Layer-7 DoS Hash Collisions
About Hybrid Security
• Provide cyber fraud protection to websites
• Prevent business logic attacks on web applications
• Heuristic web user behavior analysis
• Signature-free 0-day attack detection
Layer-7 DoS
• Slowloris: written by RSnake, exploits slow HTTP headers
• R.U.Dead.Yet: written by Raviv Raz, exploits slow POST fields
• Keep-Dead: written by Esrun, exploits long Keep-Alive sessions
Hash DoS
• HashDoS: advisory published by Julian Wälde & Alexander Klink, Dec. 28, 2011
• Vulnerability in ASP.NET (MS11-100)
• Vulnerability in PHP 4 and 5
• Also vulnerable: Java, Tomcat, Python, Ruby, Oracle
Hash Tables
(diagram: Hash → Key, with the example entries login=root and passwd=123)
• Insert, search, delete node with O(n) complexity
Hash Collisions
(diagram: Hash → Key, with the entries EzEz=123, EzFY=123 and FYEz=123 all in one bucket)
• When h(Ez) = h(FY)…
• Insert, search, delete node become O(n²) complexity
DJBX33A Hashing
• Daniel J. Bernstein, "times 33 and add"
• Used in 32-bit PHP 5, Java Tomcat
• Similar function used in Ruby
Hashing With the Pigeons
(diagram: many Strings mapped onto fewer Hashes)
• Apparently, a non-injective function
• More commonly known as the pigeonhole principle
DJBX33X Hashing
• Daniel J. Bernstein, "times 33 and XOR"
• Used in 32/64-bit PHP 4 & ASP.NET
• Similar function used in Python
Linear Collision Generation (multiplier 31; character codes E=69, y=121, F=70, Z=90, a=97)

$h(\text{'Ey'}) = 31^1 \cdot 69 + 31^0 \cdot 121 = 2260$

$h(\text{'FZ'}) = 31^1 \cdot 70 + 31^0 \cdot 90 = 2260$

$h(\text{'Eya'}) = 31 \cdot (31^1 \cdot 69 + 31^0 \cdot 121) + 31^0 \cdot 97 = 31 \cdot (31^1 \cdot 70 + 31^0 \cdot 90) + 31^0 \cdot 97 = h(\text{'FZa'})$
DEMO
Using Binary Permutations
h('EzEz') (00)
= h('EzFY') (01)
= h('FYEz') (10)
= h('FYFY') (11)
Pre-computing rainbow tables
• Calculate long permutations of colliding char pairs
• Create many same-hash field names for POST
• More advanced Meet-In-The-Middle techniques improve rainbow table creation exponentially
PHP 5
• DJBX33X
• 1 Gbit speed keeps ~10,000 i7 core CPUs busy
• POST limited by 8 MB
• POST limited by max_input_time (default on Ubuntu/BSD = 60 seconds)
```php
<?php
// Any page that touches $_POST already forces the whole body to be parsed into the hash table
echo $_POST["param"];
?>
```
• DJBX33X
• Breakable using Meet-In-The-Middle
• 30 kbits/sec keeps 1 Core 2 CPU busy
• With 1 Gbit keeps ~30,000 Core 2 CPUs busy
```aspx
<%
// Reading Request.Form is enough: ASP.NET parses every field of the body into its hash table
Response.Write(Request.Form["param"]);
%>
```
```http
POST http://victim.com/
Host: victim.com
Connection: keep-alive
Content-Length: 1000000
User-Agent: Mozilla/5.0
Cookie: __utmz=181569312.1294666144.1.1

EzEzEzEzEzEzEzEz=&EzEzEzEzEzEzEzFY=&
EzEzEzEzEzEzEzG8=&EzEzEzEzEzEzEzH%17=&…
```
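As an added example (not code from the slides or from Hybrid Security), the two Bernstein hashes the deck names, a check that the colliding field names shown on the collision, binary-permutation and POST slides really share one bucket, and a defender-side filter of the kind a front end can apply; the function names, the thresholds in should_reject and the two sample bodies are assumptions constructed for this example.

```python
from urllib.parse import parse_qsl

MASK32 = 0xFFFFFFFF  # the deck's targets use 32-bit hash values

def djbx33a(s: str) -> int:
    """DJBX33A ('times 33 and add'): h = h*33 + c, seed 5381. PHP 5 / Tomcat style."""
    h = 5381
    for c in s.encode("latin-1"):
        h = (h * 33 + c) & MASK32
    return h

def djbx33x(s: str) -> int:
    """DJBX33X ('times 33 and XOR'): h = (h*33) ^ c, seed 5381. PHP 4 / ASP.NET style."""
    h = 5381
    for c in s.encode("latin-1"):
        h = ((h * 33) ^ c) & MASK32
    return h

def all_collide(names, hash_fn=djbx33a) -> bool:
    """True when every name hashes to the same bucket under hash_fn."""
    return len({hash_fn(n) for n in names}) == 1

def bucket_stats(body: str, hash_fn=djbx33a):
    """(number of field names, number of distinct buckets they occupy).
    A benign form has the two equal; a HashDoS body piles many names into one bucket."""
    names = [k for k, _ in parse_qsl(body, keep_blank_values=True)]
    return len(names), len({hash_fn(k) for k in names})

def should_reject(body: str, max_params: int = 1000, min_bucket_ratio: float = 0.5) -> bool:
    """Assumed front-end policy: cap the field count (as PHP's max_input_vars and
    Python's parse_qsl(max_num_fields=...) do) and refuse bodies where fewer than
    half the names get a bucket of their own."""
    n, buckets = bucket_stats(body)
    if n == 0:
        return False
    return n > max_params or buckets / n < min_bucket_ratio

# Constructed bodies: the first reuses the four field names from the POST slide
# (%17 decodes to the control byte 0x17), the second is an ordinary login form.
HASHDOS_BODY = "EzEzEzEzEzEzEzEz=&EzEzEzEzEzEzEzFY=&EzEzEzEzEzEzEzG8=&EzEzEzEzEzEzEzH%17=&"
LOGIN_BODY = "login=root&passwd=123"

if __name__ == "__main__":
    print(all_collide(["Ez", "FY", "G8", "H\x17"]))        # True: 33*c1 + c2 == 2399 for each pair
    print(all_collide(["EzEz", "EzFY", "FYEz", "FYFY"]))    # True: the binary-permutations slide
    print(all_collide(["Ez", "FY"], djbx33x))               # False: pairs are specific to one hash
    print(bucket_stats(HASHDOS_BODY), should_reject(HASHDOS_BODY))  # (4, 1) True
    print(bucket_stats(LOGIN_BODY), should_reject(LOGIN_BODY))      # (2, 2) False
```

The same Ez/FY pair that collides under DJBX33A does not collide under DJBX33X, which is why the deck treats PHP 5 and ASP.NET separately; the bucket-ratio check catches both because it looks at the outcome, not the pairs.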
PoC already in the wild