Date posted: 10-May-2015 | Category: Technology | Uploaded by: miroslav-stampar
Hash DoS Attack
Miroslav Štampar ([email protected])
FER 2014, Zagreb (Croatia) January 17th, 2014 2
What is DoS (Denial of Service)?
“...attack where an attacker attempts to prevent legitimate users from accessing information or services...” (source: US-CERT)
High bandwidth DoS
- Exhaustion of (network) resources using high speed packet traffic generation
- Bandwidth is the most important factor
- TCP/SYN Flood, UDP Flood, ICMP Flood, HTTP Flood, Xmas Attack, etc.
- Low sophistication level (i.e. script-kiddie)
- Low to medium success rate (mostly depending on target's security awareness)
- Rate limitation, signatures, traffic anomalies, traffic redirection (i.e. CloudFlare), challenge/response, etc.
- Booters/Stressers (e.g. 60GBps – 24.99$/1h)
Low bandwidth DoS
- Exhaustion of resources without special bandwidth requirements
- In most cases one broadband line is enough
- Targeting higher layers of OSI model
- Standards, protocols and applications are (usually) made without covering all “malicious” scenarios (virtually impossible)
- Application Attacks, Slow Attacks, VoIP DoS, DNS Amplification, NTP Amplification, etc.
- Medium to high success rate
- Mitigation is hard (usually done at lower layers in generic manner)
#DoS
- Denial of Service through hash table (i.e. dictionary) multi-collisions (oCERT-2011-003)
- “...an attacker can degenerate the hash table by sending lots of colliding keys...”
- This issue has been known since at least 2003, but influenced only Perl and CRuby to adapt
- Insertion is O(n) in case of collision instead of O(1) (i.e. O(n²) for inserting n elements)
- POST requests are most interesting for this attack (typical malicious data is 1-4MB)
- 100% of CPU usage for up to several hours per single HTTP request
Example HTTP request
Consequences
Affected versions
- Apache Tomcat – 5.5.34 and prior, 6.0.34 and prior, 7.0.22 and prior
- Java – all versions
- JRuby – 1.6.5 and prior
- Microsoft ASP.NET – all versions (if unpatched with MS11-100)
- PHP – 5.3.8 and prior, 5.4.0RC3 and prior
- Python – 3.3.0 and prior (inadequate fix in 2.7.3 and 3.2.3)
- Ruby – 1.8.7-p356 and prior
- ...
Dictionary / Hash table
- HTTP request parameters are stored in a dictionary (i.e. {}) for fast and easy lookup
- Most common implementation of the dictionary is a hash table
- Insert, delete and lookup are (normally) being made with O(1)
- Hash tables must be able to deal with hash collisions (expected phenomenon)
- Used algorithms have to be fast and provide reasonable distribution of hashes
- No need for “cryptographically secure” properties (like in algorithms MD5 or SHA1)
Library analogy
- Imagine a librarian in a (huge) new library
- He wants to be able to do the lookups as fast as possible
- Instead of sequential (i.e. alphabetical) fill up, he programs a clever little “black box” that gives the location based on a book's title
- Result is (mostly) unique and calculated in a highly dispersed manner
- In case of collision he'll just put the book beside the existing or run another iteration
- In programming world that “black box” is called a hash algorithm
Insertion (oversimplified)
DJBX33A / DJBX31A / DJBX33X
- Daniel J. Bernstein “Times 33 Addition”
- Popular hash algorithm family used across a number of programming languages

#include <stdint.h>

/* hash = hash * 33 + c for every byte of the key, starting from 5381 */
uint32_t djbx33a(const char *arKey, uint32_t nKeyLength) {
    uint32_t hash = 5381;
    for (; nKeyLength > 0; nKeyLength -= 1) {
        hash = ((hash << 5) + hash) + *arKey++;
    }
    return hash;
}

- DJBX33A used in PHP 5, DJBX31A used in Java, DJBX33X used in PHP 4 and .NET, etc.
Demo #1
Brute force collision search
Equivalent substrings
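- Characteristic of linear hash functions (e.g. DJBX33A)
- If hashes of two strings collide then hashes of strings having them as substrings (at same position) will collide too

$\mathrm{djbx33a}(s) = 33^{n} \times 5381 + \sum_{i=1}^{n} 33^{n-i} \times s_i$

$\mathrm{djbx33a}(\text{'ws'}) = 33^2 \times 5381 + 33^1 \times 119 + 115 = 5863951$
$\mathrm{djbx33a}(\text{'xR'}) = 33^2 \times 5381 + 33^1 \times 120 + 82 = 5863951$

$\mathrm{djbx33a}(\text{'AwsB'}) = 33^4 \times 5381 + 33^3 \times 65 + 33^2 \times 119 + 33^1 \times 115 + 66 = 6383910258$
$\mathrm{djbx33a}(\text{'AxRB'}) = 33^4 \times 5381 + 33^3 \times 65 + 33^2 \times 120 + 33^1 \times 82 + 66 = 6383910258$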
Counting method
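- Popular method for linear hash functions
- If hashes of two strings collide then hashes of their binary permutations will collide too

$\mathrm{djbx33a}(\text{'ws'}) = 33^2 \times 5381 + 33^1 \times 119 + 115 = 5863951$
$\mathrm{djbx33a}(\text{'xR'}) = 33^2 \times 5381 + 33^1 \times 120 + 82 = 5863951$

$\mathrm{djbx33a}(\text{'wsws'}) = 33^4 \times 5381 + 33^3 \times 119 + 33^2 \times 115 + 33^1 \times 119 + 115 = 6385846681$
$\mathrm{djbx33a}(\text{'wsxR'}) = 33^4 \times 5381 + 33^3 \times 119 + 33^2 \times 115 + 33^1 \times 120 + 82 = 6385846681$
$\mathrm{djbx33a}(\text{'xRws'}) = 33^4 \times 5381 + 33^3 \times 120 + 33^2 \times 82 + 33^1 \times 119 + 115 = 6385846681$
$\mathrm{djbx33a}(\text{'xRxR'}) = 33^4 \times 5381 + 33^3 \times 120 + 33^2 \times 82 + 33^1 \times 120 + 82 = 6385846681$

$\text{'ws'} = 0,\ \text{'xR'} = 1$
$\mathrm{djbx33a}(00) = \mathrm{djbx33a}(01) = \mathrm{djbx33a}(10) = \mathrm{djbx33a}(11)$
$\mathrm{djbx33a}(000) = \mathrm{djbx33a}(001) = \mathrm{djbx33a}(010) = \mathrm{djbx33a}(011) = \mathrm{djbx33a}(100) = \dots$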
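A defender-side check built on the two collision properties above, as an added example that is not part of the original slides: it measures how many parameter names of one request share a single DJBX33A value. The function names, the `limit` policy and the sample key lists are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* DJBX33A from the slides, truncated to 32 bits as in a real hash table. */
static uint32_t djbx33a(const char *key, size_t len) {
    uint32_t hash = 5381;
    while (len--) hash = ((hash << 5) + hash) + (unsigned char)*key++;
    return hash;
}

static int cmp_u32(const void *a, const void *b) {
    uint32_t x = *(const uint32_t *)a, y = *(const uint32_t *)b;
    return (x > y) - (x < y);
}

/* Size of the largest group of keys that share one full 32-bit hash. */
size_t largest_collision_group(const char *const *keys, size_t n) {
    if (n == 0) return 0;
    uint32_t *h = malloc(n * sizeof *h);
    if (h == NULL) return n;   /* fail closed: report the worst case */
    for (size_t i = 0; i < n; i++) h[i] = djbx33a(keys[i], strlen(keys[i]));
    qsort(h, n, sizeof *h, cmp_u32);
    size_t best = 1, run = 1;
    for (size_t i = 1; i < n; i++) {
        run = (h[i] == h[i - 1]) ? run + 1 : 1;
        if (run > best) best = run;
    }
    free(h);
    return best;
}

/* Hypothetical policy: flag a request when more than `limit` names collide. */
int request_is_suspicious(const char *const *keys, size_t n, size_t limit) {
    return largest_collision_group(keys, n) > limit;
}

/* Constructed samples: the slides' 'ws'/'xR' blocks vs. ordinary names. */
static const char *const COLLIDING[] = {"wsws", "wsxR", "xRws", "xRxR"};
static const char *const BENIGN[] = {"user", "page", "lang", "sort"};

int main(void) {
    return !(request_is_suspicious(COLLIDING, 4, 2) &&
             !request_is_suspicious(BENIGN, 4, 2));
}
```

The values on the slides are written without the 32-bit truncation; 6385846681 reduced modulo 2^32 is 2090879385, which is what the function returns for all four constructed keys.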
Demo #2
Counting method collision search
Meet-in-the-middle (1)
- In case of non-linear hash functions (e.g. DJBX33X) guessing (brute force) approach seems to be the obvious way
- Choose target string (e.g. 'XzwAr2tq') and find colliding matches by birthday (guessing) attack
- 50% probability for hitting a target with the chosen hash value in $2^{31}$ tries (if the hash is a 32-bit value)
- 50% probability for hitting a target with one of two chosen hash values in $2^{30}$ tries (if the hash is a 32-bit value)
- ...
Meet-in-the-middle (2)
- This method tries to attack more than one (intermediate) target at a time
- Necessity is that the final hash value uniquely represents hash internal state and that hash iterative function can be inverted
- Searching for all strings s of length n having a final hash value $h_n$ (colliding)
- Iterate over all possible l-sized postfix strings and match with random m-sized prefix strings

$h_i \equiv 33 \times h_{i-1} \oplus s_i \pmod{2^{32}}$
$33 \times 1041204193 \equiv 1 \pmod{2^{32}}$
$1041204193 \times (h_i \oplus s_i) \equiv h_{i-1} \pmod{2^{32}}$
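The inversion step from this slide, worked through as an added example (not code from the original presentation): it derives the constant 1041204193 as the inverse of 33 modulo 2^32 and walks a hash state back over a known suffix. The start value 5381 and all function names are assumptions; 'XzwAr2tq' is the target string quoted on the previous slide.

```c
#include <stddef.h>
#include <stdint.h>

/* Inverse of an odd multiplier modulo 2^32 by Newton iteration. For odd a,
   a*a == 1 (mod 8), so x = a has 3 correct low bits; every round doubles
   that number (3 -> 6 -> 12 -> 24 -> 48), so four rounds cover 32 bits. */
uint32_t inverse_mod_2_32(uint32_t a) {
    uint32_t x = a;
    for (int i = 0; i < 4; i++) x *= 2u - a * x;
    return x;
}

/* Forward step from the slide: h_i = 33 * h_{i-1} XOR s_i (mod 2^32). */
uint32_t step(uint32_t h_prev, unsigned char s) {
    return (33u * h_prev) ^ s;
}

/* Backward step from the slide: h_{i-1} = 33^-1 * (h_i XOR s_i) (mod 2^32). */
uint32_t unstep(uint32_t h, unsigned char s) {
    return inverse_mod_2_32(33u) * (h ^ s);
}

/* Hash state after feeding len characters of s, starting from state h. */
uint32_t run_forward(uint32_t h, const char *s, size_t len) {
    for (size_t i = 0; i < len; i++) h = step(h, (unsigned char)s[i]);
    return h;
}

/* Undo the last len characters of s: from h_n back to h_{n-len}. */
uint32_t run_backward(uint32_t h, const char *s, size_t len) {
    while (len--) h = unstep(h, (unsigned char)s[len]);
    return h;
}

int main(void) {
    uint32_t h4 = run_forward(5381u, "XzwA", 4);   /* assumed start value */
    uint32_t h8 = run_forward(h4, "r2tq", 4);
    return run_backward(h8, "r2tq", 4) != h4;      /* 0 when the walk-back matches */
}
```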
Meet-in-the-middle (3)
- Choose arbitrary values m and l such that m+l=n (value l will depend on available memory)
- Choose arbitrary hash value $h_n$
- Iterate over all l-sized strings and store them into the memory together with respective hash states $h_{n-l}$ got by inverse iterative process
- Perform a birthday (guessing) attack by randomly finding m-sized strings having $h_m = h_{n-l}$
- Combining such m-sized (prefix) string value with corresponding (stored) l-sized (postfix) string value gives a colliding result $s = s_m + s_l$
- Results are fastest obtained when m=l=n/2
Meet-in-the-middle (4)
Meet-in-the-middle (5)
- Splitting in the middle (m=l=n/2) reduces the complexity of this attack by square root
- 50% probability for hitting a target with the chosen hash value in $2^{15.5}$ tries (if the hash is a 32-bit value)
- Also works for linear hash functions (e.g. DJBX33A)
- Originally targeting encryption methods achieving increased security by using multiple iterations of the same algorithm (e.g. 3DES)
Demo #3
Meet-in-the-middle collision search
Demo #4
LAMP Server (PHP 5)
Demo #5
IIS Server (ASP.NET)
Mitigation (low level)
- Hash (seed) randomization
  - new seed is generated on every interpreter, application and/or system start
  - breaking code that incorrectly relies on specific ordering of dictionary keys (official explanation from Python team)
  - CPython (-R) random seed has been successfully remotely recovered (by Jean-Philippe Aumasson and Daniel J. Bernstein :)
- Changing hash algorithm (e.g. to SipHash chosen by Python, Ruby, Perl, Rust, FreeBSD, Redis, etc.)
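An added example (not from the original slides) that contrasts the two low-level mitigations on the slides' own colliding keys: a hypothetical DJBX33A variant whose only secret is its initial value still maps 'wsws' and 'xRxR' to one value, because equal-length keys differ by a seed-independent amount, while keyed SipHash-2-4 separates them. The function names are assumptions, and the key in `main` is the published SipHash test key standing in for a secret random one.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical seeded DJBX33A: only the initial value 5381 is replaced. */
uint32_t djbx33a_seeded(const char *key, size_t len, uint32_t seed) {
    uint32_t hash = seed;
    while (len--) hash = ((hash << 5) + hash) + (unsigned char)*key++;
    return hash;
}

#define ROTL(x, b) (((x) << (b)) | ((x) >> (64 - (b))))
#define SIPROUND do { \
    v0 += v1; v1 = ROTL(v1, 13); v1 ^= v0; v0 = ROTL(v0, 32); \
    v2 += v3; v3 = ROTL(v3, 16); v3 ^= v2; \
    v0 += v3; v3 = ROTL(v3, 21); v3 ^= v0; \
    v2 += v1; v1 = ROTL(v1, 17); v1 ^= v2; v2 = ROTL(v2, 32); } while (0)

/* SipHash-2-4 with a 128-bit key (k0, k1) and a 64-bit result. */
uint64_t siphash24(const unsigned char *in, size_t len, uint64_t k0, uint64_t k1) {
    uint64_t v0 = 0x736f6d6570736575ULL ^ k0, v1 = 0x646f72616e646f6dULL ^ k1;
    uint64_t v2 = 0x6c7967656e657261ULL ^ k0, v3 = 0x7465646279746573ULL ^ k1;
    uint64_t last = (uint64_t)len << 56;      /* final word carries the length */
    size_t full = len / 8;
    for (size_t i = 0; i < full; i++) {
        uint64_t m = 0;                       /* little-endian 8-byte word */
        for (int j = 0; j < 8; j++) m |= (uint64_t)in[8 * i + j] << (8 * j);
        v3 ^= m; SIPROUND; SIPROUND; v0 ^= m;
    }
    for (size_t j = 0; j < (len & 7); j++)
        last |= (uint64_t)in[8 * full + j] << (8 * j);
    v3 ^= last; SIPROUND; SIPROUND; v0 ^= last;
    v2 ^= 0xff;
    SIPROUND; SIPROUND; SIPROUND; SIPROUND;
    return v0 ^ v1 ^ v2 ^ v3;
}

/* Do the slides' keys 'wsws' and 'xRxR' still collide under each scheme? */
int seeded_djbx33a_collides(uint32_t seed) {
    return djbx33a_seeded("wsws", 4, seed) == djbx33a_seeded("xRxR", 4, seed);
}
int siphash_collides(uint64_t k0, uint64_t k1) {
    return siphash24((const unsigned char *)"wsws", 4, k0, k1) ==
           siphash24((const unsigned char *)"xRxR", 4, k0, k1);
}

int main(void) {
    return !(seeded_djbx33a_collides(0xdeadbeefu) &&
             !siphash_collides(0x0706050403020100ULL, 0x0f0e0d0c0b0a0908ULL));
}
```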
Mitigation (high level)
- Limiting CPU time (e.g. max_input_time in PHP, CGITimeout in IIS, etc.)
- Limiting maximum POST size (e.g. post_max_size in PHP, suhosin.post.max_value_length in Suhosin hardened PHP, maxAllowedContentLength in ASP.NET, etc.)
- Limiting maximum number of HTTP request parameters (e.g. suhosin.request.max_vars in Suhosin hardened PHP, org.apache.tomcat.util.http.Parameters.MAX_COUNT in Tomcat, etc.)
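One way to apply the size and count limits above before request parameters ever reach a dictionary, as an added example (not from the original slides and not the code of PHP, Suhosin, IIS or Tomcat). The struct, the function name, the error codes and the values in `DEMO_LIMITS` are assumptions.

```c
#include <stddef.h>

enum { FORM_TOO_LARGE = -1, FORM_TOO_MANY_VARS = -2, FORM_VALUE_TOO_LONG = -3 };

/* Hypothetical limits mirroring the slide: total POST size, number of
   request parameters, and length of a single value. */
struct form_limits { size_t max_body; size_t max_vars; size_t max_value_len; };

/* Constructed demo limits, deliberately tiny so the samples can trip them. */
static const struct form_limits DEMO_LIMITS = {16, 3, 8};

/* Pre-scan an application/x-www-form-urlencoded body in O(len), before any
   key is inserted into a dictionary. Returns the parameter count, or a
   negative FORM_* code at the first violated limit. */
long prescan_form(const char *body, size_t len, const struct form_limits *lim) {
    if (len > lim->max_body) return FORM_TOO_LARGE;
    long vars = 0;
    size_t seg_start = 0, value_start = 0;
    int in_value = 0;
    for (size_t i = 0; i <= len; i++) {
        if (i == len || body[i] == '&') {          /* end of one name=value */
            if (in_value && i - value_start > lim->max_value_len)
                return FORM_VALUE_TOO_LONG;
            if (i > seg_start && (size_t)++vars > lim->max_vars)
                return FORM_TOO_MANY_VARS;         /* empty "&&" not counted */
            seg_start = i + 1;
            in_value = 0;
        } else if (body[i] == '=' && !in_value) {  /* first '=' starts value */
            in_value = 1;
            value_start = i + 1;
        }
    }
    return vars;
}

int main(void) {
    return prescan_form("a=1&b=2", 7, &DEMO_LIMITS) != 2;
}
```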
Questions?