5

If I am able to access a database and delete all the files which a web app would read, would that be considered a Denial of Service attack?

It is not a duplicate of the question in the following link since the hypothesis is different, although the outcome may be equivalent:

Is unauthorised deletion an integrity or availability issue?

gibarsin
  • 69
  • 1
  • 7
  • That question is certainly related, but I'm not convinced that it's a dupe: that asks about an API that mistakenly allows for users to delete individual lines, while this is about directly deleting files. Good find though. – Mike Ounsworth Jul 14 '17 at 11:19

3 Answers

23

Yes, in the sense that anything which "denies service" is a "denial of service".

The CIA Triad defines information security as anything which affects Confidentiality, Integrity, or Availability of the system / data.

As pointed out in comments, this is not always an "attack" since it's just as likely to be accidental. Whether this is the result of a malicious attack, an admin botching a patch install, or the building catching fire, DoS due to data loss is definitely a security risk for which organizations should have a plan in place.
Assuming it is an intentional attack, if they have enough access to the backend server to delete db files, then there are far more subtle and nefarious things they could do (like stealing the db, selectively deleting data, planting a network sniffer, etc), so a DoS is pretty much the least dangerous thing in the category of "attacker has write-access to the server's filesystem", which is why "deleting the database" is to "DoS" as "canoe" is to "vehicle": not the first thing that comes to mind, but technically counts.

Mike Ounsworth
  • 57,707
  • 21
  • 150
  • 207
  • 1
    I don't think it's this clear cut. It's not a typical "DoS": you are not denying a service, you are modifying data. If you delete a file on purpose you don't say "I have DoSed myself". Also DoS mitigation will not help you in this situation; you are using the wrong words to describe things. – daniel Jul 14 '17 at 12:29
  • @daniel Oh it's certainly a "typical" DoS scenario, no objection there, but to quote Jmons below, anything which "denies service" is a "denial of service". "The phrase DOS came to the public eye with DDOS, and a lot of people associate it with the easiest form, flooding", but according to the CIA Triad, anything which affects Availability can be considered a security issue. To borrow from Schroeder below, anything from the admin botching a patch, to the cleaning staff unplugging the server, while not "attacks" are unquestionably still "denials of service". – Mike Ounsworth Jul 14 '17 at 12:42
  • 1
    Wikipedia sort of agrees with you: "any attack against availability", but that scope is too wide. NIST has done a better job, saying "A denial of service (DoS) is an action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such as central processing units (CPU), memory, bandwidth, and disk space." – daniel Jul 14 '17 at 13:05
  • @daniel I would say that while the NIST definition covers the _typical_ way DoS / DDoS attacks work in the wild (and as I state in my answer, if you can pull off the attack described in the question, you have much bigger attacks to worry about), but I don't think it's a complete definition - in the same way that "canoes" are not the first thing that come to mind for "vehicles", they certainly still count. So, are you trying to make a point (like "deleting all your files is not a security issue") or are you just being picky about wording? – Mike Ounsworth Jul 14 '17 at 13:16
  • 1
    I'm being picky about wording. It's not a definite DoS attack; it's a "from a certain perspective it could be considered a DoS attack, just as any other thing that affects availability could also be considered a DoS attack". – daniel Jul 14 '17 at 13:44
  • @daniel I think we've reached an agreement! Do my edits look better? – Mike Ounsworth Jul 14 '17 at 14:10
2

Technically? Yes. Anything that denies service is a denial-of-service, hence the name.

Colloquially? No. jrial's heavily downvoted answer explains what we usually mean when we talk about a DoS nowadays (that is, a distributed denial of service, or DDoS), and ably demonstrates how easily you will be misunderstood, in practice, if you call DB data deletion a DoS.

So really it's up to you — right or wrong, it depends on the conversational context.

Lightness Races in Orbit
  • 2,173
  • 2
  • 14
  • 15
1

Does it deny service to one or more users (including admin users) of the system? If yes, it's DoS; if no, it isn't a DoS.

What you should be more concerned about though is not how to classify the attack but rather how the attacker got access to the database in the first place.

Micheal Johnson
  • 1,746
  • 1
  • 10
  • 14