Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and...
Transcript of Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and...
![Page 1: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/1.jpg)
Hash-flooding DoS reloaded: attacks and defenses
Jean-Philippe Aumasson, Kudelski Group
Daniel J. Bernstein, University of Illinois at Chicago
Martin Boßlet, freelancer
![Page 2: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/2.jpg)
Hash-flooding DoS reloaded: attacks and defenses
Jean-Philippe Aumasson, Kudelski Group
Daniel J. Bernstein, University of Illinois at Chicago
Martin Boßlet, freelancer
![Page 3: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/3.jpg)
Jean-Philippe Cryptography expert at the Kudelski Group
Applied crypto researcher
https://131002.net @aumasson
Martin Independent SW engineer and security expert
Ruby core dev team member
http://www.martinbosslet.de @_emboss_
![Page 4: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/4.jpg)
Hash-flooding DoS reloaded: attacks and defenses
![Page 5: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/5.jpg)
Denial-of-Service (DoS) attacks
“Attempt to make a machine or network resource unavailable to its intended users.” Wikipedia
![Page 6: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/6.jpg)
Popular DoS techniques are distributed HTTP or TCP SYN flood… (DDoS)
![Page 7: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/7.jpg)
More subtle techniques exploit properties of TCP-congestion-avoidance algorithms…
![Page 8: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/8.jpg)
Hash-flooding DoS reloaded: attacks and defenses
![Page 9: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/9.jpg)
Hash tables used in many applications to maintain an association between objects
Example: Python dictionaries d={} # empty table
d[12345]=0xc # insertion
d[‘astring’]=‘foo’ # insertion
d[(‘a’,‘tuple’)]=0 # insertion
print d[‘a string’] # lookup
![Page 10: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/10.jpg)
If the table is about as large as the number of elements to be stored (=n), insertion or lookup of n elements takes
O(n) operations on average
![Page 11: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/11.jpg)
If the table is about as large as the number of elements to be stored (=n), insertion or lookup of n elements takes
O(n) operations on average
d[12345]=0xc, hash(12345)=1
0 1 2
12345: 0xc
![Page 12: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/12.jpg)
If the table is about as large as the number of elements to be stored (=n), insertion or lookup of n elements takes
O(n) operations on average
d[‘astring’]=‘foo’ , hash(‘astring’)=0
0 1 2
12345: 0xc ‘astring’: ‘foo’
![Page 13: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/13.jpg)
If the table is about as large as the number of elements to be stored (=n), insertion or lookup of n elements takes
O(n) operations on average
d[(‘a’,’tuple’)=0; hash((‘a’,’tuple’))=2
0 1 2
12345: 0xc ‘astring’: ‘foo’ (‘a’,’tuple’): 0
![Page 14: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/14.jpg)
If the table is about as large as the number of elements to be stored (=n), insertion or lookup of n elements takes
O(n2) operations in the worst case
d[12345]=0xc, hash(12345)=1
0 1 2
12345: 0xc
![Page 15: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/15.jpg)
If the table is about as large as the number of elements to be stored (=n), insertion or lookup of n elements takes
O(n2) operations in the worst case
d[‘astring’]=‘foo’ , hash(‘astring’)=0
0 1 2
12345: 0xc
‘astring’: ‘foo’
![Page 16: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/16.jpg)
If the table is about as large as the number of elements to be stored (=n), insertion or lookup of n elements takes
O(n2) operations in the worst case
d[(‘a’,’tuple’)=0; hash((‘a’,’tuple’))=2
0 1 2
12345: 0xc
‘astring’: ‘foo’
(‘a’, ‘tuple’): ‘foo’
![Page 17: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/17.jpg)
Hash flooding: Send to a server many inputs with a same hash (a multicollision) so as to
enforce worst-case insert time
![Page 18: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/18.jpg)
send 2MB of POST data consisting of 200.000 colliding 10B strings
≈ 40.000.000.000 string comparisons (at least 10s on a 2GHz machine…)
![Page 19: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/19.jpg)
Previous work Crosby, Wallach. Denial of Service via Algorithmic Complexity Attacks, USENIX Security 2003
-> attack formalized and applied to Perl, Squid, etc.
Klink, Wälde. Efficient Denial of Service Attacks on Web Application Platforms. CCC 28c3
-> application to PHP, Java, Python, Ruby, etc.
![Page 20: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/20.jpg)
Previous work Crosby, Wallach. Denial of Service via Algorithmic Complexity Attacks, USENIX Security 2003
-> attack formalized and applied to Perl, Squid, etc.
Klink, Wälde. Efficient Denial of Service Attacks on Web Application Platforms. CCC 28c3
-> application to PHP, Java, Python, Ruby, etc.
![Page 21: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/21.jpg)
![Page 22: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/22.jpg)
Patches released consisting of a stronger hash with randomization (to make colliding values impossible to find)
![Page 23: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/23.jpg)
MurmurHash2
“used in code by Google, Microsoft,
Yahoo, and many others” http://code.google.com/p/smhasher/wiki/MurmurHash
CRuby, JRuby
![Page 24: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/24.jpg)
MurmurHash3
“successor to MurmurHash2”
Oracle’s Java SE, Rubinius
![Page 25: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/25.jpg)
Hash-flooding DoS reloaded: attacks and defenses
![Page 26: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/26.jpg)
1. Theory
![Page 27: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/27.jpg)
for (i=0;i<nblocks;i++) {
uint32_t k1 = getblock(blocks, i);
k1 *= 0xcc9e2d51 ;
k1 = ROTL32(k1 ,15);
k1 *= 0x1b873593;
h1 ^= k1;
h1 = ROTL32 ( h1 ,13);
h1 = h1 *5+0 xe6546b64;}
MurmurHash3 core
Processes the input per blocks of 4 bytes
![Page 28: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/28.jpg)
for (i=0;i<nblocks;i++) {
uint32_t k1 = getblock(blocks, i);
k1 *= 0xcc9e2d51 ;
k1 = ROTL32(k1 ,15);
k1 *= 0x1b873593;
h1 ^= k1;
h1 = ROTL32 ( h1 ,13);
h1 = h1 *5+0 xe6546b64;}
Differential cryptanalysis strategy 1/ introduce a difference in the state h1 via the input k1 2/ cancel this difference with a second well chosen difference
![Page 29: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/29.jpg)
for (i=0;i<nblocks;i++) {
uint32_t k1 = getblock(blocks, i);
k1 *= 0xcc9e2d51 ;
k1 = ROTL32(k1 ,15);
k1 *= 0x1b873593;
h1 ^= k1;
h1 = ROTL32 ( h1 ,13);
h1 = h1 *5+0 xe6546b64;}
Differential cryptanalysis strategy 1/ introduce a difference in the state h1 via the input k1 2/ cancel this difference with a second well chosen difference
i=0
inject difference D1
diff in k1:0x00040000
![Page 30: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/30.jpg)
for (i=0;i<nblocks;i++) {
uint32_t k1 = getblock(blocks, i);
k1 *= 0xcc9e2d51 ;
k1 = ROTL32(k1 ,15);
k1 *= 0x1b873593;
h1 ^= k1;
h1 = ROTL32 ( h1 ,13);
h1 = h1 *5+0 xe6546b64;}
Differential cryptanalysis strategy 1/ introduce a difference in the state h1 via the input k1 2/ cancel this difference with a second well chosen difference
i=0
inject difference D1
diff in k1:0x00040000
diff in h1 0x00040000
![Page 31: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/31.jpg)
for (i=0;i<nblocks;i++) {
uint32_t k1 = getblock(blocks, i);
k1 *= 0xcc9e2d51 ;
k1 = ROTL32(k1 ,15);
k1 *= 0x1b873593;
h1 ^= k1;
h1 = ROTL32 ( h1 ,13);
h1 = h1 *5+0 xe6546b64;}
Differential cryptanalysis strategy 1/ introduce a difference in the state h1 via the input k1 2/ cancel this difference with a second well chosen difference
i=0
inject difference D1
diff in k1:0x00040000
diff in h1 0x00040000
0x80000000
0x80000000
![Page 32: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/32.jpg)
for (i=0;i<nblocks;i++) {
uint32_t k1 = getblock(blocks, i);
k1 *= 0xcc9e2d51 ;
k1 = ROTL32(k1 ,15);
k1 *= 0x1b873593;
h1 ^= k1;
h1 = ROTL32 ( h1 ,13);
h1 = h1 *5+0 xe6546b64;}
Differential cryptanalysis strategy 1/ introduce a difference in the state h1 via the input k1 2/ cancel this difference with a second well chosen difference
i=1
inject difference D2
![Page 33: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/33.jpg)
for (i=0;i<nblocks;i++) {
uint32_t k1 = getblock(blocks, i);
k1 *= 0xcc9e2d51 ;
k1 = ROTL32(k1 ,15);
k1 *= 0x1b873593;
h1 ^= k1;
h1 = ROTL32 ( h1 ,13);
h1 = h1 *5+0 xe6546b64;}
Differential cryptanalysis strategy 1/ introduce a difference in the state h1 via the input k1 2/ cancel this difference with a second well chosen difference
i=1
inject difference D2
diff in k1:0x80000000
![Page 34: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/34.jpg)
for (i=0;i<nblocks;i++) {
uint32_t k1 = getblock(blocks, i);
k1 *= 0xcc9e2d51 ;
k1 = ROTL32(k1 ,15);
k1 *= 0x1b873593;
h1 ^= k1;
h1 = ROTL32 ( h1 ,13);
h1 = h1 *5+0 xe6546b64;}
Differential cryptanalysis strategy 1/ introduce a difference in the state h1 via the input k1 2/ cancel this difference with a second well chosen difference
i=1
inject difference D2
diff in k1:0x80000000
diff in h1: 0x80000000 ^ 0x80000000 = 0
COLLISION!
![Page 35: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/35.jpg)
2 colliding 8-byte inputs
32-bit
32-bit
M1
h1=X
M2
h1=f(X)=H
32-bit
32-bit
M1^D1
h1=X^D3
M2^D2
h1=f(X^D3^D3)=H
![Page 36: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/36.jpg)
Chain collisions => multicollisions
8n bytes => 2n colliding inputs
M1 M2
collision
M3 M4
collision
M5 M6
collision
![Page 37: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/37.jpg)
h1=seed;
for (i=0;i<nblocks;i++) {
uint32_t k1 = getblock(blocks, i);
k1 *= 0xcc9e2d51 ;
k1 = ROTL32(k1 ,15);
k1 *= 0x1b873593;
// transform of k1 independent of the seed!
h1 ^= k1;
h1 = ROTL32 ( h1 ,13);
h1 = h1 *5+0 xe6546b64;}
A multicollision works for any seed
=> “Universal” multicollisions
![Page 38: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/38.jpg)
Even simpler for MurmurHash2
![Page 39: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/39.jpg)
Consequence:
Systems using MurmurHash2/3 remain vulnerable to hash-flooding
![Page 40: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/40.jpg)
Other hash attacked
![Page 41: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/41.jpg)
Even weaker than MurmurHash2… Also vulnerable to hash flooding
![Page 42: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/42.jpg)
CityHash64( BU9[85WWp/ HASH!, 16 ) = b82e7612e6933d2f
CityHash64( 8{YDLn;d.2 HASH!, 16 ) = b82e7612e6933d2f
CityHash64( d+nkK&t?yr HASH!, 16 ) = b82e7612e6933d2f
CityHash64( {A.#v5i]V{ HASH!, 16 ) = b82e7612e6933d2f
CityHash64( FBC=/\hJeA!HASH!, 16 ) = b82e7612e6933d2f
CityHash64( $03$=K1.-H!HASH!, 16 ) = b82e7612e6933d2f
CityHash64( 3o'L'Piw\\!HASH!, 16 ) = b82e7612e6933d2f
CityHash64( duDu%qaUS@"HASH!, 16 ) = b82e7612e6933d2f
CityHash64( IZVo|0S=BX"HASH!, 16 ) = b82e7612e6933d2f
CityHash64( X2V|P=<u,=#HASH!, 16 ) = b82e7612e6933d2f
CityHash64( 9<%45yG]qG#HASH!, 16 ) = b82e7612e6933d2f
CityHash64( 6?4O:'<Vho#HASH!, 16 ) = b82e7612e6933d2f
CityHash64( 2u 2}7g^>3$HASH!, 16 ) = b82e7612e6933d2f
CityHash64( kqwnZH=cKG$HASH!, 16 ) = b82e7612e6933d2f
CityHash64( Nl+:rtvw}K$HASH!, 16 ) = b82e7612e6933d2f
CityHash64( s/pI!<5u*]$HASH!, 16 ) = b82e7612e6933d2f
CityHash64( f|P~n*<xPc$HASH!, 16 ) = b82e7612e6933d2f
CityHash64( Cj7TCG|G}}$HASH!, 16 ) = b82e7612e6933d2f
CityHash64( a4$>Jf3PF'%HASH!, 16 ) = b82e7612e6933d2f
![Page 43: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/43.jpg)
2. Practice
![Page 44: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/44.jpg)
Breaking Murmur:
We‘ve got the recipe –
Now all we need is the (hash) cake
![Page 45: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/45.jpg)
Where are hashes used?
![Page 46: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/46.jpg)
Internally vs. Externally
![Page 47: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/47.jpg)
Parser symbol tables Method lookup tables
Attributes / Instance variables IP Addresses
Transaction IDs Database Indexing
Session IDs HTTP Headers
JSON Representation URL-encoded POST form data
Deduplication (HashSet) A* search algorithm
Dictionaries …
![Page 48: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/48.jpg)
=> Where aren’t they used?
![Page 49: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/49.jpg)
Can’t we use something different?
![Page 50: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/50.jpg)
We could,
but amortized constant time is just too sexy
![Page 51: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/51.jpg)
Possible real-life attacks
![Page 52: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/52.jpg)
Attack internal use?
![Page 53: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/53.jpg)
Elegant, but low impact
![Page 54: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/54.jpg)
Need a high-profile target
![Page 55: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/55.jpg)
Web Application
![Page 56: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/56.jpg)
Example #1
Rails
![Page 57: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/57.jpg)
First:
Attacking MurmurHash in Ruby
![Page 58: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/58.jpg)
Straight-forward with a few quirks
![Page 59: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/59.jpg)
Apply the recipe
![Page 60: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/60.jpg)
Demo
![Page 61: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/61.jpg)
Should work with Rails
out of the box, no?
![Page 62: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/62.jpg)
Unfortunately, no
![Page 63: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/63.jpg)
Demo
![Page 64: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/64.jpg)
def POST … @env["rack.request.form_hash"] = parse_query(form_vars) … end
![Page 65: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/65.jpg)
def parse_query(qs) Utils.parse_nested_query(qs) end
![Page 66: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/66.jpg)
def parse_nested_query(qs, d = nil) params = KeySpaceConstrainedParams.new (qs || '').split(d ? /[#{d}] */n : DEFAULT_SEP).each do |p| k, v = p.split('=', 2).map { |s| unescape(s) } normalize_params(params, k, v) end return params.to_params_hash end
![Page 67: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/67.jpg)
def unescape(s, encoding = Encoding::UTF_8) URI.decode_www_form_component(s, encoding) end
![Page 68: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/68.jpg)
def self.decode_www_form_component(str, enc=Encoding::UTF_8) raise ArgumentError, "invalid %-encoding (#{str})" unless /\A[^%]*(?:%\h\h[^%]*)*\z/ =~ str str.gsub(/\+|%\h\h/, TBLDECWWWCOMP_).force_encoding(enc) end
![Page 69: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/69.jpg)
/\A[^%]*(?:%\h\h[^%]*)*\z/
???
![Page 70: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/70.jpg)
Catches invalid % encodings
(e.g. %ZV, %%1 instead of %2F)
![Page 71: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/71.jpg)
def parse_nested_query(qs, d = nil) params = KeySpaceConstrainedParams.new (qs || '').split(d ? /[#{d}] */n : DEFAULT_SEP).each do |p| k, v = p.split('=', 2).map { |s| unescape(s) } normalize_params(params, k, v) end return params.to_params_hash end
![Page 72: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/72.jpg)
def normalize_params(params, name, v = nil) name =~ %r(\A[\[\]]*([^\[\]]+)\]*) k = $1 || '' … end
![Page 73: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/73.jpg)
%r(\A[\[\]]*([^\[\]]+)\]*)
???
![Page 74: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/74.jpg)
helps transform [[]] to []
![Page 75: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/75.jpg)
idea:
pre-generate matching values
![Page 76: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/76.jpg)
create random values
passing the regular expressions
![Page 77: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/77.jpg)
that should do it, right?
![Page 78: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/78.jpg)
Demo
![Page 79: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/79.jpg)
![Page 80: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/80.jpg)
def parse_nested_query(qs, d = nil) params = KeySpaceConstrainedParams.new (qs || '').split(d ? /[#{d}] */n : DEFAULT_SEP).each do |p| k, v = p.split('=', 2).map { |s| unescape(s) } normalize_params(params, k, v) end return params.to_params_hash end
![Page 81: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/81.jpg)
class KeySpaceConstrainedParams def []=(key, value) @size += key.size if key && [email protected]?(key) raise RangeError, 'exceeded available parameter key space‘ if @size > @limit @params[key] = value end end
![Page 82: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/82.jpg)
![Page 83: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/83.jpg)
What now? Rails is safe?
![Page 84: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/84.jpg)
Remember:
Hashes are used everywhere
![Page 85: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/85.jpg)
So if
application/x-www-form-urlencoded
doesn't work, how about
application/json
?
![Page 86: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/86.jpg)
Again, with the encoding...
![Page 87: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/87.jpg)
Fast-forward...
![Page 88: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/88.jpg)
Demo
![Page 89: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/89.jpg)
Conclusion
Patchwork is not helping
![Page 90: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/90.jpg)
too many places
![Page 91: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/91.jpg)
code bloat
![Page 92: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/92.jpg)
yet another loophole will be found
![Page 93: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/93.jpg)
Fix it
at the
root
![Page 94: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/94.jpg)
Example #2
Java
![Page 95: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/95.jpg)
String(byte[] bytes)
![Page 96: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/96.jpg)
public String(byte bytes[], int offset, int length, Charset charset) { … char[] v = StringCoding.decode(charset, bytes, offset, length); … }
![Page 97: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/97.jpg)
Tough nut to crack
![Page 98: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/98.jpg)
What now? Java is safe?
![Page 99: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/99.jpg)
String(char[] value)
![Page 100: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/100.jpg)
public String(char value[]) { int size = value.length; this.offset = 0; this.count = size; this.value = Arrays.copyOf(value, size); }
![Page 101: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/101.jpg)
No decoding!
![Page 102: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/102.jpg)
Substitute byte[] operations
with equivalent operations
on char[]
![Page 103: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/103.jpg)
Demo
![Page 104: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/104.jpg)
Disclosure Oracle (Java): Sep 11
CRuby, JRuby, Rubinius: Aug 30
![Page 105: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/105.jpg)
Hash-flooding DoS reloaded: attacks and defenses
![Page 106: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/106.jpg)
SipHash: a fast short-input PRF
New crypto algorithm to fix hash-flooding:
• Rigorous security requirements and analysis
• Speed competitive with that of weak hashes
Peer-reviewed research paper (A., Bernstein). published at DIAC 2012, INDOCRYPT 2012
![Page 107: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/107.jpg)
SipHash initialization
256-bit state v0 v1 v2 v3
128-bit key k0 k1
v0 = k0 ⊕ 736f6d6570736575
v1 = k1 ⊕ 646f72616e646f6d
v2 = k0 ⊕ 6c7967656e657261
v3 = k1 ⊕ 7465646279746573
![Page 108: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/108.jpg)
SipHash initialization
256-bit state v0 v1 v2 v3
128-bit key k0 k1
v0 = k0 ⊕ “somepseu”
v1 = k1 ⊕ “dorandom”
v2 = k0 ⊕ “lygenera”
v3 = k1 ⊕ “tedbytes”
![Page 109: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/109.jpg)
SipHash compression
Message parsed as 64-bit words m0, m1, …
v3 ⊕= m0
c iterations of SipRound
v0 ⊕= m0
![Page 110: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/110.jpg)
SipHash compression
Message parsed as 64-bit words m0, m1, …
v3 ⊕= m1
c iterations of SipRound
v0 ⊕= m1
![Page 111: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/111.jpg)
SipHash compression
Message parsed as 64-bit words m0, m1, …
v3 ⊕= m2
c iterations of SipRound
v0 ⊕= m2
![Page 112: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/112.jpg)
SipHash compression
Message parsed as 64-bit words m0, m1, …
Etc.
![Page 113: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/113.jpg)
SipRound
![Page 114: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/114.jpg)
SipHash finalization
v2 ⊕= 255
d iterations of SipRound
Return v0 ⊕ v1 ⊕ v2 ⊕ v3
![Page 115: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/115.jpg)
SipHash-2-4 hashing 15 bytes
![Page 116: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/116.jpg)
Family SipHash-c-d
Fast proposal: SipHash-2-4
Conservative proposal: SipHash-4-8
Weaker versions for cryptanalysis:
SipHash-1-0, SipHash-2-0, etc.
SipHash-1-1, SipHash-2-1, etc.
Etc.
![Page 117: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/117.jpg)
![Page 118: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/118.jpg)
Proof of simplicity
June 20: paper published online
June 28: 18 third-party implementations
C (Floodyberry, Boßlet, Neves); C# (Haynes) Cryptol (Lazar); Erlang, Javascript, PHP (Denis) Go (Chestnykh); Haskell (Hanquez) Java, Ruby (Boßlet); Lisp (Brown); Perl6 (Julin)
![Page 119: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/119.jpg)
Who is using SipHash?
http://www.opendns.com/ http://www.rust-lang.org/
Soon?
![Page 120: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/120.jpg)
Take home message
• DoS is doable with only small data/bandwidth
• Java- and Ruby-based web applications vulnerable to DoS (and maybe others…)
• SipHash offers both security and performance
Contact us if you need to check your application
![Page 121: Hash-flooding DoS reloaded: attacks and defenses · Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois](https://reader031.fdocuments.us/reader031/viewer/2022021808/5be70d5009d3f247448e0578/html5/thumbnails/121.jpg)
Hash-flooding DoS reloaded: attacks and defenses
THANK YOU!