP requests to a WebSocket server. The server will wait for the request to complete before processing it, and if enough requests are sent, the server can become overloaded and unresponsive.

WebSocket SYN Flood:

This is a more sophisticated attack that involves exploiting the three-way handshake process used by WebSockets. The attacker sends a large number of SYN requests to the server, but never completes the handshake by sending the third ACK packet. This causes the server to wait for the ACK packet, eventually leading to a DoS.

WebSocket Fragmentation:

This attack involves sending fragmented WebSocket frames to the server. These frames are designed to be difficult to reassemble, and can cause the server to become overloaded and unresponsive.

Privilege escalation techniques for Denial of service (DoS) via websockets

Exploiting vulnerabilities in the websocket server software:

If the websocket server software is not properly patched or configured, attackers may be able to exploit vulnerabilities to gain elevated privileges. Once they have elevated privileges, they can launch a DoS attack against the server.

Compromising other systems on the network:

Attackers may attempt to compromise other systems on the network in order to gain access to the websocket server. Once they have access, they can use it to launch a DoS attack against the server.

Stealing credentials:

If the websocket server uses weak or easily guessable passwords, attackers may be able to steal them and use them to gain elevated privileges. This can allow them to launch a DoS attack against the server.

Social engineering:

Attackers may attempt to trick an authorized user of the websocket server into giving them access to the server. For example, they may send a phishing email that looks like it came from the server administrator and request the user’s login credentials. Once they have access, they can use it to launch a DoS attack against the server.

General methodology and checklist for Denial of service (DoS) via websockets

Methodology:

  1. Reconnaissance: Attackers will start by identifying the target application or service that uses websockets. They may use tools like Shodan or Nmap to scan for vulnerable websockets servers.

  2. Fingerprinting: Once the attackers have identified a target, they will attempt to determine the type and version of the websocket server software that is being used. This will help them to identify vulnerabilities that can be exploited.

  3. Exploitation: Attackers will attempt to exploit vulnerabilities in the websocket server software in order to gain elevated privileges or to overload the server. This can involve techniques like buffer overflows, SQL injection, or cross-site scripting (XSS).

  4. DoS attack: Once the attackers have gained access to the websocket server, they will launch a DoS attack. This can involve flooding the server with a large number of connection requests, sending large payloads, or exploiting the websocket protocol itself.

  5. Covering tracks: To avoid detection, attackers may attempt to cover their tracks by deleting logs or obscuring their IP address.

Checklist:

  1. Ensure that only authorized users can access the websocket server and that users are authenticated and authorized before being granted access.

  2. Regularly monitor network traffic for signs of suspicious activity, including large numbers of connection requests or unusually large payloads.

  3. Implement rate limiting to limit the number of connection requests that can be made to the websocket server in a given period of time.

  4. Limit the number of active sessions that can be established with the websocket server to prevent overload.

  5. Implement limits on the size of payloads that can be sent to the websocket server to prevent overload.

  6. Use firewalls, load balancers, and intrusion detection systems (IDS) to detect and prevent attacks.

  7. Keep websocket server software up to date with the latest security patches and updates.

  8. Train employees on the risks of DoS attacks via websockets and how to identify and report suspicious activity.

  9. Develop an incident response plan that outlines the steps to take in the event of a DoS attack via websockets.

Tools set for exploiting Denial of service (DoS) via websockets

Automated Tools:

  • SlowLoris: is a tool that can be used to launch a DoS attack against websockets servers. It works by opening multiple connections to the server and sending incomplete requests, which can tie up server resources and make the server unresponsive.

  • OWASP DOS HTTP POST Tool: this is an open-source tool developed by OWASP that can be used to launch DoS attacks against websockets servers. It sends a large number of POST requests to the server, which can cause the server to become unresponsive.

  • Xenotix WebSocket Exploit Framework: this is an exploit framework that can be used to test for DoS vulnerabilities in websockets servers. It includes a variety of modules and payloads that can be used to launch different types of attacks.

  • HULK: (HTTP Unbearable Load King) is a tool that can be used to launch DoS attacks against websockets servers. It works by sending a large number of GET requests to the server, which can cause the server to become overloaded and unresponsive.

  • ZMap: is a network scanner that can be used to identify websockets servers and test for DoS vulnerabilities. It can scan large networks quickly and efficiently.

Manual Tools:

  • Telnet: is a simple command-line tool that can be used to test websockets servers for DoS vulnerabilities. It can be used to open connections to the server and send messages manually.

  • nc (Netcat): is a versatile networking tool that can be used for testing websockets servers. It can be used to send messages to the server manually or to automate the process with scripts.

  • Wireshark: is a popular network protocol analyzer that can be used to analyze websockets traffic and identify potential DoS vulnerabilities.

  • Burp Suite: is a web application security testing tool that can be used to test for DoS vulnerabilities in websockets servers. It includes a variety of features and plugins that can be used to launch different types of attacks.

  • Fiddler: is a web debugging proxy that can be used to analyze websockets traffic and identify potential DoS vulnerabilities. It can be used to intercept and modify traffic between the client and server.

Browser Plugins:

  • WebSocket Monitor: is a browser plugin for Firefox that can be used to monitor websockets traffic and identify potential DoS vulnerabilities.

  • WebSocket Sniffer: is a browser plugin for Chrome that can be used to monitor websockets traffic and identify potential DoS vulnerabilities.

  • Packet Capture: is a browser plugin for Android that can be used to capture websockets traffic and analyze it for potential DoS vulnerabilities.

Average CVSS score of stack Denial of service (DoS) via websockets

The Common Vulnerability Scoring System (CVSS) is a framework used to score the severity of security vulnerabilities. The score ranges from 0 to 10, with 10 being the most severe.

The average CVSS score for Denial of Service (DoS) attacks via websockets can vary depending on the specific vulnerability and the impact it has on the target system. However, in general, DoS attacks via websockets tend to have a high severity score due to the potential impact of a successful attack.

Some factors that can impact the CVSS score for a DoS vulnerability include the ease of exploitation, the availability of mitigation measures, the impact on system availability and data integrity, and the potential for attackers to launch large-scale attacks.

It is important to note that CVSS scores are just one factor to consider when assessing the severity of a vulnerability, and it is essential to take into account the specific context and potential impact on the target system.

The Common Weakness Enumeration (CWE)

• CWE-400: Uncontrolled Resource Consumption (‘Resource Exhaustion’) – Attackers can exhaust server resources by sending a large number of requests that require significant server-side processing or memory allocation.

• CWE-614: Sensitive Information in Websocket Traffic – Attackers can monitor websocket traffic and obtain sensitive information, such as authentication tokens or session cookies, that can be used to launch further attacks.

• CWE-434: Unrestricted Upload of File with Dangerous Type – Attackers can upload malicious files via websockets, which can consume server resources and cause a DoS.

• CWE-319: Cleartext Transmission of Sensitive Information – Attackers can intercept and read sensitive data transmitted over websockets, such as login credentials or personally identifiable information (PII).

• CWE-601: URL Redirection to Untrusted Site (‘Open Redirect’) – Attackers can exploit open redirects to send users to malicious sites or to overwhelm the server with redirect requests.

• CWE-330: Use of Insufficiently Random Values – Weak random number generation can be exploited to create a flood of websocket connections or requests that can overwhelm the server.

• CWE-494: Download of Code Without Integrity Check – Attackers can download and execute malicious code via websockets, which can cause a DoS or other types of attacks.

• CWE-732: Insecure Permission Assignment for Critical Resource – Insufficient permissions on server resources, such as files or directories, can be exploited to cause a DoS or other types of attacks.

• CWE-756: Missing Custom Error Page – Attackers can exploit the lack of custom error pages to cause a DoS or to obtain sensitive information about the server or application.

• CWE-754: Improper Check for Unusual or Exceptional Conditions – Failure to check for unusual or exceptional conditions can be exploited to cause a DoS or to obtain sensitive information about the server or application.

CVES related to Denial of service (DoS) via websockets

• CVE-2018-5504 – In some circumstances, the Traffic Management Microkernel (TMM) does not properly handle certain malformed Websockets requests/responses, which allows remote attackers to cause a denial-of-service (DoS) or possible remote code execution on the F5 BIG-IP system running versions 13.0.0 – 13.1.0.3 or 12.1.0 – 12.1.3.1.

Denial of service (DoS) via websockets exploits

  • Flood attacks – Attackers can flood a target websocket server with a large number of requests or connections, which can cause the server to crash or become unresponsive.

  • Connection exhaustion attacks – Attackers can exploit a vulnerability in the websocket server or client to create a large number of connections that consume server resources and cause a DoS.

  • Message size attacks – Attackers can send oversized or malformed messages via websockets, which can consume server resources and cause a DoS.

  • Ping/pong attacks – Attackers can use the ping/pong feature of websockets to flood a target server with ping requests, which can consume server resources and cause a DoS.

  • Websocket handshake attacks – Attackers can exploit vulnerabilities in the websocket handshake process to send a large number of handshake requests that consume server resources and cause a DoS.

  • Message fragmentation attacks – Attackers can send a large number of fragmented messages via websockets, which can consume server resources and cause a DoS.

  • Slowloris attacks – Attackers can use the slowloris technique to send a large number of low-rate requests to a target websocket server, which can consume server resources and cause a DoS.

  • Cross-site WebSocket hijacking attacks – Attackers can use cross-site scripting (XSS) or other techniques to hijack a user’s websocket connection and use it to launch a DoS attack against the target server.

  • WebSocket compression attacks – Attackers can exploit vulnerabilities in the websocket compression algorithm to send compressed messages that consume server resources and cause a DoS.

  • Websocket protocol version attacks – Attackers can exploit vulnerabilities in the websocket protocol version negotiation process to force a target server to consume resources or crash.

Practicing in test for Denial of service (DoS) via websockets

Create a test environment – Set up a test environment with a websocket server and client to simulate different DoS attack scenarios. This will allow you to practice testing in a safe and controlled environment.

Use automated testing tools – Use automated testing tools like DDoS attack simulators or websocket testing frameworks to simulate and detect DoS attacks.

Perform load testing – Use load testing tools to simulate a large number of websocket connections and messages to test the server’s performance and identify any potential bottlenecks or vulnerabilities.

Test for input validation – Test the websocket server for input validation to ensure that it can handle malformed or malicious messages without crashing or becoming unresponsive.

Test for rate limiting – Test the websocket server for rate limiting capabilities to prevent flood attacks and limit the impact of a DoS attack.

Test for websocket compression – Test the websocket server for compression vulnerabilities and ensure that it can handle compressed messages without consuming too many server resources.

Test for resource exhaustion – Test the websocket server for resource exhaustion vulnerabilities, such as connection or memory exhaustion, and ensure that it can handle large numbers of connections or messages without crashing.

Use browser plugins – Use browser plugins like Chrome DevTools or Firefox Developer Tools to inspect and analyze websocket traffic in real-time to detect any abnormalities or DoS attacks.

Collaborate with a security team – Collaborate with a security team to perform penetration testing and vulnerability assessments on the websocket server to identify any potential weaknesses or vulnerabilities.

Stay updated – Stay updated with the latest security vulnerabilities and patches related to websockets and regularly perform security testing to ensure that the websocket server is secure and resistant to DoS attacks.

For study Denial of service (DoS) via websockets

OWASP WebSockets Security Project – This project provides a comprehensive guide to secure websockets and includes information on common attacks and countermeasures.

RFC 6455 – The WebSocket Protocol – This is the official specification for the WebSocket protocol, which provides an in-depth understanding of the protocol’s design and operation.

Websocket Security Checklist – This is a comprehensive checklist for securing websockets that includes steps for securing the server, client, and network.

Practical WebSocket Security by Raj Singh – This book provides practical guidance on securing websockets, including examples of real-world attacks and how to defend against them.

WebSocket Testing – This guide provides an overview of testing websockets, including different types of tests and tools for testing websockets.

Denial of Service (DoS) Attacks – This resource provides an overview of Denial of Service (DoS) attacks, including the different types of attacks and how to defend against them.

WebSockets: From Zero to Hero – This video series provides an in-depth tutorial on websockets, including how to build a websocket server and client and how to test them for security vulnerabilities.

Burp Suite – This is a popular web application testing tool that includes support for testing websockets and identifying security vulnerabilities.

Wireshark – This is a network protocol analyzer that can be used to capture and analyze websocket traffic to identify potential security issues.

Security conferences – Attending security conferences like Black Hat, DEF CON, or OWASP AppSec can provide valuable insights and knowledge about Denial of Service (DoS) attacks via websockets and other security topics.

Books with review of Denial of service (DoS) via websockets

“Practical WebSocket Security” by Raj Singh – This book provides practical guidance on securing websockets, including examples of real-world attacks and how to defend against them.

“Securing Websockets” by Eiji Kitamura – This book provides an overview of websockets and their security implications, including common attacks and countermeasures.

“The Web Application Hacker’s Handbook” by Dafydd Stuttard and Marcus Pinto – This book includes a chapter on websockets and how they can be used in attacks, as well as countermeasures to mitigate these attacks.

“Mastering Websocket” by Andrew Lombardi – This book provides an in-depth tutorial on websockets, including how to build a websocket server and client, as well as security best practices.

“WebSockets: From Zero to Hero” by Samer Buna – This book provides a comprehensive guide to websockets, including how to build and secure websocket applications.

“WebSockets for Real-Time Web Applications” by Stephen Blum – This book provides an introduction to websockets and their use in real-time web applications, as well as security best practices.

“WebSocket Essentials” by Varun Chopra and Arvind Ravulavaru – This book provides an introduction to websockets and their use in real-time applications, including security considerations and best practices.

“Black Hat Python: Python Programming for Hackers and Pentesters” by Justin Seitz – This book includes a chapter on websockets and how they can be used in attacks, as well as defensive techniques to protect against these attacks.

“Node.js 8 the Right Way: Practical, Server-Side JavaScript That Scales” by Jim R. Wilson – This book includes a chapter on websockets and how to build scalable, secure websocket applications.

“Hands-On Cybersecurity with Blockchain” by Rajneesh Gupta – This book includes a chapter on websockets and their security implications, including common attacks and countermeasures.

List of payloads Denial of service (DoS) via websockets

  • Large packets: The attacker can send a large packet or a series of large packets to the target server. This can cause the server to become overwhelmed and crash.

  • Invalid payloads: The attacker can send invalid payloads or malformed data to the server. This can cause the server to crash or become unresponsive.

  • Flood attacks: The attacker can send a large number of requests to the server, overwhelming it with traffic and causing it to crash or become unresponsive.

  • Ping-pong attacks: The attacker can send a continuous stream of ping messages to the server, causing it to allocate resources to processing these messages and eventually crashing.

  • Slowloris attacks: The attacker can send a large number of incomplete requests to the server, tying up resources and causing the server to become unresponsive.

How to be protected from Denial of service (DoS) via websockets

  1. Implement rate limiting: Limit the number of requests that can be made to the websocket server from a single IP address over a specific time period.

  2. Use a web application firewall (WAF): A WAF can help protect your websocket server from known attacks by inspecting incoming requests and blocking those that match known attack patterns.

  3. Monitor your websocket traffic: Monitor your websocket traffic to detect any unusual or suspicious activity that could indicate an attack.

  4. Regularly update your software and infrastructure: Make sure to keep your software and infrastructure up to date with the latest security patches and updates to prevent known vulnerabilities from being exploited.

  5. Implement authentication and authorization: Require users to authenticate and authorize themselves before being allowed to connect to the websocket server.

  6. Use secure coding practices: Implement secure coding practices to prevent vulnerabilities in your websocket application code.

  7. Implement encryption: Use encryption to protect the confidentiality and integrity of your websocket traffic, so attackers can’t eavesdrop on or modify your traffic.

  8. Limit the number of connections: Limit the number of connections allowed to the websocket server to prevent resource exhaustion attacks.

Conclusion

Denial of Service (DoS) attacks via websockets can be a serious threat to the security and availability of web applications that use them. Websockets provide a full-duplex communication channel between the client and server, which can be exploited to overwhelm the server with excessive traffic, causing it to become unresponsive or crash.

To prevent these attacks, it is important to follow best practices for securing websockets, including implementing rate limiting, using a web application firewall (WAF), monitoring websocket traffic, regularly updating software and infrastructure, implementing authentication and authorization, using secure coding practices, implementing encryption, and limiting the number of connections.

Other Services

Ready to secure?

Let's get in touch