n.
An online attack that attempts to disable a website by sending a specially formatted sequence of characters such as "lol" and "ha".
Example Citations:This is called the "Billion Laughs" attack—without going too far into the nuances of XML trickery, you can see that this file has a series of ENTITY entries, each of which references and expands to the ones above it. So the file grows exponentially in memory when it is parsed, consumes CPU cycles, and mushrooms in size to eat up the memory space of its host computer.
—Bill Hines et al., IBM WebSphere DataPower SOA Appliance Handbook: http://books.google.com/books?id=acullmuy8zEC&pg=PT944&dq=%22billion+laughs+recursion+attack%22&hl=en&sa=X&ei=IVJGT8iLGdC50QHYh5GGDg&redir_esc=y\#v=onepage&q=%22billion%20laughs%20recursion%20attack%22&f=false, IBM Press, January 3, 2009
Wouter Coekaerts discovered that ejabberd, a distributed XMPP/Jabber server written in Erlang, is vulnerable to the so-called "billion laughs" attack because it does not prevent entity expansion on received data.
—" Debian Security Advisory: DSA-2248-1 ejabberd — denial of service: http://www.debian.org/security/2011/dsa-2248." Debian, March 31, 2011
Earliest Citation:You can easily construct a few entities that expand to a huge result.
Depending on how your parser returns things, this may use lots of
memory or merely use up lots of cpu time.There is an example at
http://www.cogsci.ed.ac.uk/billion laughsrichard/billion-laughs.xml
I don't recommend loading this file into a browser.
—Richard Tobin, " Re: Malicious XML: http://www.stylusstudio.com/xmldev/200211/post30610.html," XML-DEV, November 5, 2002
Notes:Two thumbs pointing skyward to Grant Barrett and Paul Ford for uncovering this term.
Related Words:cracker
dark-side hacker
DDo$
distributed denial of service
kiddiot
script kiddie
zombie computer
Categories:Hacking and Hackers
Jargon
Privacy and Security