EoP Threat Suits - D (Denial of Service)
Denial of Service (D) is the fifth suit of threats in the STRIDE threat enumeration.
Denial of Service describes any threat that allows an attacker (or accidentally causes a user/service) to prevent, or reduce, legitimate access to services or data which the application should be providing. Accordingly, the characters on the cards are green brown and yellow attacker faces whose open mouths indicate that they are shouting loudly to drown everyone else out.
Denial of Service threats are generally countered through quality implementations of Throttling and Authentication.
Another successful way to mitigate Denial of Service is to not care about the availability of data or service - this only works if you are comfortable with attackers or events causing a loss of function (this Wiki is not an example of what happens in this model!). Ignoring availability and hoping that attackers will bring your service to a grinding halt is not a valid mitigation strategy.
The cards in the Denial of Service suit are as follows:
Denial of Service Suit |
||
Value |
Threat |
Example / Mitigation |
2 |
An attacker can make your authentication system unusable or unavailable |
Example: Mitigation: |
3 |
An attacker can make a client unavailable or unusable but the problem goes away when the attacker stops |
Example: Mitigation: |
4 |
An attacker can make a server unavailable or unusable but the problem goes away when the attacker stops |
Example: Mitigation: |
5 |
An attacker can make a client unavailable or unusable without ever authenticating but the problem goes away when the attacker stops |
Example: Mitigation: |
6 |
An attacker can make a server unavailable or unusable without ever authenticating but the problem goes away when the attacker stops |
Example: Mitigation: |
7 |
An attacker can make a client unavailable or unusable and the problem persists after the attacker goes away |
Example: Mitigation: |
8 |
An attacker can make a server unavailable or unusable and the problem persists after the attacker goes away |
Example: Mitigation: |
9 |
An attacker can make a client unavailable or unusable without ever authenticating and the problem persists after the attacker goes away |
Example: Mitigation: |
10 |
An attacker can make a server unavailable or unusable without ever authenticating and the problem persists after the attacker goes away |
Example: Mitigation: |
J |
An attacker can cause the logging subsystem to stop working |
Example: Mitigation: |
Q |
An attacker can amplify a Denial of Service attack through this component with amplification on the order of 10:1 |
Example: Mitigation: |
K |
An attacker can amplify a Denial of Service attack through this component with amplification on the order of 100:1 |
Example: Mitigation: |
A |
You’ve invented a new Denial of Service attack |
Example: Mitigation: |
[When completed, each card description above will link to a copy of the card, along with examples of the threat and some specific mitigation steps. Point to Patterns & Practices documents, excerpts from Writing Secure Code, etc, where possible. Emphasise that the information is already out there, so that dev teams widen their horizons.]