Python DoS attacks: Python DoS Prevention and the Billion Laughs Attack

索寒
2023-12-01

Python DoS attacks

What is DoS?

Before we dig into the "Billion Laughs" attack or how to go about protecting your applications, let me give a quick overview of what DoS is. DoS stands for denial-of-service and makes up a general class of attacks designed to restrict the Availability of an application, service, or company. DoS attacks are fascinating in part because of the huge variability in how they are executed. I won't go into much detail here, but here are some historic DoS attacks:

DoS attacks generally fall into one of two broad classes, Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS). Both share the same general intent, but they take very different forms.

Denial-of-Service (DoS)

DoS attacks are perpetrated by a single attacker, and their goal is to make an application, service, or machine unavailable by either flooding it with more requests than it can handle, or otherwise consuming resources or processing in such a way that legitimate requests cannot be handled. Within DoS there are two primary categories, Application attacks and Network attacks.

Network attacks, regardless of how they are executed, generally aim to saturate bandwidth or overwhelm a server by brute force or a flood of malformed requests. Single-source DoS Network attacks are no longer very common, thanks to basic firewall configuration and the ability of servers to handle traffic from a single malicious client.

Application layer attacks, also sometimes called Layer 7 attacks, involve putting operational strain on the software serving the requests in such a way that it cannot handle additional requests. This is the category the Billion Laughs attack falls into.

Distributed Denial-of-Service (DDoS)

DDoS attacks are denial-of-service attacks in which more than one attacking machine participates. With the rising prevalence of IoT botnets, DDoS attacks are on the upswing.

DDoS attacks appear to be ramping up in magnitude, if not also in frequency. The proliferation of IoT devices with poor security controls has led to massive botnets such as Mirai. The controllers of these botnets can rent them out to other malicious actors to power massive DDoS attacks, such as the one against Dyn that crippled large parts of the internet in 2016.

DDoS attacks can also be perpetrated by large groups of active users using simple tools, as in the DDoS attack by Anonymous against a number of financial institutions in 2010 following their refusal to process payments for the "news" site Wikileaks.

A Billion Laughs

The Billion Laughs attack is an Application DoS attack aimed at document parsers, typically XML or YAML. It may also be referred to as an XML Bomb. The attack works by having a single base element that refers to an entity, which in turn refers to 10 additional entities, each of which refers to a further 10 entities, and so on until the chain ends with a terminating entity that refers to no further entities. When parsed, this small XML document inflates to include a very large number of copies of the terminating entity. The name "Billion Laughs" comes from the tendency to use "lol" as the entity value, so a fully inflated document contains a billion "lol"s.

If you attempt to parse this file using the standard library xml.etree.ElementTree, the attack is triggered and this ~800 byte XML file causes ~3Gb of memory to be used during parsing. For this reason I decided to run the experiment in a Docker container, with Docker for Mac configured to impose a 1Gb memory limit. My test run script parses the file with Python in the background and logs the memory usage every second. It only takes about 10 seconds before the process is killed. You can view my setup files here.

$ Docker build . -t vulnerable && docker run vulnerable
...
Using: 7788 Kb
Using: 230172 Kb
Using: 502340 Kb
Using: 779064 Kb
Using: 956980 Kb
Using: 1102780 Kb
Using: 1252228 Kb
Using: 1389968 Kb
Using: 1515664 Kb
Using: 1692576 Kb
./run.sh: line 13: 6 Killed python vulnerable.py

Protection

The library defusedxml was created solely for this purpose. In addition to the Billion Laughs attack, there are several other forms of XML bombs, all of which defusedxml was created to handle. The library is designed to replace the standard xml library's functionality in a safe way.

Where you would normally do the following to parse an XML file

from xml.etree.ElementTree import parse
et = parse(<xml>)  # <xml>: a filename or file object

you can change to this to protect yourself from XML bombs in your Python applications.

from defusedxml.ElementTree import parse
et = parse(<xml>)  # same call, but entity declarations raise instead of expanding
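To make the inflation described in the Billion Laughs section and the defusedxml-style protection above concrete, here is an added example (not code from the original post or from defusedxml). It parses a constructed two-level "laughs" document with the standard library to show the expansion, and then shows a standalone guard that hooks expat's EntityDeclHandler, the same mechanism defusedxml uses, to refuse any document that declares entities before anything is expanded; the function and class names are my own.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat

# Constructed sample with only two tenfold levels (100 "lol"s), so it is safe
# to expand here; the author's file chains nine levels for 10**9 "lol"s.
SMALL_LAUGHS = """<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
]>
<lolz>&lol2;</lolz>"""

def expanded_bytes(levels, fanout=10, leaf="lol"):
    """Text bytes a bomb with `levels` tenfold entities inflates to:
    nine levels give 10**9 * 3 bytes, the ~3 GB measured above."""
    return fanout ** levels * len(leaf)

def unsafe_text_len(doc):
    """Standard-library parse: internal entities are expanded in full."""
    return len(ET.fromstring(doc).text or "")

class EntitiesForbidden(ValueError):
    """Document declares entities (same idea as defusedxml's error)."""

def reject_entity_declarations(doc):
    """Pre-scan with expat and abort on the first <!ENTITY> declaration,
    before anything is expanded. defusedxml hooks the same expat
    EntityDeclHandler; this is a standalone version of that check."""
    parser = expat.ParserCreate()

    def on_entity_decl(name, *_):
        raise EntitiesForbidden(f"entity declaration {name!r} not allowed")

    parser.EntityDeclHandler = on_entity_decl
    parser.Parse(doc, True)

def safe_fromstring(doc):
    """Drop-in for ET.fromstring that refuses entity-declaring documents."""
    reject_entity_declarations(doc)
    return ET.fromstring(doc)

def is_rejected(doc):
    """True when safe_fromstring refuses the document."""
    try:
        safe_fromstring(doc)
    except EntitiesForbidden:
        return True
    return False
```

The guard rejects all entity declarations, including harmless ones, which is the same trade-off defusedxml makes by default; the unsafe parse is only run here on the tiny sample, never on a full-depth bomb.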

Conclusion

As you can see, preventing XML bomb attacks in Python is a trivial, low-hanging-fruit improvement to your application's security. Unfortunately there is no such magic bullet for many other forms of DoS attacks, and DDoS is often a risk that can only be mitigated at a high price (and even then there are no guarantees). You can view all my code related to this blog here.

Hey, I'm Andrew Scott, a software developer and the creator of Ochrona. Ochrona focuses on improving Python security by providing insights into your project's dependencies, with a major focus on Developer Experience (DX). Sign up for our Mailing List :)

Translated from: https://medium.com/ochrona/python-dos-prevention-the-billion-laughs-attack-edb6194d7df8
