Page 1 (source: events.ccc.de/.../2007...web_application_platforms.pdf)
Efficient Denial of Service Attacks on Web Application Platforms
Alexander “alech” Klink, n.runs AG
Julian “zeri” Wälde, TU Darmstadt
December 28th, 2011. 28th Chaos Communication Congress. Berlin, Germany.
#hashDoS
Page 2
Who are we?
Julian “zeri” Wälde
theoretical security
Page 3
Who are we?
Alexander “alech” Klink
applied security
Page 4
How did we get here?
Trollhöhle (Chaos Darmstadt)
perldoc perlsec, section “Algorithmic Complexity Attacks”
Page 5
Live demo, part I
Page 6
Hash table
Source: https://commons.wikimedia.org/wiki/File:Hashish.jpg, Public Domain Source: https://commons.wikimedia.org/wiki/File:Bernerhof_Large_Salon.jpg, CC-BY Sandstein
Page 7
Have you seen this code?

```
h = {}            # empty hash table
h['foo'] = 'bar'  # insert
print h['foo']    # lookup, prints 'bar'
```

valid Ruby/Python code; (slightly) different syntax elsewhere
Page 8
Do you know how it works?
!?
Page 9
How it works (insertion): h['login'] = 'root'
hash('login') = 2
buckets: 0 1 2 3 4 5
bucket 2: ['login','root']
Page 10
How it works (insertion): h['pass'] = '0hn0z'
hash('pass') = 4
buckets: 0 1 2 3 4 5
bucket 2: ['login','root']
bucket 4: ['pass','0hn0z']
Page 11
How it works (insertion): h['cmd'] = 'rm -rf /*'
hash('cmd') = 2 (collides with 'login')
buckets: 0 1 2 3 4 5
bucket 2: ['login','root'] → ['cmd','rm -rf /*']
bucket 4: ['pass','0hn0z']
Page 12
Complexity: best/average case
One element: insert O(1), lookup O(1), (delete) O(1)
n elements: insert O(n), lookup O(n), (delete) O(n)
aka “pretty damn fast”
Page 13
Complexity: worst case
n elements: insert O(n²), lookup O(n²), (delete) O(n²)
aka “a tortoise is fast against it”
buckets: 0 1 2 3 4 5
bucket 0: ['EzEz',''] → ['EzFY',''] → ['FYEz',''] → ['FYFY',''] → ?
Page 17
The worst case in real life
200,000 multi-collisions à 10 bytes: roughly 2 MB
40,000,000,000 string comparisons; on a 1 GHz machine, this is at least 40 s
Page 18
Live demo, part II
Page 19
Hash functions: definition
● collision resistance?
● one-way?
● fixed output length?
Page 23
Do you know this guy?
Page 24
Dan “djb” Bernstein (at 27C3)
Page 25
DJBX33A

```c
uint32_t hash(const char *arKey, uint32_t nKeyLength) {
    uint32_t hash = 5381;
    for (; nKeyLength > 0; nKeyLength -= 1) {
        hash = ((hash << 5) + hash) + *arKey++;   /* hash × 33, then add the byte */
    }
    return hash;
}
```

(“times 33, add”)
Page 27
java.lang.String.hashCode()

```c
uint32_t hash(const char *arKey, uint32_t nKeyLength) {
    uint32_t hash = 0;
    for (; nKeyLength > 0; nKeyLength -= 1) {
        hash = ((hash << 5) - hash) + *arKey++;   /* hash × 31, then add the byte */
    }
    return hash;
}
```

(“times 31”)
Page 28
Equivalent substrings
$h(s) = \sum_{i=1}^{n} 31^{\,n-i} \cdot s_i$
h('Ey') = 31^1 · 69 + 31^0 · 121 = 2260
h('FZ') = 31^1 · 70 + 31^0 · 90 = 2260
h('Eya') = 31 · (31^1 · 69 + 31^0 · 121) + 31^0 · 97 = 31 · (31^1 · 70 + 31^0 · 90) + 31^0 · 97 = h('FZa')
Page 29
Equivalent substrings
I.   h('EzEz')   (00)
II.  = h('EzFY') (01)
III. = h('FYEz') (10)
IV.  = h('FYFY') (11)
Page 30
Equivalent substrings
h('tt') = h('uU') = h('v6')
I.    h('tttt')   (00)
II.   = h('ttuU') (01)
III.  = h('ttv6') (02)
IV.   = h('uUtt') (10)
V.    = h('uUuU') (11)
VI.   = h('uUv6') (12)
VII.  = h('v6tt') (20)
VIII. = h('v6uU') (21)
IX.   = h('v6v6') (22)
Page 31
Generating 3^n collisions

```ruby
# every base-3 string of length n, zero-padded: "0...0" to "2...2"
base3_strings = (0..3**n-1).map do |i|
  i.to_s(3).rjust(n, '0')
end
# replace each digit by one of the three equivalent substrings
base3_strings.map do |s|
  s.gsub('0', 'tt').gsub('1', 'uU').gsub('2', 'v6')
end
```
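The slides' 3^n equivalent-substring construction fed into a chained hash table that counts string comparisons, as an added example (not from the talk). It also exercises the two mitigations mentioned later in the deck, PHP's max_input_vars cap (page 53) and a randomized, keyed hash function (page 70); the `seed` parameter and the BLAKE2b stand-in are my assumptions, not anything the talk or the affected projects shipped.

```python
import hashlib
import secrets
from itertools import product

MASK32 = 0xFFFFFFFF


def mult_hash(s, mult, init=0, seed=0):
    """h = mult*h + c over the characters of s, reduced mod 2^32.
    mult=31, init=0 is java.lang.String.hashCode(); mult=33, init=5381 is DJBX33A.
    `seed` is a hypothetical randomised start value (not on the slides), used
    below to show that seeding the start value alone does not break
    collisions between equal-length strings: seed*mult^n is a common term."""
    h = (init + seed) & MASK32
    for ch in s:
        h = (mult * h + ord(ch)) & MASK32
    return h


def java_hash(s, seed=0):
    return mult_hash(s, 31, 0, seed)


def djbx33a(s, seed=0):
    return mult_hash(s, 33, 5381, seed)


def equivalent_substring_keys(n):
    """The slides' 3^n construction: 'tt', 'uU' and 'v6' share a Java hash,
    so every length-2n string built from them collides with all the others."""
    return ["".join(p) for p in product(("tt", "uU", "v6"), repeat=n)]


def keyed_hash(s, key):
    """Keyed BLAKE2b truncated to 32 bits: a stand-in for the per-process
    randomised hash functions shipped as the CRuby/JRuby fix (CVE-2011-4815)."""
    digest = hashlib.blake2b(s.encode(), key=key, digest_size=4).digest()
    return int.from_bytes(digest, "big")


class CountingTable:
    """Chained hash table that counts the string comparisons done on insert."""

    def __init__(self, hash_fn, nbuckets=1024):
        self.hash_fn = hash_fn
        self.buckets = [[] for _ in range(nbuckets)]
        self.comparisons = 0

    def insert(self, key, value):
        chain = self.buckets[self.hash_fn(key) % len(self.buckets)]
        for entry in chain:      # one string comparison per entry already in the chain
            self.comparisons += 1
            if entry[0] == key:
                entry[1] = value
                return
        chain.append([key, value])


def parse_form(pairs, hash_fn, max_input_vars=None):
    """Load (name, value) POST pairs into a CountingTable; with max_input_vars
    set, stop after that many pairs, like PHP's max_input_vars directive."""
    table = CountingTable(hash_fn)
    for i, (name, value) in enumerate(pairs):
        if max_input_vars is not None and i >= max_input_vars:
            break
        table.insert(name, value)
    return table


def comparisons_per_setup(n=5):
    """Insert 3^n colliding names four ways and return the comparison counts."""
    pairs = [(k, "") for k in equivalent_substring_keys(n)]   # 243 names for n=5
    key = secrets.token_bytes(16)                              # secret, chosen per process
    return {
        "plain":  parse_form(pairs, java_hash).comparisons,
        "seeded": parse_form(pairs, lambda s: java_hash(s, seed=0x12345678)).comparisons,
        "capped": parse_form(pairs, java_hash, max_input_vars=100).comparisons,
        "keyed":  parse_form(pairs, lambda s: keyed_hash(s, key)).comparisons,
    }


if __name__ == "__main__":
    for name, count in comparisons_per_setup().items():
        print(f"{name:7s} {count:6d} string comparisons")
```

With 243 colliding names the plain and seeded tables both do 243·242/2 = 29,403 comparisons, the cap bounds the work at 100·99/2 = 4,950, and the keyed hash scatters the names across buckets so the count stays in the tens.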
Page 32
Hash functions: definition
h : {0,1}* → {0,1}^n
typically n = 32
Page 33
Remember this guy?
Page 34
DJBX33X

```c
uint32_t hash(const char *arKey, uint32_t nKeyLength) {
    uint32_t hash = 5381;
    for (; nKeyLength > 0; nKeyLength -= 1) {
        hash = ((hash << 5) + hash) ^ *arKey++;   /* hash × 33, then XOR the byte */
    }
    return hash;
}
```

(“times 33, XOR”)
Page 35
How To Attack This?
● Equivalent Substrings?
● No – this function is nonlinear
● Bruteforce?
● Yes, but it takes several minutes per string
Page 36
Cost of brute-forcing
Hit one specific hash value: 2^31 attempts
Hit one in two specific hash values: 2^30 attempts
Hit one in four specific hash values: 2^29 attempts
…
Hit one in 2^n specific hash values: 2^(31−n) attempts
Page 37
(Let's) Meet In The Middle

```
# Precomputation: filling the lookup table
repeat 2**16 times do
  s := randomsuffix          # 3 char string
  h := hashback(s, target)
  precomp[h] := s
end
```
Page 38
(Let's) Meet In The Middle

```
# Finding preimages
loop do
  s := randomprefix          # 7 char string
  h := hashforth(s)
  if h in precomp then
    print s + precomp[h]     # 10 char preimage
  end
end
```
Page 39
(Let's) Meet In The Middle
Lookup table excerpt (hash value : suffix):
000cc3f7 : 'RMh'
000cc3f7 : 'Slh'
00a07ae0 : 'Aon'
…
3b847a29 : 'Upl'
3b847a2a : 'vpl'
3b847a2a : 'wQl'
…
99976963 : 'CUu'
99976964 : 'dUu'
99976964 : 'etu'
h(x)  0  'QCMWaIO'
Page 41
Stand back, I am going to use math!
Page 42
XOR
A ⊕ B ⊕ B = A
Page 43
Multiplication
33 · 1041204193 = 1 (false!)
Page 44
Multiplication
33 · 1041204193 ≡ 1 (mod 2^32)
true in the ring of integers modulo 2^32
aka 32 bit integers
Page 45
DJBX33X done backwards

```c
/* start from the final hash value `end` and undo the rounds for `suffix`,
   last byte first: undo the XOR, then multiply by the inverse of 33 mod 2^32 */
uint32_t hash(char *suffix, uint32_t length, uint32_t end) {
    uint32_t hash = end;
    for (; length > 0; length -= 1) {
        hash = (hash ^ suffix[length - 1]) * 1041204193;   /* XOR, then times 33⁻¹ */
    }
    return hash;
}
```
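The inversion from pages 43 to 45 in Python, as an added example (not the talk's code): it derives the constant 1041204193 as the inverse of 33 modulo 2^32, implements DJBX33X forwards and backwards, and checks the property that hashback/hashforth on pages 37 and 38 rely on. The `bits` parameter is my generalisation to the 64-bit variant the deck mentions for PHP 4 and Python; the sample byte strings are constructed.

```python
MASK32 = 0xFFFFFFFF
INV33_MOD_2_32 = 1041204193           # the constant on pages 43 to 45


def inverse_of_33(bits=32):
    """33 is odd, so it is a unit in the ring of integers modulo 2^bits;
    pow(33, -1, m) (Python 3.8+) returns its inverse. For bits=32 this is
    exactly the slide's constant, for bits=64 the 64-bit equivalent."""
    return pow(33, -1, 1 << bits)


def djbx33x(data, bits=32, init=5381):
    """Forward DJBX33X: hash = (hash * 33) XOR byte, truncated to `bits` bits."""
    mask = (1 << bits) - 1
    h = init
    for c in data:
        h = ((h * 33) ^ c) & mask
    return h


def djbx33x_backwards(suffix, end, bits=32):
    """Page 45 in Python: starting from the final value `end`, undo the rounds
    that absorbed `suffix` (last byte first) and return the state the hash
    had just before `suffix` was processed."""
    mask = (1 << bits) - 1
    inv = inverse_of_33(bits)
    h = end
    for c in reversed(suffix):
        h = ((h ^ c) * inv) & mask    # undo the XOR, then undo the times-33
    return h


def backwards_matches_forwards(prefix, suffix, bits=32):
    """Running the suffix backwards from the full hash must land exactly on
    the hash of the prefix; this is what lets a precomputed suffix table be
    matched against independently hashed prefixes."""
    full = djbx33x(prefix + suffix, bits)
    return djbx33x_backwards(suffix, full, bits) == djbx33x(prefix, bits)


if __name__ == "__main__":
    print(hex(inverse_of_33()), backwards_matches_forwards(b"QCMWaIO", b"RMh"))
```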
Page 46
Attacks
Page 47
Web application technologies

| Technology | Share |
|---|---|
| PHP | 77.3 % |
| ASP.NET | 21.7 % |
| Java | 4 % |
| ColdFusion | 1.2 % |
| Perl | 1 % |
| Ruby | 0.6 % |
| Python | 0.2 % |
| JavaScript | < 0.1 % |

Source: W3Techs.com, 10 December 2011
Page 48
POST data in web applications

PHP:

```php
<?php echo $_POST["param"]; ?>
```

Java servlet:

```java
public void doPost(HttpServletRequest request,
                   HttpServletResponse response)
        throws ServletException, IOException {
    response.getWriter().println(request.getParameter("param"));
}
```

ASP.NET:

```csharp
Response.Write(Request.Form["param"]);
```
Page 49
PHP
PHP 5: DJBX33A, 32 bit → equivalent substrings
PHP 4: DJBX33X, 32 and 64 bit → meet in the middle
default post_max_size: 8 MB
default max_input_time: -1 (unlimited / max_execution_time)
on most distributions: 60 (seconds)
theoretically: 8 MB of POST → 288 minutes of CPU time
realistically: 500k of POST → 1 minute, or 300k → 30 secs
Page 50
PHP: (realistic) efficiency
~70-100 kbit/s → keep one i7 core busy
Page 51
PHP: (realistic) effectiveness
1 Gbit/s → keep ~10,000 i7 cores busy
Page 52
PHP: disclosure state
disclosed November 1st via oCERT
request for update on November 24th:
“We are looking into it. Changing the core hash function in PHP isn't a trivial change and will take us some time.”
– Rasmus Lerdorf
Page 53
PHP: disclosure state
December 15th: http://svn.php.net/viewvc?view=revision&revision=321040
Log: Added max_input_vars directive to prevent attacks based on hash collisions
[…]
+- the following new directives were added++ - max_input_vars - specifies how many GET/POST/COOKIE input variables may be+ accepted. default value 1000.+
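Review bot: the NEWS entry names the new directive and its default (1000) but not what happens when a request exceeds it, so a reader cannot tell whether surplus GET/POST/COOKIE variables are silently dropped, a warning is raised, or the request fails; since the log line presents this as the defence against hash-collision attacks, the entry should state that behaviour and point out that forms legitimately carrying more than 1000 input variables need the limit raised.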
Page 54
ASP.NET
Request.Form is a NameValueCollection object
uses CaseInsensitiveHashCodeProvider.GetHashCode()
→ DJBX33X meet-in-the-middle
4 MB → 650 minutes of CPU time
IIS limits to 90 seconds typically
Page 55
ASP.NET: efficiency
~30 kbit/s → keep one Core2 core busy
Page 56
ASP.NET: effectiveness
1 Gbit/s → keep ~30k Core2 cores busy (figure: 1 dot ≈ 3 CPU cores)
Page 57
ASP.NET: disclosure state
disclosed November 29th via CERT; MSRC case number 12038
Working on a workaround patch (limiting number of parameters), randomizing hash function later
Advisory soon at http://technet.microsoft.com/en-us/security/advisory/2659883
Page 58
Java
String.hashCode(), documented as $h(s) = \sum_{i=1}^{n} 31^{\,n-i} \cdot s_i$
very similar to DJBX33A → equivalent substrings
alternatively, meet in the middle for more collisions
hash result is cached, but only if hash ≠ 0
Page 59
Java – Web Application Servers
● Apache Tomcat
● Apache Geronimo
● Jetty
● Oracle Glassfish
● …
All tested ones use either Hashtable or HashMap to store POST data
Tomcat: 2 MB → 44 minutes of CPU time
Page 60
Java (Tomcat): efficiency
~6 kbit/s → keep one i7 core busy
Page 61
Java (Tomcat): effectiveness
1 Gbit/s → keep ~10^5 i7 cores busy (figure: 1 dot ≈ 10 CPU cores)
Page 62
Java: disclosure state
disclosed November 1st via oCERT
Tomcat: workaround in r1189899 (CVE-2011-4084)
Glassfish: will be fixed in a future CPU (S0104869)
“As for Java itself, it does not seem like there is anything that would require a change in Java hashmap implementation.”
– Chandan, Oracle Security Alerts
Page 63
Python
hash function very similar to DJBX33X
works on register size → different for 32 and 64 bits
broken using a meet-in-the-middle attack
reasonable-sized attack strings only for 32 bits
Plone has max. POST size of 1 MB
7 minutes of CPU usage for a 1 MB request
Page 64
Python (Plone): efficiency
~20 kbit/s → keep one Core Duo core busy
Page 65
Python (Plone): effectiveness
1 Gbit/s → keep ~5·10^4 Core Duo cores busy (figure: 1 dot ≈ 5 CPU cores)
Page 66
Python: disclosure state
disclosed November 1st via oCERT
request for update on November 24th
“Apologies; this message got held in our moderation queue until just now. Because of the USA Thanksgiving holiday, it may be a few days before you get a response to this report.”
– Barry Warsaw, Python
Page 67
Ruby
Already fixed in 2008 in CRuby 1.9
CRuby 1.8: similar to DJBX33A
But: multiplication constant 65599 prevents small equivalent substrings → meet in the middle attack
Different, but vulnerable functions in JRuby and Rubinius (for both 1.8 and 1.9)
typical max. POST size limit of 2 MB → 6 h of CPU
Page 68
CRuby 1.8 (Rack): efficiency
~720 bit/s → keep one i7 core busy
Page 69
CRuby 1.8 (Rack): effectiveness
1 Gbit/s → keep ~10^6 i7 cores busy (figure: 1 dot ≈ 100 CPU cores)
Page 70
Ruby: disclosure state
disclosed November 1st via oCERT
Ruby Security Team very helpful!
New versions of CRuby and JRuby released → new, randomized hash function, CVE-2011-4815
New version of Rack middleware
![Page 71: Efficient Denial of Service Attacks on Web Application ...events.ccc.de/.../2007...web_application_platforms.pdfEfficient Denial of Service Attacks on Web Application Platforms Alexander](https://reader035.vdocuments.net/reader035/viewer/2022062921/5f0515297e708231d4112cbf/html5/thumbnails/71.jpg)
v8/node.js
JavaScript implementation by Google
#include <stdint.h>
/* per-character loop as shown on the slide; the slide shows only this loop, not v8's surrounding code */
uint32_t hash_loop(const unsigned char *p, unsigned len) {
    uint32_t hash = 0;
    while (len--) {
        hash += *p++;           /* add the next byte */
        hash += (hash << 10);   /* mix it into the accumulator */
        hash ^= (hash >> 6);
    }
    return hash;
}
Different from most other implementations, but vulnerable to meet-in-the-middle, too.
node.js: querystring module to parse POST into hashtable
v8: disclosure state
disclosed October 18th via oCERT
Google Security ticket #892388802
Privately contacted Google Security Team member on November 7th → ticket forwarded to Chrome/v8 developers
Web application security
Just a POST request …
Can be generated on the fly using HTML and JavaScript
next XSS → lots of DDoS participants
Hash tables everywhere
Parsing code
Hash tables in your shell (bash):
declare -A hash
hash[foo]="bar"
echo ${hash[foo]}
Live demo, part IV
(we'll skip this and hope you believe us it is still running :-))
How to fix it
Use a randomized hash function!
CRuby 1.9 and Perl already do
+ * The "hash seed" feature was added in Perl 5.8.1 to perturb the results+ * to avoid "algorithmic complexity attacks". */+#if defined(USE_HASH_SEED) || defined(USE_HASH_SEED_EXPLICIT)+# define PERL_HASH_SEED PL_hash_seed+#else+# define PERL_HASH_SEED 0+#endif #define PERL_HASH(hash,str,len) \ STMT_START { \ register const char *s_PeRlHaSh_tmp = str; \ register const unsigned char *s_PeRlHaSh = (const unsigned char *)s_PeRlHaSh_tmp; \ register I32 i_PeRlHaSh = len; \- register U32 hash_PeRlHaSh = 0; \+ register U32 hash_PeRlHaSh = PERL_HASH_SEED; \ while (i_PeRlHaSh--) { \ hash_PeRlHaSh += *s_PeRlHaSh++; \ hash_PeRlHaSh += (hash_PeRlHaSh << 10); \diff --git a/intrpvar.h b/intrpvar.h
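Review bot: the fallback `# define PERL_HASH_SEED 0` when neither USE_HASH_SEED nor USE_HASH_SEED_EXPLICIT is defined leaves PERL_HASH with the old fixed initial value, so the build configuration alone decides whether the mitigation is present; the comment above it should state that such builds keep the unperturbed hash, or the seeded path should become the default. Note also that the seed enters only as the initial accumulator (`register U32 hash_PeRlHaSh = PERL_HASH_SEED;`) while the per-character mixing is unchanged, so the protection rests entirely on PL_hash_seed being unpredictable to a requester; the intrpvar.h hunk that introduces it is cut off here and should be reviewed together with this one.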
Workarounds
Reduce maximal POST size
Typically supported everywhere (but not node.js?)
Reduce maximal parameters allowed
Tomcat, Suhosin: suhosin.{post|request}.max_vars
CPU limits
PHP: reduce max_input_time
IIS for ASP.NET: shutdown time limit for processes
Typically not available on Java Web Application Servers
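The first two workarounds on this slide in code, as an added JavaScript example (not the slides' code and not node.js's own querystring parser): a form-body parser that enforces a maximum body size and a maximum parameter count before any key is inserted into the table. The limit values, the `syntheticBody` helper and the sample bodies are constructed for the example.

```javascript
// Added example (not from the slides, not node.js's querystring module):
// a POST body parser that applies the two limits from the Workarounds
// slide before the expensive step, the hash-table insert.
function parseFormLimited(body, limits = {}) {
  const maxBytes = limits.maxBytes ?? 8192;   // constructed default
  const maxParams = limits.maxParams ?? 100;  // constructed default

  // 1. Size check on the raw bytes, before looking at the content.
  if (Buffer.byteLength(body, 'utf8') > maxBytes) {
    return { ok: false, reason: 'body_too_large' };
  }

  // 2. Count pairs before decoding or inserting anything: a flood of
  //    colliding keys only costs CPU once the keys reach the table.
  const pairs = body.length === 0 ? [] : body.split('&');
  if (pairs.length > maxParams) {
    return { ok: false, reason: 'too_many_params' };
  }

  // 3. Decode into a prototype-less object so keys like "__proto__"
  //    are plain entries and not object internals.
  const params = Object.create(null);
  for (const pair of pairs) {
    const eq = pair.indexOf('=');
    const rawKey = eq === -1 ? pair : pair.slice(0, eq);
    const rawVal = eq === -1 ? '' : pair.slice(eq + 1);
    let key;
    let val;
    try {
      key = decodeURIComponent(rawKey.replace(/\+/g, ' '));
      val = decodeURIComponent(rawVal.replace(/\+/g, ' '));
    } catch (e) {
      // Malformed percent-encoding is rejected rather than thrown.
      return { ok: false, reason: 'bad_encoding' };
    }
    if (key === '') continue; // "a=1&&b=2" has an empty pair; skip it
    params[key] = val;
  }
  return { ok: true, params };
}

// Constructed body with n distinct parameters, for trying the limits.
function syntheticBody(n) {
  const parts = [];
  for (let i = 0; i < n; i++) parts.push(`k${i}=v${i}`);
  return parts.join('&');
}

console.log(parseFormLimited('a=1&b=2&name=John+Doe'));
console.log(parseFormLimited(syntheticBody(500), { maxParams: 100 }));
```

The order of the checks is the point: the size and count limits run on the undecoded string, so a request that exceeds them never causes a single insert. node.js's own `querystring.parse` exposes a comparable parameter cap through its `maxKeys` option; the body-size limit has to be enforced by whatever reads the request stream.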
Future Work
Linux Kernel
grep -r hashtable linux-3.1.5/
(282 hits)
JSON, YAML, … (AJAX)
What will be put in a hash table?
Other Stuff
● Erlang
● Objective C
● Lua
● GNU ELF binary symbol tables
● Facebook (hiphop-php)
Take Home Messages
Take home: Language Developers
Fix this – soon!
Randomize your hash functions!
Take home: Application developers
Think about whether attacker controlled data ends up in a hash table!
Use different data structures such as tree maps, etc.
Take home: Penetration testers
Think about whether attacker controlled data ends up in a hash table!
Try to identify used hash functions by hashing the empty string or short strings
Take home: Anonymous
Thank You!
Andrea Barisani of oCERT for lots of coordinating work
CERT for coordinating
Perl for fixing this in 2003
Scott A. Crosby & Dan S. Wallach for the original paper
The Ruby Security Team for taking this seriously and working with us on a fix