Universal HTTP Denial-of-Service
About Hybrid
• Creating web-business-logic security
• Doing cool stuff in AI research
• Optimizing acceptance rate for Web-bound transactions
• Minimizing false rejects typical to signature-based solutions
How Would You Like Your Website? Slow or DEAD?
• Slowloris abuses the handling of HTTP request headers, ssslooowly…
• Written by RSnake
• Iteratively injects one custom header at a time and goes to sleep
• The web server vainly awaits the blank line (the final CRLF) that will never come
• Stuck in phase I forever. Kinda like Tron
• R-U-Dead-Yet? abuses HTTP web form fields
• Iteratively injects one custom byte into a web application POST field and goes to sleep
• Application threads become zombies awaiting the ends of posts till death lurks upon the website
• Stuck in phase II forever. Kinda like Tron sequels
SlowLoris
According to HTTP RFC 2616:
Request = Request-Line
          *(( general-header | request-header | entity-header ) CRLF)
          CRLF
          [ message-body ]
SlowLoris
GET http://www.google.com/ HTTP/1.1
Host: www.google.com
Connection: keep-alive
User-Agent: Mozilla/5.0
X-a: b
X-a: b
X-a: b
X-a: b
X-a: b
X-a: b
SlowLoris DEMO
Patching Apache
• Use the anti-Slowloris Apache patch to moderate average timeout thresholds (link at end of presentation)
According to SpiderLabs:
• ModSecurity >= 2.5.13
• Add directive: SecReadStateLimit 5
• Then ModSecurity alerts like this:
[Mon Nov 22 17:44:46 2010] [warn] ModSecurity: Access denied with code 400. Too many connections [6] of 5 allowed in READ state from 211.144.112.20 - Possible DoS Consumption Attack [Rejected]
R-U-D-Y
POST http://victim.com/
Host: victim.com
Connection: keep-alive
Content-Length: 1000000
User-Agent: Mozilla/5.0
Cookie: __utmz=181569312.1294666144.1.1

username=AAAAAAAAAAAAAAAAAAAAAAAAA…

Vulnerability discovered by Tom Brennan and Wong Onn Chee: http://www.owasp.org/images/4/43/Layer_7_DDOS.pdf
R-U-D-Y DEMO
Waging War Upon SCADA
• Stuxnet operated from within Iran’s nuclear facilities to tamper with uranium-enrichment centrifuges
• R-U-D-Y integrated with SHODAN’s API could allow automatic location and disruption of Web-facing SCADA controllers from any anonymous location on Earth
R-U-D-Y Mitigation
• Add directive: RequestReadTimeout body=30
• Add a rule:
SecRule RESPONSE_STATUS "@streq 408" \
    "phase:5,t:none,nolog,pass, \
    setvar:ip.slow_dos_counter=+1,expirevar:ip.slow_dos_counter=60"
SecRule IP:SLOW_DOS_COUNTER "@gt 5" \
    "phase:1,t:none,log,drop, \
    msg:'Client Connection Dropped due to high # of slow DoS alerts'"
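As an added illustration of what the two ModSecurity rules above compute (this is example code, not part of the original slides, of ModSecurity, or of the SpiderLabs post), the Python below replays constructed Apache access-log lines through the same logic: a per-IP counter incremented on every 408 response, expiring after 60 quiet seconds, with the client dropped once the counter exceeds 5. The log lines, addresses and timestamps are constructed, and `parse_line` and `replay` are this example's own names.

```python
import re
from datetime import datetime, timedelta

# Constructed Apache access-log lines (common log format); documentation-range
# addresses and made-up timestamps, used only to drive the example.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Nov/2010:17:44:01 +0000] "POST / HTTP/1.1" 408 0
203.0.113.7 - - [22/Nov/2010:17:44:05 +0000] "POST / HTTP/1.1" 408 0
203.0.113.7 - - [22/Nov/2010:17:44:10 +0000] "POST / HTTP/1.1" 408 0
198.51.100.9 - - [22/Nov/2010:17:44:12 +0000] "GET / HTTP/1.1" 200 512
203.0.113.7 - - [22/Nov/2010:17:44:15 +0000] "POST / HTTP/1.1" 408 0
203.0.113.7 - - [22/Nov/2010:17:44:20 +0000] "POST / HTTP/1.1" 408 0
203.0.113.7 - - [22/Nov/2010:17:44:25 +0000] "POST / HTTP/1.1" 408 0
203.0.113.7 - - [22/Nov/2010:17:44:30 +0000] "POST / HTTP/1.1" 200 17
203.0.113.7 - - [22/Nov/2010:17:46:30 +0000] "GET / HTTP/1.1" 200 512
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3})')

def parse_line(line):
    # Returns (ip, timestamp, status) or None for a line that does not parse.
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, int(m.group("status"))

def replay(log_text, threshold=5, expiry_seconds=60):
    """Emulates the two rules: phase 1 drops a client whose ip.slow_dos_counter
    is above the threshold; phase 5 bumps the counter on a 408 and (re)sets its
    expiry, so the variable disappears after expiry_seconds without a 408."""
    expiry = timedelta(seconds=expiry_seconds)
    counter = {}  # ip -> (count, expires_at), i.e. the ip.* collection
    decisions = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        ip, ts, status = parsed
        count, expires = counter.get(ip, (0, None))
        if expires is not None and ts > expires:  # expirevar fired: counter gone
            count, expires = 0, None
        if count > threshold:                      # phase:1 ... drop
            decisions.append((ip, "drop"))
            continue
        if status == 408:                          # phase:5, response was a 408
            count, expires = count + 1, ts + expiry
        counter[ip] = (count, expires)
        decisions.append((ip, "pass"))
    return decisions
```

Note that a client is only dropped on the request after its sixth 408, and that the counter's expiry is pushed forward by every new 408, so a sustained slow attacker never ages out while an idle one is forgiven after a minute.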
Other (potential?) Attack Vectors
• Complex structures such as: SOAP, JSON, REST
• Encapsulated protocols such as: SIP, AJAX binary streams
Future Research
• Use a protocol fuzzer such as PEACH or SPIKE to explore the entropy of HTTP RFC-compliant input
• Use nested and/or broken data structures to detect server-side zombie behavior
"If we knew what it was we were doing, it would not be called research, would it?" (Albert Einstein)
References
• SlowLoris: http://ha.ckers.org/slowloris/
• Anti-SlowLoris Patch: http://synflood.at/tmp/anti-slowloris.diff
• Mitigation with ModSecurity: http://blog.spiderlabs.com/2010/11/advanced-topic-of-the-week-mitigating-slow-http-dos-attacks.html
• R.U.D.Y: http://hybridsec.com/tools/rudy/
• Chapters In Web Security: http://chaptersinwebsecurity.blogspot.com
Thank You raviv@hybridsec.com