1

Is it possible to perform a denial of service attack on an asynchronous web service? Isn't the operating system supposed to release the thread? It shouldn't matter if someone attacking a system would be throwing thousands/millions of requests per second at that server.

Does anyone have an opinion on this?

Jedi
bdawg

1 Answer

1

If, by asynchronous, you mean a web server like vertx/undertow that puts requests onto an event bus and handles them from a thread pool, then DoS should still be possible, though you may require a higher load if you do an L7 flooding attack than when DoS-ing a threaded server like Apache.

The OS is indeed not creating and blocking a single thread per request, and instead serving from a pool of event-driven workers, which means that CPU exhaustion is harder to achieve. However, at the network level, there are still a large number of open connections, and the system may still run out of file descriptors and be unable to handle new connections.

Indeed, I did some simple testing to benchmark Apache Tomcat vs. vertx and found that on identically configured AWS EC2 instances, vertx has a capacity that is four times higher than Apache, but still crashes even from a single L7 flood generator.

Jedi
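The descriptor limit described in the answer can be observed inside a single process. The following is an added example, not part of the original answer: it lowers its own soft `RLIMIT_NOFILE`, holds idle sockets as stand-ins for open client connections, and records when free-descriptor headroom falls below a threshold and when the OS returns `EMFILE`, all without adding a thread. The function names, the limit of 64 and the 25% alert threshold are assumptions chosen for illustration.

```python
import errno
import os
import resource
import socket
import threading


def open_fd_count():
    """Number of descriptors this process holds (Linux /proc, else /dev/fd)."""
    fd_dir = "/proc/self/fd" if os.path.isdir("/proc/self/fd") else "/dev/fd"
    return len(os.listdir(fd_dir)) - 1  # listdir itself briefly holds one


def fd_headroom():
    """Fraction of the soft RLIMIT_NOFILE still free, between 0.0 and 1.0."""
    soft, _ = resource.getrlimit(resource.RLIMIT_NOFILE)
    if soft == resource.RLIM_INFINITY:
        return 1.0
    return max(0.0, 1.0 - open_fd_count() / soft)


def hold_idle_sockets(soft_limit=64, alert_below=0.25):
    """Hold idle sockets under a lowered limit until the OS returns EMFILE."""
    old_soft, hard = resource.getrlimit(resource.RLIMIT_NOFILE)
    capped = soft_limit if hard == resource.RLIM_INFINITY else min(soft_limit, hard)
    resource.setrlimit(resource.RLIMIT_NOFILE, (capped, hard))
    held, alert_at = [], None
    threads_before = threading.active_count()
    try:
        while True:
            try:
                if alert_at is None and fd_headroom() < alert_below:
                    alert_at = len(held)  # point where a server should shed load
                held.append(socket.socket())  # stands in for one idle connection
            except OSError as exc:
                if exc.errno != errno.EMFILE:
                    raise
                break  # same error accept() reports once descriptors run out
        return {"held": len(held), "alert_at": alert_at,
                "threads_added": threading.active_count() - threads_before}
    finally:
        for sock in held:
            sock.close()  # release everything and restore the original limit
        resource.setrlimit(resource.RLIMIT_NOFILE, (old_soft, hard))


if __name__ == "__main__":
    print(hold_idle_sockets())
```

On a real server the same headroom figure, sampled periodically, indicates when to stop accepting new connections or close idle ones before `accept()` starts failing.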