Two guys from Germany gave a presentation two days ago at the 28c3 conference in Berlin about efficient Denial-of-Service attacks.
The described attack exploits a common design flaw that makes for an easy-to-conduct DoS. The vulnerability was found in most web technologies, including .NET, PHP, and Java, amongst others.
On the technical side, they harnessed a feature of the POST mechanism that translates the submitted data into a hash table built on a deterministic hash function. By engineering the provided input so that it results in hash collisions, they can achieve a very efficient Denial-of-Service.
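To see why collisions are so costly and why seeding the hash removes the predictability, here is an added example (not code from the advisory or from any affected platform). It counts key comparisons when the same constructed keys are inserted into a chained table under a toy deterministic hash and under a secretly seeded one. `weak_hash`, `make_seeded_hash`, `insert_cost`, `sample_keys` and the 64-bucket table are all assumptions made for this illustration, and keyed BLAKE2b merely stands in for a seeded hash function.

```python
import hashlib
import itertools
import os

BUCKETS = 64  # constructed table size for the demo

def weak_hash(key):
    # Toy deterministic hash (byte sum), not any real platform's function:
    # every permutation of the same characters lands in the same bucket.
    return sum(key.encode()) % BUCKETS

def make_seeded_hash(seed):
    # Keyed BLAKE2b stands in for a hash seeded with a per-process secret,
    # so bucket placement cannot be predicted without knowing the seed.
    def seeded_hash(key):
        digest = hashlib.blake2b(key.encode(), key=seed, digest_size=8).digest()
        return int.from_bytes(digest, "big") % BUCKETS
    return seeded_hash

def insert_cost(keys, hash_fn):
    """Insert keys into a chained hash table; return total key comparisons."""
    table = [[] for _ in range(BUCKETS)]
    comparisons = 0
    for key in keys:
        chain = table[hash_fn(key)]
        for existing in chain:  # duplicate check walks the whole chain
            comparisons += 1
            if existing == key:
                break
        else:
            chain.append(key)
    return comparisons

def sample_keys(n):
    # Constructed parameter names: distinct permutations of one string.
    perms = itertools.permutations("abcdefgh")
    return ["".join(p) for p in itertools.islice(perms, n)]

if __name__ == "__main__":
    keys = sample_keys(2000)
    print("deterministic:", insert_cost(keys, weak_hash))
    print("seeded:       ", insert_cost(keys, make_seeded_hash(os.urandom(16))))
```

With the deterministic hash, n colliding keys cost n(n-1)/2 comparisons, which is the quadratic blow-up behind the attack. With the seeded hash the same keys spread across the buckets and the count drops by well over an order of magnitude.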
They released an advisory containing the details of the attack and some numbers to glance over.
Ruby was fast to respond, and Microsoft responded with a partial fix yesterday. Others are expected to release their own patches over the weekend.