What is ReDoS? Understanding Regular Expression Denial of Service Attacks

Denial-of-service (DOS) attacks overwhelm a company’s servers to ensure that it cannot function correctly. From this state, they are unable to make sales, communicate with customers, or continue their business operations. Hackers are increasingly interested in these attacks, as they provide a low-cost, high-efficiency method of interrupting business services, which they can then leverage for ransom.

ReDoS (Regular Expression Denial-of-Service) attacks form a core part of modern DoS strategy, offering hackers a way of achieving DoS without needing the same starting pool of resources. As this threat becomes more prominent, businesses must endeavor to integrate defenses to protect their systems against ReDoS attacks to decrease the likelihood of their company falling prey to this attack vector.

In this article, we’ll explore everything you need to know about ReDoS attacks, including what they are, how they work, and how your business can keep itself safe.

What is ReDoS?

A ReDoS attack operates similarly to all other Denial-of-Service attacks, where hackers utilize strategies to consume a company’s server resources and leave their website and connected applications completely inoperable. A ReDoS attack exploits the regular expression (regex) engine that is commonly used in programming.

Part of why ReDos attacks can be so powerful is that they don’t require a huge volume of requests. In traditional DDoS attacks, a hacker will need access to large networks of corrupted devices to send bot traffic, while a single request can trigger a ReDos attack. Without effective protection against this, it could be one of the easiest methods that hackers use to reduce a company’s systems to an inoperational level.

According to 2022 data from Statista, around 25% of companies across the globe are worried about their ability to manage the rising DOS threat. As an emerging attack vector that’s gaining prominence, businesses must understand what ReDoS attacks are and how they can mitigate them in their organization.

How ReDoS attacks work

ReDoS attacks stem from exploitations in regex engines (regular expressions). Regular expressions are vital in programming and are often used in string validation, manipulation, and parsing. These expressions are sequences of characters that relate to a certain search pattern in the system. When a regex engine attempts to process an input that is unusually complex or disorganized, it will expend resources to do so.

Hackers can exploit this vulnerability by identifying a regex pattern that will confuse the system and make it execute, spending its resource pool to do so. With incredibly complex regular expressions, a regex engine may spend an infinite amount of time processing the request, completely exhausting the system’s resources and leading to inoperability.

When a system starts to expend all of its resources on the regex engine, it will no longer be able to interact with other requests and deliver data to other users that try and access the system. Just like in a traditional DDoS attack, this would leave all of a company’s web pages and servers in a state where they are unable to properly function.

Protecting against ReDoS attacks

While ReDoS attacks present a major concern for business security, there are numerous strategies that teams can employ to protect their systems from this specific exploit.

Especially if a hacker wants to target your business with a DoS attack, they will likely first try with ReDoS, as these take the least amount of resources from the attacker’s end. Preventing these exploits will force the hacker to move to other strategies like DDoS, which you may already have more extensive security for.

Here are a few examples of methods your business can use to prevent ReDoS attacks in your business:

• Monitor Backtracking with Possessive Quantifiers: Backtracking in regular expressions is when a regex engine has to look through previously saved states for an exact match. Hackers can use a string that requires backtracking for something that doesn’t exist, creating an infinite search that consumes resources. To avoid this, businesses can use possessive quantifiers that ensure certain quantifiers never backtrack once they meet a certain part of the input string.
• Use Load Balancing and Back Ups: ReDos attacks only work if they can overwhelm all of the servers that your business has available to it. To avoid this completely, you can simply use load balancing across multiple servers. When one experiences a ReDoS attack, other servers can act as a backup to jump in to provide resources for other user requests.
• Deploy Comprehensive Testing: While manual security processes are time-consuming, it’s worth making your security experts manually examine potential redex expressions to check for potential exploits. Alternatively, you could use regex tools to test numerous inputs simultaneously.

While not an exhaustive list of security considerations to prevent ReDoS attacks, these demonstrate the ability of businesses to pinpoint and overcome the threat of this attack vector.

Overcoming the ReDoS threat

ReDoS presents a major threat to businesses that are unprepared for this threat vector. But, like many threats, effective preparation can vastly reduce the significance of ReDoS in your organization.

By incorporating technologies that mitigate ReDoS attacks and monitor your systems to flag any malicious behavior, your business will stay one step ahead of threats and keep your data safe. If possible, seek out DDoS protection that extends to ReDoS or enlist specialized security tools to test your regex engine for vulnerabilities.