Closed Bug 224026 Opened 21 years ago Closed 21 years ago

Holding down F5 (Reload) can be used as a DOS attack

Categories

(SeaMonkey :: General, defect)

x86
Windows XP
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: martin, Unassigned)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.5) Gecko/20031007
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.5) Gecko/20031007

On Mozilla in Windows, pressing down F5 will reload the page, which is fine.

However, holding down this key will cause Mozilla to send new requests to the
web site as fast as it can, issuing thousands of requests within seconds.  If
the page is a dynamic one (e.g. PHP+MySQL) then this can put a high load on the
server as it struggles under thousands of script and database calls.

Effectively, the F5 key in Mozilla (and IE) can function as a very simple
denial-of-service attack.

A solution is to rate-limit the repeats, or simply require one key press per reload.

Reproducible: Always

Steps to Reproduce:
1. Find dynamically-generated site on slowish server
2. Press F5


Actual Results:  
The site crumbles and stops serving pages

Expected Results:  
Not so many reload requests sent.
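
The two fixes suggested in the report above (rate-limit the repeats, or require one key press per reload), modelled as an added example that is not part of the original report or Mozilla's code. The function names and the auto-repeat timings are assumptions; the event fields follow the DOM `KeyboardEvent` (`key`, `repeat`, `timeStamp`).

```javascript
// Added example (not Mozilla's code). Events mirror DOM KeyboardEvent fields.

// Returns a stateful predicate deciding whether a key event may trigger a reload.
//   allowRepeat=false                  -> one reload per physical key press
//   allowRepeat=true, minIntervalMs>0  -> auto-repeat honoured, but rate-limited
function makeReloadGate({ allowRepeat, minIntervalMs }) {
  let lastReloadAt = -Infinity;
  return function shouldReload(ev) {
    if (ev.key !== "F5") return false;
    if (ev.repeat && !allowRepeat) return false; // event generated by holding the key
    if (ev.timeStamp - lastReloadAt < minIntervalMs) return false; // too soon
    lastReloadAt = ev.timeStamp;
    return true;
  };
}

// Constructed input: F5 held down for `heldMs` milliseconds. The initial delay
// and repeat period are illustrative values, not measured ones.
function heldKeyEvents(heldMs, initialDelayMs = 500, periodMs = 33) {
  const events = [{ key: "F5", repeat: false, timeStamp: 0 }];
  for (let t = initialDelayMs; t <= heldMs; t += periodMs) {
    events.push({ key: "F5", repeat: true, timeStamp: t });
  }
  return events;
}

// Number of reload requests the gate lets through for a stream of key events.
function countReloads(events, gate) {
  let n = 0;
  for (const ev of events) if (gate(ev)) n++;
  return n;
}

const held = heldKeyEvents(3000); // three seconds of holding F5
console.log("ungated reloads:", held.length);
console.log("one per key press:",
  countReloads(held, makeReloadGate({ allowRepeat: false, minIntervalMs: 0 })));
console.log("repeats limited to 1/s:",
  countReloads(held, makeReloadGate({ allowRepeat: true, minIntervalMs: 1000 })));
```
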

Either dupe of bug 71074 or invalid. Going with invalid.
Status: UNCONFIRMED → RESOLVED
Closed: 21 years ago
Resolution: --- → INVALID

This is most definitely a real bug, though it might only be a real problem on
web servers that are very close (i.e. in the same LAN).  In my community it's
become a popular exploit for kids who want to bring down their school web server
just before doing an online quiz.

I agree, though, that it's one facet of the more general problem described in
bug 71074.  NONE of the control keys (or function keys) should auto-repeat.  I
will post a comment in bug 71074 to ensure that F5 is taken into account.

Actually, I just did some testing using 1.6b and it seems something has changed
recently! Yay! Mozilla no longer spams the server with requests.

It's not a change in system settings - I can still use IE6 to bring down a local
server by pressing F5.

Product: Browser → Seamonkey