Layer-7 DoS Hash Collisions. Provide cyber fraud protection to websites Prevent business logic...

Post on 11-Jan-2016


Layer-7 DoS

Hash Collisions

Provide cyber fraud protection to websites

Prevent business logic attacks on web applications

Heuristic web user behavior analysis

Signature-free 0-day attack detection

About Hybrid Security

Layer-7 DoS

• Slowloris: Written by RSnake, exploits slow HTTP headers

• R.U.Dead.Yet: Written by Raviv Raz, exploits slow POST fields

• Keep-Dead: Written by Esrun, exploits long Keep-Alive sessions

Hash DoS

• HashDoS – Advisory published by Julian Wälde & Alexander Klink, Dec. 28, 2011

• Vulnerability in ASP.NET (MS11-100)

• Vulnerability in PHP 4 and 5

• Also vulnerable: Java, Tomcat, Python, Ruby, Oracle

Hash Tables

[diagram: hash key → node]

login=root passwd=123

Insert, search, delete node with O(n) complexity

Hash Collisions

[diagram: hash key → chained nodes]

EzEz=123
EzFY=123
FYEz=123

When h(Ez) = h(FY)…

Insert, search, delete node become O(n²) complexity

DJBX33A Hashing

• Daniel J. Bernstein, 33 additions
• Used in 32 bit PHP 5, Java Tomcat
• Similar function used in Ruby

Hashing With the Pigeons

[diagram: many strings → fewer hashes]

• Apparently, a non-injective function
• More commonly known as the pigeonhole principle

DJBX33X Hashing

• Daniel J. Bernstein, 33 XORs
• Used in 32/64 bit PHP 4 & ASP.NET
• Similar function used in Python

Linear Collision Generation

h('Ey')  = 31^1 · 69 + 31^0 · 121 = 2260
h('FZ')  = 31^1 · 70 + 31^0 · 90  = 2260

h('Eya') = 31 · (31^1 · 69 + 31^0 · 121) + 31^0 · 97
         = 31 · (31^1 · 70 + 31^0 · 90)  + 31^0 · 97
         = h('FZa')

DEMO

Using Binary Permutations

h('EzEz') (00)
= h('EzFY') (01)
= h('FYEz') (10)
= h('FYFY') (11)

Pre-computing rainbow tables

• Calculate long permutations of colliding char pairs
• Create many same-hash field names for POST
• More advanced Meet-In-The-Middle techniques improve rainbow table creation exponentially

PHP 5

• DJBX33X
• 1 Gbit speed keeps ~ 10,000 i7 core CPU busy
• POST limited by 8 MB
• POST limited by max_input_time (default on Ubuntu/BSD = 60 seconds)

<?php echo $_POST["param"]; ?>

ASP.NET

• DJBX33X
• Breakable using Meet-In-The-Middle
• 30 kbits/sec keeps 1 core-2 CPU busy
• With 1 Gbit keeps ~ 30,000 core-2 CPU busy

<% Response.Write Request.Form("param") %>

POST http://victim.com/
Host: victim.com
Connection: keep-alive
Content-Length: 1000000
User-Agent: Mozilla/5.0
Cookie: __utmz=181569312.1294666144.1.1

EzEzEzEzEzEzEzEz=&EzEzEzEzEzEzEzFY=&
EzEzEzEzEzEzEzG8=&EzEzEzEzEzEzEzH%17=&…
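An added example, not part of the slides: DJBX33A as used by 32-bit PHP 5, a check that the four two-byte blocks in the request above really do collide, and a request-side filter a WAF or input layer can run before the fields reach the application's hash table. The thresholds (max_vars, min_keys, share) and the sample bodies are assumptions constructed for the demonstration.

```python
from collections import Counter
from itertools import product
from urllib.parse import quote_from_bytes, unquote_to_bytes

def djbx33a(s: bytes) -> int:
    """Bernstein's 'times 33 plus c' string hash, wrapped to 32 bits as in PHP 5."""
    h = 5381
    for c in s:
        h = (h * 33 + c) & 0xFFFFFFFF
    return h

# The two-byte blocks from the PoC request above. Each step moves the first byte
# up by 1 ('E','F','G','H') and the second byte down by 33 ('z','Y','8','\x17'),
# so 33*first + second is constant; concatenations of equal-hash blocks collide too.
BLOCKS = [b"Ez", b"FY", b"G8", b"H\x17"]

def parse_form_keys(body: bytes) -> list:
    """Field names of an application/x-www-form-urlencoded body, percent-decoded."""
    keys = []
    for pair in body.split(b"&"):
        if pair:
            keys.append(unquote_to_bytes(pair.split(b"=", 1)[0].replace(b"+", b" ")))
    return keys

def hashdos_score(body: bytes):
    """(number of fields, share of fields in the most populated DJBX33A bucket).
    Counting by integer hash value means this check cannot degrade itself."""
    keys = parse_form_keys(body)
    if not keys:
        return 0, 0.0
    buckets = Counter(djbx33a(k) for k in keys)
    return len(keys), max(buckets.values()) / len(keys)

def is_hashdos(body: bytes, max_vars=1000, min_keys=50, share=0.5) -> bool:
    """Reject before the parameters are inserted. max_vars mirrors PHP's
    max_input_vars default (added in 5.3.9); the bucket-share rule catches
    floods that stay under that cap."""
    n, top = hashdos_score(body)
    return n > max_vars or (n >= min_keys and top >= share)

# Constructed sample bodies (assumed, not captured traffic).
LEGIT_BODY = b"login=root&passwd=123&remember=1"

def flood_body(n_blocks: int = 3) -> bytes:
    """All concatenations of n_blocks colliding blocks as empty fields: 4**n_blocks keys."""
    names = (b"".join(p) for p in product(BLOCKS, repeat=n_blocks))
    return b"&".join(quote_from_bytes(n).encode() + b"=" for n in names)

if __name__ == "__main__":
    print(hashdos_score(LEGIT_BODY), is_hashdos(LEGIT_BODY))
    print(hashdos_score(flood_body()), is_hashdos(flood_body()))
```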

PoC already in the wild

Thank You

raviv@hybridsec.com
http://www.hybridsec.com