Layer-7 DoS Presentation

Universal HTTP Denial-of-Service
About Hybrid
• Creating web-business-logic security
• Doing cool stuff in AI research
• Optimizing acceptance rate for Web-bound transactions
• Minimizing false rejects typical to signature-based solutions
How Would You Like Your Website?
Slow or DEAD?
• Slowloris abuses handling of HTTP request headers ssslooowly…
• Written by RSnake
• Iteratively injects one custom header at a time and goes to sleep
• Web server vainly awaits the empty line (CRLF CRLF) that ends the headers and never comes
• Stuck in phase I forever. Kinda like Tron
• R-U-Dead-Yet? abuses HTTP web form fields
• Iteratively injects one custom byte into a web application POST field and goes to sleep
• Application threads become zombies awaiting ends of posts till death lurks upon the website
• Stuck in phase II forever. Kinda like Tron sequels
SlowLoris
According to HTTP RFC 2616:
Request
= Request-Line
*(( general-header
| request-header
| entity-header ) CRLF)
CRLF
[ message-body ]
SlowLoris
GET http://www.google.com/ HTTP/1.1
Host: www.google.com
Connection: keep-alive
User-Agent: Mozilla/5.0
X-a: b
X-a: b
X-a: b
X-a: b
X-a: b
SlowLoris
DEMO
SlowLoris Mitigation
Patching Apache
• Use the Apache patch to moderate average timeout thresholds (link at end of presentation)
According to SpiderLabs:
• ModSecurity >=2.5.13
• Add directive: “SecReadStateLimit 5”
• Then ModSecurity alerts like this:
“[Mon Nov 22 17:44:46 2010] [warn] ModSecurity: Access denied with code 400. Too many connections [6] of 5 allowed in READ state from 211.144.112.20 Possible DoS Consumption Attack [Rejected]”
R-U-D-Y
Vulnerability discovered by Tom Brennan and Wong Onn Chee:
http://www.owasp.org/images/4/43/Layer_7_DDOS.pdf
POST http://victim.com/
Host: victim.com
Connection: keep-alive
Content-Length: 1000000
User-Agent: Mozilla/5.0
Cookie: __utmz=181569312.1294666144.1.1
username=AAAAAAAAAAAAAAAAAAAAAAAAA…
R-U-D-Y
DEMO
Waging War Upon SCADA
• Stuxnet operated from within Iran’s nuclear facilities to tamper with uranium-enrichment centrifuges
• R-U-D-Y integrated with SHODAN’s API could allow automatic location and disruption of Web-facing SCADA controllers from any anonymous location on Earth
R-U-D-Y Mitigation
• Add directive: “RequestReadTimeout body=30”
• Add rules:
SecRule RESPONSE_STATUS "@streq 408" \
  "phase:5,t:none,nolog,pass, \
  setvar:ip.slow_dos_counter=+1,expirevar:ip.slow_dos_counter=60"
SecRule IP:SLOW_DOS_COUNTER "@gt 5" \
  "phase:1,t:none,log,drop, \
  msg:'Client Connection Dropped due to high # of slow DoS alerts'"
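The rule pair above counts 408 (Request Timeout) responses per client IP, lets the counter expire after 60 seconds, and drops the client once it exceeds 5. The same detection logic run offline over constructed Apache-style access log lines, as an added example (not code from the presentation or from the R-U-D-Y project); the log format, the sample addresses and the sliding-window approximation of expirevar are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Apache common log format (assumed for this example); the timezone field is required by %z.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) \S+$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
WINDOW = timedelta(seconds=60)  # expirevar:ip.slow_dos_counter=60
THRESHOLD = 5                   # SecRule IP:SLOW_DOS_COUNTER "@gt 5"

def parse_line(line):
    # Returns (ip, timestamp, status), or None for a line that is not a log record.
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), int(m.group("status"))

def find_slow_dos_clients(lines, window=WINDOW, threshold=THRESHOLD):
    # Each 408 (what RequestReadTimeout returns for a body that arrives too slowly)
    # bumps the client's counter; hits older than `window` expire, approximating
    # expirevar, and the client is flagged with its drop time once the count exceeds `threshold`.
    recent = defaultdict(deque)  # ip -> timestamps of 408s still inside the window
    dropped = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[2] != 408:
            continue
        ip, ts, _ = parsed
        hits = recent[ip]
        hits.append(ts)
        while ts - hits[0] > window:  # discard stale hits (ts itself is always kept)
            hits.popleft()
        if len(hits) > threshold and ip not in dropped:
            dropped[ip] = ts
    return dropped

# Constructed sample: 203.0.113.7 gets six 408s within 50 s; 198.51.100.5 gets two 95 s
# apart, which the window keeps below the threshold; the junk line must be skipped.
SAMPLE_LOG = [
    '203.0.113.7 - - [22/Nov/2010:17:44:00 +0000] "POST / HTTP/1.1" 408 0',
    '203.0.113.7 - - [22/Nov/2010:17:44:10 +0000] "POST / HTTP/1.1" 408 0',
    '203.0.113.7 - - [22/Nov/2010:17:44:20 +0000] "POST / HTTP/1.1" 408 0',
    '198.51.100.5 - - [22/Nov/2010:17:44:25 +0000] "POST / HTTP/1.1" 408 0',
    '203.0.113.7 - - [22/Nov/2010:17:44:30 +0000] "POST / HTTP/1.1" 408 0',
    'this line is not a log record',
    '203.0.113.7 - - [22/Nov/2010:17:44:40 +0000] "POST / HTTP/1.1" 408 0',
    '203.0.113.7 - - [22/Nov/2010:17:44:50 +0000] "POST / HTTP/1.1" 408 0',
    '198.51.100.5 - - [22/Nov/2010:17:46:00 +0000] "POST / HTTP/1.1" 408 0',
]
```

Running `find_slow_dos_clients(SAMPLE_LOG)` flags only 203.0.113.7, at the sixth 408; a real deployment would feed the same counter from the live log stream.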
Other (potential?) Attack Vectors
• Complex structures such as: SOAP, JSON, REST
• Encapsulated protocols such as: SIP, AJAX binary streams
Future Research
• Use a protocol fuzzer such as PEACH or SPIKE to explore the entropy of HTTP RFC-compliant input
• Use nested and/or broken data structures to detect server-side zombie behavior
If we knew what it was we were doing,
it would not be called research, would it?
(Albert Einstein)
Reference
• SlowLoris:
http://ha.ckers.org/slowloris/
• Anti-SlowLoris Patch:
http://synflood.at/tmp/anti-slowloris.diff
• Mitigation with ModSecurity:
http://blog.spiderlabs.com/2010/11/advancedtopic-of-the-week-mitigating-slow-http-dosattacks.html
• R.U.D.Y:
http://hybridsec.com/tools/rudy/
• Chapters In Web Security:
http://chaptersinwebsecurity.blogspot.com
Thank You
raviv@hybridsec.com