Layer-7 DoS / Hash Collisions

About Hybrid Security
• Provide cyber fraud protection to websites
• Prevent business logic attacks on web applications
• Heuristic web user behavior analysis
• Signature-free 0-day attack detection

Layer-7 DoS
• Slowloris: written by RSnake, exploits slow HTTP headers
• R.U.Dead.Yet: written by Raviv Raz, exploits slow POST fields
• Keep-Dead: written by Esrun, exploits long Keep-Alive sessions

Hash DoS
• HashDoS: advisory published by Julian Wälde & Alexander Klink, Dec. 28, 2011
• Vulnerability in ASP.NET (MS11-100)
• Vulnerability in PHP 4 and 5
• Also vulnerable: Java, Tomcat, Python, Ruby, Oracle

Hash Tables
(diagram: hash table mapping Hash → Key, with entries login=root and passwd=123)
• Insert, search, delete nodes with O(n) complexity

Hash Collisions
(diagram: hash table mapping Hash → Key, with entries EzEz=123, EzFY=123, FYEz=123 all in one bucket)
• When h(Ez) = h(FY)…
• Insert, search, delete nodes become O(n²) complexity

DJBX33A Hashing
• Daniel J. Bernstein, 33 additions
• Used in 32 bit PHP 5, Java Tomcat
• Similar function used in Ruby

Hashing With the Pigeons
• Apparently, a non-injective function
• More commonly known as the pigeonhole principle
(diagram: many Strings mapping onto fewer Hashes)

DJBX33X Hashing
• Daniel J. Bernstein, 33 XORs
• Used in 32/64 bit PHP 4 & ASP.NET
• Similar function used in Python

Linear Collision Generation
h('Ey') = 31¹ · 69 + 31⁰ · 121 = 2260
h('FZ') = 31¹ · 70 + 31⁰ · 90 = 2260
h('Eya') = 31 · (31¹ · 69 + 31⁰ · 121) + 31⁰ · 97
        = 31 · (31¹ · 70 + 31⁰ · 90) + 31⁰ · 97
        = h('FZa')

DEMO

Using Binary Permutations
h('EzEz') (00) = h('EzFY') (01) = h('FYEz') (10) = h('FYFY') (11)

Pre-computing rainbow tables
• Calculate long permutations of colliding char pairs
• Create many same-hash field names for POST
• More advanced Meet-In-The-Middle techniques improve rainbow table creation exponentially

PHP 5
• DJBX33X
• 1 Gbit speed keeps ~ 10,000 i7 core CPUs busy
• POST limited by 8 MB
• POST limited by max_input_time (default on Ubuntu/BSD = 60 seconds)
<?php echo $_POST["param"]; ?>

• DJBX33X
• Breakable using Meet-In-The-Middle
• 30 kbits/sec keeps 1 core-2 CPU busy
• With 1 Gbit keeps ~ 30,000 core-2 CPUs busy
<% Response.Write(Request.Form["param"]); %>

POST http://victim.com/
Host: victim.com
Connection: keep-alive
Content-Length: 1000000
User-Agent: Mozilla/5.0
Cookie: __utmz=181569312.1294666144.1.1

EzEzEzEzEzEzEzEz=&EzEzEzEzEzEzEzFY=&EzEzEzEzEzEzEzG8=&EzEzEzEzEzEzEzH%17=&…

PoC already in the wild

Thank You
raviv@hybridsec.com
http://www.hybridsec.com
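An added example, not part of the original slides, tying together the DJBX33A and "Using Binary Permutations" slides from the defender's side: it implements the 32-bit DJBX33A hash, checks that the two-character blocks used in the demo request (Ez, FY, G8, H\x17) really collide and that concatenations of them keep colliding, and then applies a server-side guard that caps the number of POST fields (PHP 5.3.9's max_input_vars default of 1000) and flags bodies whose field names pile up on one hash value. The sample bodies, the thresholds and the function names are constructed for this example.

```python
from collections import Counter
from urllib.parse import parse_qsl

MASK32 = 0xFFFFFFFF


def djbx33a(s: str) -> int:
    """DJBX33A as used by 32-bit PHP 5: h = h*33 + c, seed 5381, 32-bit wrap."""
    h = 5381
    for ch in s:
        h = (h * 33 + ord(ch)) & MASK32
    return h


# Two-character blocks from the slides' demo request; all hash to one value.
BLOCKS = ["Ez", "FY", "G8", "H\x17"]


def blocks_collide(blocks=BLOCKS) -> bool:
    """True if every block hashes identically (the 00/01/10/11 property)."""
    return len({djbx33a(b) for b in blocks}) == 1


def scan_post_body(body: str, max_params: int = 1000, max_same_hash: int = 3):
    """Return (param_count, largest_same_hash_group, flagged).

    Two defences in one place: reject bodies with more fields than
    max_params, and flag bodies in which max_same_hash or more field names
    share a single DJBX33A value, which honest forms almost never do.
    """
    names = [name for name, _ in parse_qsl(body, keep_blank_values=True)]
    groups = Counter(djbx33a(n) for n in names)
    biggest = max(groups.values(), default=0)
    flagged = len(names) > max_params or biggest >= max_same_hash
    return len(names), biggest, flagged


# Constructed sample bodies: the slides' colliding names next to a login form.
ATTACK_BODY = ("EzEzEzEzEzEzEzEz=&EzEzEzEzEzEzEzFY=&"
               "EzEzEzEzEzEzEzG8=&EzEzEzEzEzEzEzH%17=&login=root&passwd=123")
BENIGN_BODY = "login=root&passwd=123"


if __name__ == "__main__":
    print("blocks collide:", blocks_collide())
    print("attack body:", scan_post_body(ATTACK_BODY))   # (6, 4, True)
    print("benign body:", scan_post_body(BENIGN_BODY))   # (2, 1, False)
```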