Denial of Service

From MgmtWiki
Revision as of 08:28, 6 October 2021 by Tom (talk | contribs) (Problem)


Full Title or Meme

One of the primary STRIDE classes of malicious external attacks.

Context

  • Cloudflare and others provide security support at the edge, such as protection from Denial of Service (DoS) attacks.

Problem

What's the threat? Making the system temporarily unavailable or unusable, for example through attacks that force a reboot or restart of the user's machine. When an attacker can temporarily make system resources (processing time, storage, etc.) unavailable or unusable, we have a denial of service threat. We must protect against certain types of DoS threats to improve system availability and reliability. However, some types of DoS threats are very hard to protect against, so at a minimum we must identify and rationalize such threats.

Solution Examples

  • Okta: To protect the service for all customers, Okta APIs are subject to rate limiting. These limits mitigate denial-of-service attacks and abusive actions such as rapidly updating configurations, aggressive polling and concurrency, or excessive API calls. Okta will be turning the per-client rate limit feature to "Log per client" mode and subsequently into "Enforce limit and log per client" mode for all customer production and preview orgs for both the OAuth 2.0 /authorize and /login/login.htm endpoints. This change is occurring because Okta has identified instances where individual clients, whether accidentally or intentionally, have consumed the rate limit capacity for the entire org, causing all other clients to be blocked. This feature offers additional isolation so that each client cannot impact other clients by consuming capacity.
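The isolation the Okta example describes can be seen with a small simulation. The code below is an added illustration, not Okta's implementation: it assumes a sliding-window counter with one org-wide cap and one per-client cap, and models the three modes (no per-client limit, log only, enforce and log) with constructed request counts.

```python
from collections import defaultdict, deque


class PerClientRateLimiter:
    """Sliding-window limiter with an org-wide cap and a per-client cap.

    mode: "off"     -> only the org-wide cap applies (one client can starve the rest)
          "log"     -> per-client breaches are logged but the request still goes through
          "enforce" -> per-client breaches are logged and the request is rejected
    """

    def __init__(self, org_limit, client_limit, window_s=60.0, mode="enforce"):
        self.org_limit = org_limit
        self.client_limit = client_limit
        self.window = window_s
        self.mode = mode
        self.org_hits = deque()                 # timestamps of accepted requests, org-wide
        self.client_hits = defaultdict(deque)   # timestamps of accepted requests, per client
        self.log = []                           # audit log of (client_id, timestamp) breaches

    def _prune(self, q, now):
        # Drop timestamps that have left the sliding window.
        while q and now - q[0] >= self.window:
            q.popleft()

    def allow(self, client_id, now):
        self._prune(self.org_hits, now)
        q = self.client_hits[client_id]
        self._prune(q, now)
        if self.mode != "off" and len(q) >= self.client_limit:
            self.log.append((client_id, now))   # per-client breach: always logged
            if self.mode == "enforce":
                return False                    # ...and rejected only when enforcing
        if len(self.org_hits) >= self.org_limit:
            return False                        # org-wide capacity exhausted
        self.org_hits.append(now)
        q.append(now)
        return True


def simulate(mode, noisy_requests=150, org_limit=100, client_limit=50):
    """Constructed scenario: a noisy client bursts first, then a well-behaved client asks once.

    Returns (noisy requests accepted, was the other client served, breaches logged).
    """
    lim = PerClientRateLimiter(org_limit, client_limit, mode=mode)
    noisy_ok = sum(lim.allow("noisy", t * 0.001) for t in range(noisy_requests))
    other_ok = lim.allow("other", 0.5)
    return noisy_ok, other_ok, len(lim.log)
```

With only the org-wide cap ("off") or in "log" mode the noisy client exhausts the org capacity and the other client is blocked; in "enforce" mode the noisy client is capped at its own share and the other client is served.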

References