Universal HTTP Denial-of-Service

Upload: griffin-johns

Post on 27-Dec-2015

Page 1: Universal HTTP Denial-of-Service. About Hybrid Creating web-business-logic security Doing cool stuff in AI research Optimizing acceptance rate for Web-bound

Universal HTTP Denial-of-Service

Page 2

About Hybrid

• Creating web-business-logic security
• Doing cool stuff in AI research
• Optimizing acceptance rate for Web-bound transactions
• Minimizing false rejects typical to signature-based solutions

Page 3

Page 4

How Would You Like Your Website? Slow or DEAD?

• Slowloris abuses handling of HTTP request headers ssslooowly…

• Written by RSnake

• Iteratively injects one custom header at a time and goes to sleep

• Web server vainly awaits the line space that will never come

• Stuck in phase I forever. Kinda like Tron

• R-U-Dead-Yet? abuses HTTP web form fields

• Iteratively injects one custom byte into a web application post field and goes to sleep

• Application threads become zombies awaiting ends of posts till death lurks upon the website

• Stuck in phase II forever. Kinda like Tron sequels

Page 5

SlowLoris

According to HTTP RFC 2616:

    Request = Request-Line
              *(( general-header
                | request-header
                | entity-header ) CRLF)
              CRLF
              [ message-body ]

Page 6

SlowLoris

    GET http://www.google.com/ HTTP/1.1
    Host: www.google.com
    Connection: keep-alive
    User-Agent: Mozilla/5.0
    X-a: b
    X-a: b
    X-a: b
    X-a: b
    X-a: b
    X-a: b

Page 7

SlowLoris

DEMO

Page 8

SlowLoris Mitigation

Page 9

Patching Apache

• Use the Apache patch to moderate average timeout thresholds (link at end of presentation)

Page 10

According to SpiderLabs:

• ModSecurity >= 2.5.13
• Add directive: "SecReadStateLimit 5"
• Then ModSecurity alerts like this:

    [Mon Nov 22 17:44:46 2010] [warn] ModSecurity: Access denied with code 400. Too many connections [6] of 5 allowed in READ state from 211.144.112.20 - Possible DoS Consumption Attack [Rejected]

Page 11

R-U-D-Y

    POST http://victim.com/
    Host: victim.com
    Connection: keep-alive
    Content-Length: 1000000
    User-Agent: Mozilla/5.0
    Cookie: __utmz=181569312.1294666144.1.1

    username=AAAAAAAAAAAAAAAAAAAAAAAAA…

Vulnerability discovered by Tom Brennan and Wong Onn Chee:
http://www.owasp.org/images/4/43/Layer_7_DDOS.pdf
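As an added illustration (not part of the deck or of the R-U-D-Y tool), the following Python models per-phase read deadlines on the server side, in the spirit of Apache's RequestReadTimeout: one deadline for the request head (phase I, which Slowloris stalls) and a separate one for the body (phase II, which R-U-Dead-Yet stalls). The arrival patterns, host name and timeouts are constructed.

```python
import re

def classify_request(chunks, header_timeout, body_timeout):
    """chunks: list of (arrival_time_seconds, bytes) as the server would read
    them from the socket. Returns 'complete', '408 header' or '408 body'."""
    buf = b""
    in_body = False
    content_length = 0
    phase_start = chunks[0][0] if chunks else 0.0
    for t, data in chunks:
        if not in_body:
            # Phase I: the request head; Slowloris never sends the blank line.
            if t - phase_start > header_timeout:
                return "408 header"
            buf += data
            end = buf.find(b"\r\n\r\n")
            if end == -1:
                continue
            head, buf = buf[:end], buf[end + 4:]
            m = re.search(rb"(?im)^content-length:[ \t]*(\d+)", head)
            content_length = int(m.group(1)) if m else 0
            in_body = True
            phase_start = t  # the body deadline starts when the head ends
        else:
            # Phase II: the body; R-U-Dead-Yet trickles it one byte at a time.
            if t - phase_start > body_timeout:
                return "408 body"
            buf += data
        if len(buf) >= content_length:
            return "complete"
    # The peer went quiet before finishing the current phase.
    return "408 body" if in_body else "408 header"

# Constructed arrival patterns (seconds since connect, bytes received).
SLOWLORIS = [(0.0, b"GET / HTTP/1.1\r\nHost: victim.example\r\n")] + [
    (10.0 * i, b"X-a: b\r\n") for i in range(1, 8)]        # no blank line, ever
RUDY = [(0.0, b"POST / HTTP/1.1\r\nHost: victim.example\r\n"
              b"Content-Length: 1000000\r\n\r\n")] + [
    (10.0 * i, b"A") for i in range(1, 8)]                 # one body byte per 10 s
NORMAL = [(0.0, b"POST / HTTP/1.1\r\nHost: victim.example\r\n"
                b"Content-Length: 11\r\n\r\n"), (0.3, b"username=ab")]
```

With a 30 s deadline on each phase, the Slowloris pattern is rejected in phase I and the R-U-D-Y pattern in phase II, while the ordinary client completes.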

Page 12

R-U-D-Y

DEMO

Page 13

Waging War Upon SCADA

Page 14

Waging War Upon SCADA

• Stuxnet operated from within Iran’s nuclear facilities to tamper with uranium-enrichment centrifuges

• R-U-D-Y integrated with SHODAN’s API could allow automatic location and disruption of Web-facing SCADA controllers from any anonymous location on Earth

Page 15

R-U-D-Y Mitigation

• Add directive: "RequestReadTimeout body=30"
• Add a rule:

    SecRule RESPONSE_STATUS "@streq 408" \
        "phase:5,t:none,nolog,pass, \
        setvar:ip.slow_dos_counter=+1,expirevar:ip.slow_dos_counter=60"

    SecRule IP:SLOW_DOS_COUNTER "@gt 5" \
        "phase:1,t:none,log,drop, \
        msg:'Client Connection Dropped due to high # of slow DoS alerts'"
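An offline replay of the two SecRules above, added here as an example (not the deck's or SpiderLabs' code): it counts 408 responses per client IP from constructed access-log lines, lets the counter lapse 60 s after its last increment as expirevar does, and reports the request at which the @gt 5 check would drop the client. The log format, IPs and timestamps are constructed.

```python
import re
from datetime import datetime

# Combined-log prefix: client, ident, user, [timestamp], "request line", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) ')

def parse_line(line):
    """Access-log line -> (client_ip, unix_time, status) or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, stamp, status = m.groups()
    when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return ip, when, int(status)

def slow_dos_decisions(lines, threshold=5, ttl=60):
    """Replay both rules; return {ip: first line number at which it is dropped}."""
    counters = {}   # ip -> (slow_dos_counter, expiry time)
    dropped = {}
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue
        ip, now, status = rec
        count, expires = counters.get(ip, (0, 0.0))
        if now >= expires:            # expirevar: the counter has lapsed
            count = 0
        if count > threshold:         # rule 2, phase:1: @gt 5 -> drop
            dropped.setdefault(ip, n)
            continue
        if status == 408:             # rule 1, phase:5: fires on a 408 response
            counters[ip] = (count + 1, now + ttl)   # setvar +1, expirevar 60
    return dropped

def log(ip, hms, status):
    """Constructed combined-format access-log line (hypothetical traffic)."""
    return (f'{ip} - - [22/Nov/2010:{hms} +0000] "POST /login HTTP/1.1" '
            f'{status} 0 "-" "Mozilla/5.0"')

SAMPLE_LOG = [
    log("203.0.113.7", "17:44:00", 408), log("198.51.100.9", "17:44:01", 408),
    log("203.0.113.7", "17:44:05", 408), log("203.0.113.7", "17:44:10", 408),
    log("203.0.113.7", "17:44:15", 200), log("203.0.113.7", "17:44:20", 408),
    log("203.0.113.7", "17:44:25", 408), log("203.0.113.7", "17:44:30", 408),
    log("203.0.113.7", "17:44:35", 408), log("198.51.100.9", "17:45:30", 408),
]
```

Note that rule 2 runs in phase 1, so the client is dropped on the request after its sixth 408, not on the sixth 408 itself; the second client's counter lapses before its second 408 because more than 60 s passed.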

Page 16

Other (potential?) Attack Vectors

• Complex structures such as: SOAP, JSON, REST
• Encapsulated protocols such as: SIP, AJAX binary streams

Page 17

Future Research

• Use a protocol fuzzer such as PEACH or SPIKE to explore the entropy of HTTP RFC-compliant input
• Use nested and/or broken data structures to detect server-side zombie behavior

If we knew what it was we were doing, it would not be called research, would it?

(Albert Einstein)

Page 18

Reference

• SlowLoris: http://ha.ckers.org/slowloris/
• Anti-SlowLoris Patch: http://synflood.at/tmp/anti-slowloris.diff
• Mitigation with ModSecurity: http://blog.spiderlabs.com/2010/11/advanced-topic-of-the-week-mitigating-slow-http-dos-attacks.html
• R.U.D.Y: http://hybridsec.com/tools/rudy/
• Chapters In Web Security: http://chaptersinwebsecurity.blogspot.com

Page 19

Thank You