1 / 19

Universal HTTP Denial-of-Service

Universal HTTP Denial-of-Service. About Hybrid. Creating web-business-logic security Doing cool stuff in AI research Optimizing acceptance rate for Web-bound transactions Minimizing false rejects typical to signature-based solutions. How Would You Like Your Website? Slow or DEAD ?.

liam
Download Presentation

Universal HTTP Denial-of-Service

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Universal HTTP Denial-of-Service

  2. About Hybrid • Creating web-business-logic security • Doing cool stuff in AI research • Optimizing acceptance rate for Web-bound transactions • Minimizing false rejects typical to signature-based solutions

  3. How Would You Like Your Website?Slow or DEAD? • Slowloris abuses handling ofHTTP request headers ssslooowly… • Written by RSnake • Iteratively injects one custom header at a time and goes to sleep • Web server vainly awaits the line space that will never come  • Stuck in phase I forever. Kinda like Tron • R-U-Dead-Yet? abuses HTTP web form fields • Iteratively injects one custom byte into a web application post field and goes to sleep • Application threads become zombies awaiting ends of posts till death lurks upon the website • Stuck in phase II forever. Kinda like Tron sequels

  4. SlowLoris According to HTTP RFC 2616: Request = Request-Line *(( general-header | request-header | entity-header ) CRLF) CRLF [ message-body ]

  5. SlowLoris GET http://www.google.com/ HTTP/1.1 Host: www.google.com Connection: keep-alive User-Agent: Mozilla/5.0 X-a: b X-a: b X-a: b X-a: b X-a: b X-a: b

  6. SlowLoris DEMO

  7. SlowLoris Mitigation

  8. Patching Apache • Use Apache Patchto moderate average timeout thresholds(Link at end of presentation)

  9. According to SpiderLabs: • ModSecurity >=2.5.13 • Add directive: “SecReadStateLimit 5” • Then ModSecurity Alerts like this:“ [Mon Nov 22 17:44:46 2010] [warn] ModSecurity: Access denied with code 400. Too many connections [6] of 5 allowed in READ state from 211.144.112.20 - Possible DoS Consumption Attack [Rejected] ”

  10. R-U-D-Y POST http://victim.com/ Host: victim.com Connection: keep-alive Content-Length: 1000000 User-Agent: Mozilla/5.0 Cookie: __utmz=181569312.1294666144.1.1 username=AAAAAAAAAAAAAAAAAAAAAAAAA… Vulnerability discovered by Tom Brennan and Wong Onn Chee: http://www.owasp.org/images/4/43/Layer_7_DDOS.pdf

  11. R-U-D-Y DEMO

  12. Waging War Upon SCADA

  13. Waging War Upon SCADA • Stuxnet operated from within Iran’s nuclear facilities to tamper with uranium-enrichment centrifuges • R-U-D-Y integrated with SHODAN’s API could allow automatic location and disruption of Web-facing SCADA controllers from any anonymous location on Earth

  14. R-U-D-Y Mitigation • Add directive: “RequestReadTimeout body=30” • Add a rule:SecRule RESPONSE_STATUS "@streq 408“ \ "phase:5,t:none,nolog,pass, \setvar:ip.slow_dos_counter=+1,expirevar:ip. \slow_dos_counter=60"SecRule IP:SLOW_DOS_COUNTER "@gt 5“ \ "phase:1,t:none,log,drop, \msg:'Client Connection Dropped due to high \ # of slow DoS alerts'"

  15. Other (potential?) Attack Vectors • Complex structures such as: SOAP, JSON, REST • Encapsulated protocols such as: SIP, AJAX binary streams

  16. Future Research • Use a protocol fuzzer such as PEACH or SPIKE to explore the entropy of HTTP RFC-compliant input • Use nested and/or broken data structures to detect server-side zombie behavior If we knew what it was we were doing, it would not be called research, would it? (Albert Einstein)

  17. Reference • SlowLoris:http://ha.ckers.org/slowloris/ • Anti-SlowLoris Patch:http://synflood.at/tmp/anti-slowloris.diff • Mitigation with ModSecurity: http://blog.spiderlabs.com/2010/11/advanced-topic-of-the-week-mitigating-slow-http-dos-attacks.html • R.U.D.Y:http://hybridsec.com/tools/rudy/ • Chapters In Web Security:http://chaptersinwebsecurity.blogspot.com

  18. Thank You raviv@hybridsec.com

More Related