Universal HTTP Denial-of-Service - PowerPoint PPT Presentation


Presentation Transcript

Universal HTTP Denial-of-Service



About Hybrid

  • Creating web-business-logic security

  • Doing cool stuff in AI research

  • Optimizing acceptance rate for Web-bound transactions

  • Minimizing false rejects typical to signature-based solutions


How Would You Like Your Website? Slow or DEAD?

  • Slowloris abuses handling of HTTP request headers ssslooowly…

  • Written by RSnake

  • Iteratively injects one custom header at a time and goes to sleep

  • Web server vainly awaits the blank line (the terminating CRLF) that will never come

  • Stuck in phase I forever. Kinda like Tron

  • R-U-Dead-Yet? abuses HTTP web form fields

  • Iteratively injects one custom byte into a web application post field and goes to sleep

  • Application threads become zombies awaiting ends of posts till death lurks upon the website

  • Stuck in phase II forever. Kinda like Tron sequels


SlowLoris

According to HTTP RFC 2616:

    Request = Request-Line
              *(( general-header
                | request-header
                | entity-header ) CRLF)
              CRLF
              [ message-body ]


SlowLoris

    GET http://www.google.com/ HTTP/1.1
    Host: www.google.com
    Connection: keep-alive
    User-Agent: Mozilla/5.0
    X-a: b
    X-a: b
    X-a: b
    X-a: b
    X-a: b
    X-a: b
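The header phase that Slowloris keeps a server stuck in, as an added example that is not part of the presentation or of the tool's author's code: a small Python model of the request-head reader that the RFC 2616 grammar above implies, with the control that ends the problem, a deadline on the whole header phase measured from the first byte (the same idea as Apache's RequestReadTimeout header setting). It is fed the slide's request first as a normal client sends it, then as a client that trickles one X-a line every 10 s and never sends the blank line. HeadReader, parse_head, simulate and the sample chunks are all this example's own constructions.

```python
"""
Added example (not part of the presentation): a minimal model of the request-head
reader that RFC 2616's grammar implies, plus the control that defeats a
header-trickling client, a deadline on the whole header phase.
All class and function names are this example's own.
"""
import re
from typing import List, Optional, Tuple

HEAD_END = b"\r\n\r\n"  # the empty line that ends the header section
REQUEST_LINE_RE = re.compile(rb"^([A-Z]+) (\S+) (HTTP/\d\.\d)$")


class HeadReader:
    """Accumulates one request head; leaves 'reading' only on the blank line,
    the deadline, or the size cap."""

    def __init__(self, deadline_s: float, max_head_bytes: int = 8192):
        self.deadline_s = deadline_s            # budget for the entire header phase
        self.max_head_bytes = max_head_bytes    # cap on accumulated header bytes
        self.started_at: Optional[float] = None
        self.buf = b""
        self.state = "reading"                  # reading | complete | timeout | too_large

    def feed(self, chunk: bytes, now: float) -> str:
        """Consume bytes that arrived at time `now` (seconds); return the new state."""
        if self.started_at is None:
            self.started_at = now
        if self.state != "reading":
            return self.state
        # Measured from the first byte, so one header line every few seconds
        # cannot keep pushing the deadline out.
        if now - self.started_at > self.deadline_s:
            self.state = "timeout"
            return self.state
        self.buf += chunk
        if len(self.buf) > self.max_head_bytes:
            self.state = "too_large"
        elif HEAD_END in self.buf:
            self.state = "complete"
        return self.state

    def check(self, now: float) -> str:
        """Timer hook: a client that sends nothing at all must still time out."""
        return self.feed(b"", now)


def parse_head(head: bytes) -> Tuple[bytes, bytes, bytes, List[Tuple[bytes, bytes]]]:
    """Split a complete head into (method, target, version, [(name, value), ...])."""
    lines = head[: head.index(HEAD_END)].split(b"\r\n")
    m = REQUEST_LINE_RE.match(lines[0])
    if m is None:
        raise ValueError("malformed request line")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError("malformed header line")
        headers.append((name.strip().lower(), value.strip()))
    return m.group(1), m.group(2), m.group(3), headers


# Constructed sample: the head on the slide as a well-behaved client sends it,
# all at once and terminated by the blank line.
NORMAL_HEAD = (
    b"GET http://www.google.com/ HTTP/1.1\r\n"
    b"Host: www.google.com\r\n"
    b"Connection: keep-alive\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    + b"X-a: b\r\n" * 6
    + b"\r\n"
)

# Constructed sample: the same request line, then one filler header every
# 10 s and never the blank line (the pattern the slide describes).
SLOW_CHUNKS = [(0.0, b"GET http://www.google.com/ HTTP/1.1\r\nHost: www.google.com\r\n")] + [
    (10.0 * i, b"X-a: b\r\n") for i in range(1, 4)
]


def simulate(chunks: List[Tuple[float, bytes]], deadline_s: float, until: float) -> str:
    """Replay timestamped chunks through a HeadReader, then run the timer at `until`."""
    reader = HeadReader(deadline_s)
    for t, data in chunks:
        if reader.feed(data, t) != "reading":
            break
    return reader.check(until)


if __name__ == "__main__":
    print("normal client:", simulate([(0.0, NORMAL_HEAD)], 20.0, 60.0))
    print("trickling client:", simulate(SLOW_CHUNKS, 20.0, 60.0))
    method, target, version, headers = parse_head(NORMAL_HEAD)
    print(method, target, version, sum(1 for n, _ in headers if n == b"x-a"), "X-a headers")
```

The point of the model is the state machine: "complete" is only reachable through the blank line, so without a phase-wide deadline the trickling client holds its worker for as long as it likes. A per-read socket timeout alone does not help, because each X-a line arrives well inside it; the deadline has to be anchored to the start of the head.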


SlowLoris

DEMO



Patching Apache

  • Use the Apache patch to moderate average timeout thresholds (link at end of presentation)


According to SpiderLabs:

  • ModSecurity >=2.5.13

  • Add directive: SecReadStateLimit 5

  • Then ModSecurity alerts like this:
    [Mon Nov 22 17:44:46 2010] [warn] ModSecurity: Access denied with code 400. Too many connections [6] of 5 allowed in READ state from 211.144.112.20 - Possible DoS Consumption Attack [Rejected]
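Turning that alert line into something a SOC can count on, as an added example that is neither the presentation's nor SpiderLabs' code: a Python parser for the SecReadStateLimit alert format above, run over a few Apache error-log lines, with a per-source summary. The first log line is the one on the slide; the remaining lines, the 198.51.100.7 address and the function names (parse_alert, parse_log, summarize, repeat_offenders) are constructed for this example.

```python
"""
Added example (not from the presentation or from SpiderLabs): a parser for the
SecReadStateLimit alert format shown above, run over a few Apache error-log
lines, plus a per-source summary. The first log line is the one on the slide;
the others are constructed for this example (198.51.100.7 is a documentation
address). Function names are this example's own.
"""
import re
from typing import Dict, List, Optional

ALERT_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[warn\] ModSecurity: Access denied with code (?P<code>\d+)\. "
    r"Too many connections \[(?P<seen>\d+)\] of (?P<limit>\d+) allowed in READ state "
    r"from (?P<ip>[0-9A-Fa-f.:]+) - Possible DoS Consumption Attack \[Rejected\]"
)

# Constructed sample log: line 1 is from the slide, the rest are made up for the example.
SAMPLE_LOG = """\
[Mon Nov 22 17:44:46 2010] [warn] ModSecurity: Access denied with code 400. Too many connections [6] of 5 allowed in READ state from 211.144.112.20 - Possible DoS Consumption Attack [Rejected]
[Mon Nov 22 17:44:47 2010] [notice] Apache configured -- resuming normal operations
[Mon Nov 22 17:44:49 2010] [warn] ModSecurity: Access denied with code 400. Too many connections [9] of 5 allowed in READ state from 211.144.112.20 - Possible DoS Consumption Attack [Rejected]
[Mon Nov 22 17:45:02 2010] [warn] ModSecurity: Access denied with code 400. Too many connections [6] of 5 allowed in READ state from 198.51.100.7 - Possible DoS Consumption Attack [Rejected]
"""


def parse_alert(line: str) -> Optional[Dict[str, object]]:
    """Return the alert's fields, or None for any other error-log line."""
    m = ALERT_RE.match(line.strip())
    if m is None:
        return None
    return {
        "ts": m.group("ts"),
        "ip": m.group("ip"),
        "code": int(m.group("code")),
        "seen": int(m.group("seen")),     # connections this client had in READ state
        "limit": int(m.group("limit")),   # the configured SecReadStateLimit
    }


def parse_log(text: str) -> List[Dict[str, object]]:
    """All SecReadStateLimit alerts in an error-log excerpt, in file order."""
    return [a for a in (parse_alert(l) for l in text.splitlines()) if a is not None]


def summarize(alerts: List[Dict[str, object]]) -> Dict[str, Dict[str, int]]:
    """Per source IP: number of alerts and the highest READ-state count observed."""
    out: Dict[str, Dict[str, int]] = {}
    for a in alerts:
        s = out.setdefault(str(a["ip"]), {"alerts": 0, "peak": 0})
        s["alerts"] += 1
        s["peak"] = max(s["peak"], int(a["seen"]))
    return out


def repeat_offenders(alerts: List[Dict[str, object]], min_alerts: int = 2) -> List[str]:
    """IPs that tripped the limit at least `min_alerts` times, worst first."""
    summary = summarize(alerts)
    ips = [ip for ip, s in summary.items() if s["alerts"] >= min_alerts]
    return sorted(ips, key=lambda ip: (-summary[ip]["alerts"], -summary[ip]["peak"]))


if __name__ == "__main__":
    alerts = parse_log(SAMPLE_LOG)
    for ip, s in summarize(alerts).items():
        print(f"{ip}: {s['alerts']} alerts, peak {s['peak']} connections in READ state")
    print("repeat offenders:", repeat_offenders(alerts))
```

The "seen" value is worth keeping separately from the alert count: a client that shows up once at 6 of 5 may be a misbehaving proxy, while one whose READ-state count keeps climbing across successive alerts is holding connections open on purpose.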


R-U-D-Y

    POST http://victim.com/
    Host: victim.com
    Connection: keep-alive
    Content-Length: 1000000
    User-Agent: Mozilla/5.0
    Cookie: __utmz=181569312.1294666144.1.1

    username=AAAAAAAAAAAAAAAAAAAAAAAAA…

Vulnerability discovered by Tom Brennan and Wong Onn Chee: http://www.owasp.org/images/4/43/Layer_7_DDOS.pdf


R-U-D-Y

DEMO



Waging War Upon SCADA

  • Stuxnet operated from within Iran’s nuclear facilities to tamper with uranium-enrichment centrifuges

  • R-U-D-Y integrated with SHODAN’s API could allow automatic location and disruption of Web-facing SCADA controllers from any anonymous location on Earth


R-U-D-Y Mitigation

  • Add directive: RequestReadTimeout body=30

  • Add a rule:

    SecRule RESPONSE_STATUS "@streq 408" \
        "phase:5,t:none,nolog,pass, \
        setvar:ip.slow_dos_counter=+1,expirevar:ip.slow_dos_counter=60"

    SecRule IP:SLOW_DOS_COUNTER "@gt 5" \
        "phase:1,t:none,log,drop, \
        msg:'Client Connection Dropped due to high # of slow DoS alerts'"
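How that pair of rules behaves over time, as an added example that is not the presentation's or SpiderLabs' code: a Python model of the counter, its 60 s expiry and the drop threshold, replayed over constructed request events so the rule logic can be checked before it goes live. The modelled semantics are that at phase 5 every 408 response increments ip.slow_dos_counter and pushes its expiry 60 s out, and at phase 1 any request from an IP whose live counter exceeds 5 is dropped. SlowDosTracker, Event, replay, the sample events and the documentation-range IPs are this example's own.

```python
"""
Added example (not from the presentation): a Python model of the two ModSecurity
rules above, replayed over constructed request events, so the counter, its
60 s expiry and the drop threshold can be checked before the rules go live.
Modelled semantics: at phase 5 every 408 response increments ip.slow_dos_counter
and pushes its expiry 60 s out (setvar + expirevar); at phase 1 a request from
an IP whose live counter is greater than 5 is dropped. Class and function names
are this example's own; the IPs are documentation addresses.
"""
from typing import Dict, List, NamedTuple


class Event(NamedTuple):
    t: float      # seconds since start of the replay
    ip: str       # client address (ModSecurity's IP collection key)
    status: int   # status the server would have produced if not dropped


class SlowDosTracker:
    def __init__(self, threshold: int = 5, ttl_s: float = 60.0):
        self.threshold = threshold          # "@gt 5"
        self.ttl_s = ttl_s                  # "expirevar:ip.slow_dos_counter=60"
        self.counter: Dict[str, int] = {}
        self.expires: Dict[str, float] = {}

    def _live_counter(self, ip: str, now: float) -> int:
        """Current counter, honouring expiry: a lapsed variable reads as absent."""
        if ip in self.expires and now > self.expires[ip]:
            self.counter.pop(ip, None)
            self.expires.pop(ip, None)
        return self.counter.get(ip, 0)

    def phase1(self, ip: str, now: float) -> bool:
        """SecRule IP:SLOW_DOS_COUNTER "@gt 5" ... drop  ->  True means drop."""
        return self._live_counter(ip, now) > self.threshold

    def phase5(self, ip: str, status: int, now: float) -> None:
        """SecRule RESPONSE_STATUS "@streq 408" ... setvar:+1, expirevar:60."""
        if status == 408:
            self.counter[ip] = self._live_counter(ip, now) + 1
            self.expires[ip] = now + self.ttl_s


def replay(events: List[Event]) -> Dict[str, List[float]]:
    """Return, per IP, the timestamps of the requests the rules would drop."""
    tracker = SlowDosTracker()
    dropped: Dict[str, List[float]] = {}
    for ev in sorted(events, key=lambda e: e.t):
        if tracker.phase1(ev.ip, ev.t):
            dropped.setdefault(ev.ip, []).append(ev.t)
            continue        # dropped at phase 1: no response, so nothing to count
        tracker.phase5(ev.ip, ev.status, ev.t)
    return dropped


# Constructed sample traffic.
# 198.51.100.7: six requests that each stall until RequestReadTimeout fires
#               (408), 5 s apart, then two more attempts.
# 203.0.113.9:  one 408 every 70 s, so each one lands after the previous
#               counter has expired (a slow but legitimate client).
# 192.0.2.1:    ordinary 200s.
SAMPLE_EVENTS = (
    [Event(5.0 * i, "198.51.100.7", 408) for i in range(6)]
    + [Event(30.0, "198.51.100.7", 200), Event(35.0, "198.51.100.7", 200)]
    + [Event(70.0 * i, "203.0.113.9", 408) for i in range(7)]
    + [Event(3.0 * i, "192.0.2.1", 200) for i in range(20)]
)


if __name__ == "__main__":
    for ip, times in replay(SAMPLE_EVENTS).items():
        print(f"{ip}: dropped at t={times}")
```

Two properties of the rules fall out of the replay: the drop only takes effect on the request after the sixth 408, because the counter is updated at phase 5 and consulted at phase 1, and a client whose 408s are more than 60 s apart never accumulates, since expirevar is refreshed on every hit rather than fixed from the first one. Tune the threshold and body timeout against that second case so slow-but-honest clients on poor links are not caught.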


Other (potential?) Attack Vectors

  • Complex structures such as: SOAP, JSON, REST

  • Encapsulated protocols such as: SIP, AJAX binary streams


Future Research

  • Use a protocol fuzzer such as PEACH or SPIKE to explore the entropy of HTTP RFC-compliant input

  • Use nested and/or broken data structures to detect server-side zombie behavior

If we knew what it was we were doing, it would not be called research, would it?

(Albert Einstein)


Reference

  • SlowLoris: http://ha.ckers.org/slowloris/

  • Anti-SlowLoris Patch: http://synflood.at/tmp/anti-slowloris.diff

  • Mitigation with ModSecurity: http://blog.spiderlabs.com/2010/11/advanced-topic-of-the-week-mitigating-slow-http-dos-attacks.html

  • R.U.D.Y: http://hybridsec.com/tools/rudy/

  • Chapters In Web Security: http://chaptersinwebsecurity.blogspot.com



Thank You

raviv@hybridsec.com