Can anyone explain why limiting the maximum request body size is useful for preventing DoS attacks? ModSecurity defaults to 1MB for example with SecRequestBodyNoFilesLimit.

I guess I'm wondering why this matters that much since I thought usually DoS attacks (not necessarily DDoS ones) relied on something that was cheap for the attacker and expensive for the server being attacked.

If request bodies are limited to 1MB instead of 10MB for example, wouldn't the attacker just do ten 1MB requests in a row instead of one 10MB request in the same amount of time (assuming there wasn't some rate limiting of requests of course)?

Is this mainly because of application-level problems which may cause a very large request body to have multiplicative effects with regards to being able to deny service (i.e. it's just a general precaution which may or may not be necessary depending on the application), or is there something I'm missing and it is always beneficial?

sa289
  • 1,308
  • 2
  • 17
  • 42

2 Answers

0

I thought usually DoS attacks (not necessarily DDoS ones) relied on something that was cheap for the attacker and expensive for the server being attacked.

That was the case before the advent of large-scale botnets. Now, everything is cheap for the attacker since they're not paying for any of the bandwidth.

EEAA
  • 108,414
  • 18
  • 172
  • 242
  • What's the difference between them doing ten 1MB requests vs one 10MB one though? Just easier to block in the case of DDoS, because ten large requests are easy for a DDoS preventer to identify as malicious and block that IP? – sa289 Oct 29 '15 at 01:46
0

I think this has to do with RAM-usage DoS prevention. If the maximum request body size is 100MB, then 100 concurrent requests could use up to 10,000MB (100MB*100) of RAM vs only 100MB total (1MB*100) if the maximum request body size is 1MB. This is assuming the web server buffers the request body in memory, which I think is the case except for file uploads.

sa289
  • 1,308
  • 2
  • 17
  • 42
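The memory argument in the answer above, as an added example that is not part of the original post or of ModSecurity itself. The code assumes a hypothetical server that buffers bodies in RAM, and shows two things: the worst-case buffered memory is bounded by the body cap times the concurrency cap, and the cap must be enforced on bytes actually read, because a client can declare a small Content-Length and then keep sending (or use chunked encoding, where there is no declared length at all). The inputs are constructed in-memory streams.

```python
import io


class RequestTooLarge(Exception):
    """Raised when a body exceeds the configured cap (a server would answer 413)."""


def precheck_content_length(headers, max_bytes):
    """Cheap early rejection from the declared Content-Length, if present.

    Returns True when the request may proceed to body reading. A missing
    header (e.g. chunked transfer) cannot be judged here, so it passes and
    is left to read_body_capped, which enforces the real limit.
    """
    declared = headers.get("Content-Length")
    if declared is None:
        return True
    try:
        return int(declared) <= max_bytes
    except ValueError:
        return False  # malformed header: reject rather than guess


def read_body_capped(stream, max_bytes, chunk_size=8192):
    """Read a request body into memory without ever holding more than
    max_bytes of it. The cap is applied to bytes received, not to the
    header, so a client that understates Content-Length gains nothing.
    """
    buf = bytearray()
    while True:
        # Never ask for more than one byte past the remaining budget, so the
        # over-limit condition is detected without over-buffering.
        want = min(chunk_size, max_bytes - len(buf) + 1)
        chunk = stream.read(want)
        if not chunk:
            break
        if len(buf) + len(chunk) > max_bytes:
            raise RequestTooLarge(
                f"body exceeds {max_bytes} bytes; rejecting before buffering more"
            )
        buf.extend(chunk)
    return bytes(buf)


def worst_case_body_memory(max_body_bytes, max_concurrent):
    """Upper bound on RAM spent on buffered bodies for a server that holds
    at most max_concurrent requests at once (constructed model, assumes the
    whole body is kept in memory as the answer above describes)."""
    return max_body_bytes * max_concurrent


def handle(headers, stream, max_bytes):
    """Combine the two checks the way a hypothetical server front-end would:
    reject on the declared size first, then cap the actual read."""
    if not precheck_content_length(headers, max_bytes):
        raise RequestTooLarge("declared Content-Length over limit")
    return read_body_capped(stream, max_bytes)


if __name__ == "__main__":
    MB = 1024 * 1024
    # The figures from the answer: 100 MB bodies x 100 concurrent requests
    # versus 1 MB bodies x 100 concurrent requests.
    print(worst_case_body_memory(100 * MB, 100) // MB, "MB worst case at 100 MB cap")
    print(worst_case_body_memory(1 * MB, 100) // MB, "MB worst case at 1 MB cap")

    # Constructed client that declares 500 bytes but sends 2000.
    lying_headers = {"Content-Length": "500"}
    try:
        handle(lying_headers, io.BytesIO(b"x" * 2000), max_bytes=1024)
    except RequestTooLarge as e:
        print("rejected:", e)
```

The point of reading in small chunks is that the decision to reject is made after at most `max_bytes + 1` bytes have been accepted into memory, so the per-request cost to the server is bounded no matter what the client claims in its headers.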