T 5.65 Denial of services in a database system

Specific methods of attack can be used to prevent the IT users from using the functions and services normally provided to them by a database system. In addition to the examples listed in T 5.28 Denial of service, this threat scenario can also arise in connection with databases under the following conditions:

Too many queries

The problem of receiving too many queries in parallel often arises on Internet databases that generate output for web browsers using interfaces, for example the Common Gateway Interface (CGI) or Active Server Pages (ASP).

Queries that are too complex

When search terms that are not stored in any table are used to search for information in large databases, the responses to such queries will take the maximum time possible because it is necessary to search through all the entries in the index table (at a minimum) in this case. When several such terms are linked together in a query using OR's, the response time for the query increases accordingly.

Incorrect statements

The parser represents the implementation in the database management system (DBMS) of the query language provided by the DBMS (e.g. SQL). The parser checks every query directed to the database for correctness according to the rules of the query language and executes the query if it passes the check. If the query language is not defined uniquely and conclusively or the query language is implemented incorrectly by the parser, then manipulated statements can be utilised to prevent the use of the services of the database if the statements are accepted by the parser. The parser checks such statements and executes them after they pass the check, which then leads to unpredictable results and possibly even a database crash.

Too much output

Unconditional queries or queries restricted using criteria encountered frequently in the database can generate very long output that can overload the DBMS under some circumstances.

Buffer overflow

A database can also be forced to fail by inducing a buffer overflow in the database system. In this case, an attacker can attempt to construct a complex query that places a high load on the DBMS, for example. In addition, the complexity of the query can be increased by adding excessively long parameter values to overload the parser. The consequences are unpredictable and can even include the crash of the DBMS or uncontrolled changes to the data.

© Federal Office for Information Security. All rights reserved.