[wp-testers] WordPress 2.0.1 Remote DoS Exploit?

[Robert Deaton]

On 3/10/06, Jeffrey Leung <curriegrad2004 at gmail.com> wrote:
> Ouch. That's a blow to WordPress Users.

If you really believe that, feel free to take it up with the
developers on the hackers list or on IRC, however, first consider the
following:

The reason that this could even cause a DOS is because it causes a
MySQL write. However, in order for any sort of protection, you need to
do a second write logging some action, which can cause twice the
strain on the server. Sure, it protects against a silly little script
like the one posted above, but what happens when there is a real DOS,
not a kiddie perl script. A DOS where the registration is bounced out
across a couple hundred proxy servers. Are you going to do two writes
on each register, bringing down your server twice as fast? [see this
reply from a hackers thread on a plugin to help fight a dos:
http://comox.textdrive.com/pipermail/wp-hackers/2006-March/005294.html]

Any DOS to any page can easily bring down most servers on resources
alone, and it is not a PHP application's duty to protect this, as in
most cases, attempts are in vain, and most application level DOS
protection aids in the DOS of a site (heck, I've seen some software
shut the site down because it believes there is a DOS, basically
giving in to the point of a DOS). PHP and MySQL in all their glory on
one machine will not hold up against even a simple DOS, and no matter
what WordPress does, there will be ways to DOS, there is no avoiding
the problem. Even a site running wp-cache2 which pulls cached html
from disk will die under a moderate DOS, there's only so much hardware
and underlying software such as the webservers can take. In the end,
building application level DOS protection is a lesson in futility.

--
--Robert Deaton
http://somethingunpredictable.com