Layer-7 DoS - PowerPoint PPT Presentation

1 / 20
About This Presentation
Title:

Layer-7 DoS

Description:

... cyber fraud protection to websites Prevent business logic attacks on web applications Heuristic web user behavior analysis Signature-free 0-day attack detection ... – PowerPoint PPT presentation

Number of Views:87
Avg rating:3.0/5.0
Slides: 21
Provided by: ravi99
Category:
Tags: dos | cyber | detection | fraud | layer

less

Transcript and Presenter's Notes

Title: Layer-7 DoS


1
  • Layer-7 DoS
  • Hash Collisions

2
About Hybrid Security
  • Provide cyber fraud protection to websites
  • Prevent business logic attacks on web
    applications
  • Heuristic web user behavior analysis
  • Signature-free 0-day attack detection

3
  • Layer-7 DoS
  • Slowloris Written by RSnake, exploits
    slow HTTP headers
  • R.U.Dead.Yet Written by Raviv Raz,
    exploits slow POST fields
  • Keep-Dead Written by Esrun, exploits long
    Keep-Alive sessions

4
  • Hash DoS
  • HashDoS Advisory published by Julian Wäld
    Alexander Klink, Dec. 28, 2011
  • Vulnerability in ASP.NET (MS11-100)
  • Vulnerability in PHP 4 and 5
  • Also vulnerableJava, Tomcat, Python, Ruby,
    Oracle

5
  • Hash Tables

Hash Key
  • Insert, search, delete node
  • with O(n) complexity

6
  • Hash Collisions

Hash Key
  • When h(Ez) h(FY)
  • Insert, search, delete node
  • become O(n²) complexity

7
  • DJBX33A Hashing
  • Daniel J. Bernsetin, 33 additions
  • Used in 32 bit PHP 5, Java Tomcat
  • Similar function used in Ruby

8
  • Hashing With the Pigeons
  • Apparently, a non-injective function
  • More commonly known as the pigeonhole
    principle

Strings
Hashes
9
  • DJBX33X Hashing
  • Daniel J. Bernsetin, 33 XORs
  • Used in 32/64 bit PHP 4 ASP.NET
  • Similar function used in Python

10
  • Linear Collision Generation

h('Ey') 31¹ 69 31 121
2260 h('FZ') 31¹ 70 31 90
2260 h('Eya') 31 (31¹ 69 31 121)
3197 31 (31¹ 70 31
90) 3197 h('FZa')
11
  • DEMO

12
  • Using Binary Permutations

h('EzEz') ? (00) h('EzFY') ? (01)
h('FYEz') ? (10) h('FYFY') ? (11)
13
  • Pre-computing rainbow tables
  • Calculate long permutations of colliding char
    pairs
  • Create many same-hash field names for POST
  • More advanced Meet-In-The-Middle techniques
    improve rainbow table creation exponentially

14
  • PHP 5
  • DJBX33X
  • 1 Gbit speed keeps 10,000 i7 core CPU busy
  • POST limited by 8 MB
  • POST limited by max_input_time (default on
    Ubuntu/BSD 60 seconds)

15
lt? php echo _POST"param" ?gt
16
  • DJBX33X
  • Breakable using Meet-In-The-Middle
  • 30 kbits/sec keeps 1 core-2 CPU busy
  • With 1 Gbit keeps 30,000 core-2 CPU busy

17
lt Response.Write Request.Form'param' gt
18
POST http//victim.com/ Host victim.com Connectio
n keep-alive Content-Length 1000000 User-Agent
Mozilla/5.0 Cookie __utmz181569312.1294666144.1.
1 EzEzEzEzEzEzEzEzEzEzEzEzEzEzEzFY EzEzEzEzEz
EzEzG8EzEzEzEzEzEzEzH17
19
  • PoC already in the wild

20
  • Thank You
  • raviv_at_hybridsec.com
  • http//www.hybridsec.com
Write a Comment
User Comments (0)
About PowerShow.com