
Universal HTTP Denial-of-Service

Presentation Transcript

Universal HTTP Denial-of-Service


About Hybrid

  • Creating web-business-logic security

  • Doing cool stuff in AI research

  • Optimizing acceptance rate for Web-bound transactions

  • Minimizing false rejects typical to signature-based solutions

How Would You Like Your Website? Slow or DEAD?

  • Slowloris abuses handling of HTTP request headers ssslooowly…

  • Written by RSnake

  • Iteratively injects one custom header at a time and goes to sleep

  • Web server vainly awaits the empty line that will never come

  • Stuck in phase I forever. Kinda like Tron

  • R-U-Dead-Yet? abuses HTTP web form fields

  • Iteratively injects one custom byte into a web application post field and goes to sleep

  • Application threads become zombies awaiting ends of posts till death lurks upon the website

  • Stuck in phase II forever. Kinda like Tron sequels

Slowloris

According to HTTP RFC 2616:

    Request = Request-Line
              *(( general-header
                | request-header
                | entity-header ) CRLF)
              CRLF
              [ message-body ]

Slowloris (continued)

    GET http://www.google.com/ HTTP/1.1
    Host: www.google.com
    Connection: keep-alive
    User-Agent: Mozilla/5.0
    X-a: b
    X-a: b
    X-a: b
    X-a: b
    X-a: b
    X-a: b

Patching Apache

  • Use the Apache patch to moderate average timeout thresholds (link at end of presentation)

According to SpiderLabs:

  • ModSecurity >= 2.5.13

  • Add directive: SecReadStateLimit 5

  • Then ModSecurity alerts like this:

    [Mon Nov 22 17:44:46 2010] [warn] ModSecurity: Access denied with code 400. Too many connections [6] of 5 allowed in READ state from - Possible DoS Consumption Attack [Rejected]

R-U-Dead-Yet

    POST http://victim.com/
    Host: victim.com
    Connection: keep-alive
    Content-Length: 1000000
    User-Agent: Mozilla/5.0
    Cookie: __utmz=181569312.1294666144.1.1

Vulnerability discovered by Tom Brennan and Wong Onn Chee.


Waging War Upon SCADA

  • Stuxnet operated from within Iran’s nuclear facilities to tamper with uranium-enrichment centrifuges

  • R-U-D-Y integrated with SHODAN’s API could allow automatic location and disruption of Web-facing SCADA controllers from any anonymous location on Earth

R-U-D-Y Mitigation

  • Add directive: RequestReadTimeout body=30

  • Add a rule:

    SecRule RESPONSE_STATUS "@streq 408" \
        "phase:5,t:none,nolog,pass,setvar:ip.slow_dos_counter=+1,expirevar:ip.slow_dos_counter=60"

    SecRule IP:SLOW_DOS_COUNTER "@gt 5" \
        "phase:1,t:none,log,drop,msg:'Client Connection Dropped due to high # of slow DoS alerts'"
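Added example, not part of the presentation or of the tools it references: a small Python model of how a server-side read timeout splits a request into the two phases the slides describe, the header block (phase I, where Slowloris stalls) and the body announced by Content-Length (phase II, where R-U-Dead-Yet stalls). The RequestReader class, the outcome() helper, the header deadline and the three traces are constructed; only the 30-second body limit is taken from the RequestReadTimeout directive above.

```python
from dataclasses import dataclass
from typing import Optional

HEADER_DEADLINE = 20.0  # constructed: seconds allowed to finish the header block
BODY_DEADLINE = 30.0    # mirrors the slide's "RequestReadTimeout body=30"

@dataclass
class RequestReader:
    """Tracks one connection through phase I (headers) and phase II (body)."""
    start: float                              # time the connection was opened
    buf: bytes = b""                          # unparsed header bytes
    headers_done_at: Optional[float] = None   # set once the empty CRLF line arrives
    content_length: int = 0
    body_len: int = 0

    def feed(self, t: float, chunk: bytes) -> Optional[str]:
        """Consume a chunk received at time t. Returns '200' when complete, '408' when the
        current phase is over its deadline (a real server uses a timer), else None."""
        if self.headers_done_at is None:
            self.buf += chunk
            end = self.buf.find(b"\r\n\r\n")
            if end < 0:
                # Phase I: Slowloris keeps adding "X-a: b" lines but never the empty line.
                return "408" if t - self.start > HEADER_DEADLINE else None
            self.headers_done_at = t
            for line in self.buf[:end].split(b"\r\n")[1:]:
                name, _, value = line.partition(b":")
                if name.strip().lower() == b"content-length":
                    self.content_length = int(value.strip())
            chunk, self.buf = self.buf[end + 4:], b""   # bytes after the empty line start the body
        self.body_len += len(chunk)
        if self.body_len >= self.content_length:
            return "200"
        # Phase II: R-U-Dead-Yet declares a huge Content-Length and posts one byte at a time.
        return "408" if t - self.headers_done_at > BODY_DEADLINE else None

def outcome(trace):
    """Replay a constructed list of (time, chunk) pairs; return the first verdict or None."""
    reader = RequestReader(start=trace[0][0])
    for t, chunk in trace:
        verdict = reader.feed(t, chunk)
        if verdict:
            return verdict

# Constructed traces: a normal client, a Slowloris-style header trickle (one header line
# every 10 s, never the empty line) and a RUDY-style body trickle (one byte every 10 s).
HEAD = b"POST / HTTP/1.1\r\nHost: victim.test\r\nContent-Length: 1000000\r\n"
NORMAL = [(0.0, b"POST / HTTP/1.1\r\nHost: victim.test\r\nContent-Length: 3\r\n\r\nabc")]
SLOWLORIS = [(10.0 * i, line) for i, line in enumerate([HEAD] + [b"X-a: b\r\n"] * 5)]
RUDY = [(0.0, HEAD + b"\r\n")] + [(10.0 * i, b"A") for i in range(1, 6)]
```

Replaying the three traces with outcome() gives "200" for the normal client and "408" for both trickles, which is the behaviour the directives above enforce on a real server.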

Other (potential?) Attack Vectors

  • Complex structures such as: SOAP, JSON, REST

  • Encapsulated protocols such as: SIP, AJAX binary streams

Future Research

  • Use a protocol fuzzer such as PEACH or SPIKE to explore the entropy of HTTP RFC-compliant input

  • Use nested and/or broken data structures to detect server-side zombie behavior

If we knew what it was we were doing, it would not be called research, would it?

(Albert Einstein)

References

  • SlowLoris: http://ha.ckers.org/slowloris/

  • Anti-SlowLoris Patch: http://synflood.at/tmp/anti-slowloris.diff

  • Mitigation with ModSecurity: http://blog.spiderlabs.com/2010/11/advanced-topic-of-the-week-mitigating-slow-http-dos-attacks.html

  • R.U.D.Y: http://hybridsec.com/tools/rudy/

  • Chapters In Web Security: http://chaptersinwebsecurity.blogspot.com


Thank You