Simon Willison's Weblog: denial-of-service

Cloudflare Project Galileo

2025-06-16T19:13:48+00:00

I only just heard about this Cloudflare initiative, though it's been around for more than a decade:

If you are an organization working in human rights, civil society, journalism, or democracy, you can apply for Project Galileo to get free cyber security protection from Cloudflare.

It's effectively free denial-of-service protection for vulnerable targets in the civil rights public interest groups.

Last week they published Celebrating 11 years of Project Galileo’s global impact with some noteworthy numbers:

Journalists and news organizations experienced the highest volume of attacks, with over 97 billion requests blocked as potential threats across 315 different organizations. [...]

Cloudflare onboarded the Belarusian Investigative Center, an independent journalism organization, on September 27, 2024, while it was already under attack. A major application-layer DDoS attack followed on September 28, generating over 28 billion requests in a single day.

Tags: denial-of-service, journalism, security, cloudflare

A warning about tiktoken, BPE, and OpenAI models

2024-11-21T06:13:51+00:00

A warning about tiktoken, BPE, and OpenAI models

Tom MacWright warns that OpenAI's tiktoken Python library has a surprising performance profile: it's superlinear with the length of input, meaning someone could potentially denial-of-service you by sending you a 100,000 character string if you're passing that directly to tiktoken.encode().

There's an open issue about this (now over a year old), so for safety today it's best to truncate on characters before attempting to count or truncate using tiktoken.

Tags: denial-of-service, python, security, tom-macwright, openai

Application-Layer DDoS Attack Protection with HAProxy

2018-11-09T18:29:53+00:00

Application-Layer DDoS Attack Protection with HAProxy

Thorough.

Via Hacker News

Tags: denial-of-service, haproxy

The Mirai Botnet Was Part of a College Student Minecraft Scheme

2017-12-15T03:18:52+00:00

The Mirai Botnet Was Part of a College Student Minecraft Scheme

Fascinating story about last year’s Mirai botnet, which was originally developed to help corner the Minecraft server market.

Tags: denial-of-service, security, minecraft

Django security updates released

2009-10-10T00:24:59+00:00

Django security updates released

A potential denial of service vulnerability has been discovered in the regular expressions used by Django form library’s EmailField and URLField—a malicious input could trigger a pathological performance. Patches (and patched releases) for Django 1.1 and Django 1.0 have been published.

Tags: denial-of-service, django, python, regular-expressions, security

DoS vulnerability in REXML

2008-08-23T11:11:13+00:00

DoS vulnerability in REXML

Ruby’s REXML library is susceptible to the “billion laughs” denial of service attack where recursively nested entities expand a single entitity reference to a billion characters (kind of like the exploding zip file attack). Rails applications that process user-supplied XML should apply the monkey-patch ASAP; a proper gem update is forthcoming.

Tags: billionlaughs, denial-of-service, rails, rexml, ruby, security, xml

Django security fix released

2007-10-26T21:47:44+00:00

Django security fix released

Django’s internationalisation system has a denial of service hole in it; you’re vulnerable if you are using the i18n middleware. Fixes have been made available for trunk, 0.96, 0.95 and 0.91.

Tags: denial-of-service, django, i18n, python, security, vulnerability

Defending web applications against dictionary attacks

2004-01-22T01:02:07+00:00

Over at Reflective Surface, Ronaldo M. Ferraz discusses the usability of an authentication system that locks down an account for a certain period of time after three failed login attempts. Ronaldo sees this as a trade off between usability and security, but I see it more as an added security issue in that it allows malicious third parties to lock other user's accounts armed only with their username.

The problem then is how best to defend web applications against brute force password guessing attacks without enabling denial of service attacks at the same time. The largest risk is from automated scripts that try every possible password until they get in. Identifying these attacks should be trivial - a real user could potentially fail a dozen or so times, but would be unlikely to try hundreds of combinations in quick succession. Assuming a malicious cracking attempt has been identified, what steps should a system take to foil the attack while still allowing the real user to access the site?

I can think of a few options, none of which seem like the ideal solution:

Ban login requests from the attacker's IP address. This introduces the usual problems with IP banning, namely the risk of banning a whole bunch of people indiscriminately but leaving the attacker free to skip the ban using open web proxies.
Lock the user's account and email them a warning of the attack and a special key needed to unlock the account again. This relies on the user having access to their email account when they next have a need to access the system. It also assumes that the user's email account is secure, but since both the user's password and the secret unlocking key will be required to access the system email security is of less importance (the user's password is not sent with the unlock key).
Send an automated alert to a system administrator so they can analyze the situation in real time and take any necessary action. This relies on administrators being available 24/7 - hardly a safe assumption for most systems.
After a certain number of failed attempts, challenge the user to "prove their humanity" with one of those obscured-text-as-image things. This comes with accessibility issues which have as yet been unresolved.

If anyone has any better solutions, please leave a comment.

Tags: denial-of-service, security

Contribute hammering FTP servers?

2003-11-17T23:34:25+00:00

We're having a problem at work with Macromedia Contribute. We host sites for a number of local companies, and one of them wants to use Contribute to update its site. The problem is that whenever Contribute tries to connect to our FTP server, it opens up 30 simultaneous connections, effectively running a denial of service that prevents other clients from logging in during peak times. I've searched the 'net and haven't found any references to this problem; does anyone know anything about the issue? We're running ProFTPD 1.2.9 and the client is using Macromedia Contribute 2.

Tags: denial-of-service

Fighting Filters and DDoS

2003-09-02T00:55:15+00:00

Paul Graham's essays on fighting spam are generally excellent; it was Paul who sparked the recent flurry of activity surrounding Bayesian statistical filters and inspired the creation of some of the best tools for fighting spam yet. Paul's latest suggestion, Filters that fight back, seems to me to miss the mark in a big way. Paul suggests email servers should "follow" links in any email received. This would turn the tables on spam, as suddenly sending out a million spams would result in a million useless hits to the site being promoted, quickly brining it to its knees. It's a great concept, until some malicious script kiddie realises that they've been handed a tool to run massive distributed denial-of-service attacks on any domain they care to target. Not to mention that such a feature would make many legitimate mass email tools prohibitively expensive to run.

Update: It turns out that this issue has already been discussed in the FAQ attached to the essay. The suggested solution is to use a blacklist, with servers only hitting sites that are linked to from an email and listed on the blacklist.

Tags: denial-of-service, paul-graham, spam