Add to collection(s) Add to saved
  1. Arts & Humanities
  2. Literature
  3. English Literature

``Hash Collision DoS`` Presentation

advertisement 
Layer-7 DoS
Hash Collisions
About Hybrid Security
Provide cyber fraud protection to websites
Prevent business logic attacks on web applications
Heuristic web user behavior analysis
Signature-free 0-day attack detection
Layer-7 DoS
• Slowloris:
• R.U.Dead.Yet:
• Keep-Dead:
Written by RSnake,
exploits slow HTTP headers
Written by Raviv Raz,
exploits slow POST fields
Written by Esrun,
exploits long Keep-Alive
sessions
Hash DoS
• HashDoS – Advisory published by Julian Wäld
& Alexander Klink, Dec. 28, 2011
• Vulnerability in ASP.NET (MS11-100)
• Vulnerability in PHP 4 and 5
• Also vulnerable:
Java, Tomcat, Python, Ruby, Oracle
Hash Tables
Hash Key
login=root
Insert, search, delete node
with O(n) complexity
passwd=123
Hash Collisions
Hash Key
When h(Ez) = h(FY)…
Insert, search, delete node
become O(n²) complexity
EzEz=123
EzFY=123
FYEz=123
DJBX33A Hashing
• Daniel J. Bernsetin, 33 additions
• Used in 32 bit PHP 5, Java Tomcat
• Similar function used in Ruby
Hashing With the Pigeons
• Apparently, a non-injective function
• More commonly known as
the pigeonhole principle
Strings
Hashes
DJBX33X Hashing
• Daniel J. Bernsetin, 33 XORs
• Used in 32/64 bit PHP 4 & ASP.NET
• Similar function used in Python
Linear Collision Generation
h('Ey') = 31¹ · 69 + 31° · 121 = 2260
h('FZ') = 31¹ · 70 + 31° · 90 = 2260
h('Eya') = 31 · (31¹ · 69 + 31° · 121) + 31°·97
= 31 · (31¹ · 70 + 31° · 90) + 31°·97
= h('FZa')
DEMO
Using Binary Permutations
h('EzEz')  (00)
= h('EzFY')  (01)
= h('FYEz')  (10)
= h('FYFY')  (11)
Pre-computing rainbow tables
• Calculate long permutations of colliding char pairs
• Create many same-hash field names for POST
• More advanced Meet-In-The-Middle techniques
improve rainbow table creation exponentially
PHP 5
• DJBX33X
• 1 Gbit speed keeps
~ 10,000 i7 core CPU busy
• POST limited by 8 MB
• POST limited by max_input_time
(default on Ubuntu/BSD = 60 seconds)
<?
php echo $_POST["param"];
?>
•
•
•
•
DJBX33X
Breakable using
Meet-In-The-Middle
30 kbits/sec keeps
1 core-2 CPU busy
With 1 Gbit keeps
~ 30,000 core-2 CPU busy
<%
Response.Write Request.Form['param'];
%>
POST http://victim.com/
Host: victim.com
Connection: keep-alive
Content-Length: 1000000
User-Agent: Mozilla/5.0
Cookie: __utmz=181569312.1294666144.1.1
EzEzEzEzEzEzEzEz=&EzEzEzEzEzEzEzFY=&
EzEzEzEzEzEzEzG8=&EzEzEzEzEzEzEzH%17=&…
PoC already in the wild
Thank You
raviv@hybridsec.com
http://www.hybridsec.com
Related documents
HashQuiz
HashQuiz
Mash
Mash
Self-evaluation 21-5-2013
Self-evaluation 21-5-2013
Hash table
Hash table
Cryptography Homework #7: Hash function Search
Cryptography Homework #7: Hash function Search
Chapter 6 Hashing
Chapter 6 Hashing
Document10949031 10949031
Document10949031 10949031
Final Exam Review
Final Exam Review
Hash Functions
Hash Functions
Robust Hashing for Image Authentication Using Zernike Moments
Robust Hashing for Image Authentication Using Zernike Moments
Name____________________________ Period_______ Compare
Name____________________________ Period_______ Compare
CS 2430 Day 3
CS 2430 Day 3
Download
advertisement