Owasp universal-http-do s

529 views

Published on

Learn denial of service attack with backtrack 5 and other tools

Published in: Technology


Transcript

  • 1.
    • Universal HTTP Denial - of - Service
  • 2.
    • About Hybrid
    • Creating web-business-logic security
    • Doing cool stuff in AI research
    • Optimizing acceptance rate for Web-bound transactions
    • Minimizing false rejects typical to signature-based solutions
  • 3.
  • 4. How Would You Like Your Website? Slow or DEAD ?
    • Slowloris abuses handling of HTTP request headers ssslooowly…
    • Written by RSnake
    • Iteratively injects one custom header at a time and goes to sleep
    • Web server vainly awaits the blank line (the terminating CRLF) that will never come
    • Stuck in phase I forever. Kinda like Tron
    • R-U-Dead-Yet? abuses HTTP web form fields
    • Iteratively injects one custom byte into a web application post field and goes to sleep
    • Application threads become zombies awaiting ends of posts till death lurks upon the website
    • Stuck in phase II forever. Kinda like Tron sequels
  • 5. SlowLoris
    • According to HTTP RFC 2616:
    • Request = Request-Line
    • *(( general-header
    • | request-header
    • | entity-header ) CRLF )
    • CRLF
    • [ message-body ]
  • 6. SlowLoris
    • GET http://www.google.com/ HTTP/1.1
    • Host: www.google.com
    • Connection: keep-alive
    • User-Agent: Mozilla/5.0
    • X-a: b
    • X-a: b
    • X-a: b
    • X-a: b
    • X-a: b
    • X-a: b
  • 7. SlowLoris
    • DEMO
  • 8. SlowLoris Mitigation
  • 9. Patching Apache
    • Use Apache Patch to moderate average timeout thresholds (Link at end of presentation)
  • 10. According to SpiderLabs:
    • ModSecurity >=2.5.13
    • Add directive: "SecReadStateLimit 5"
    • Then ModSecurity alerts like this: "[Mon Nov 22 17:44:46 2010] [warn] ModSecurity: Access denied with code 400. Too many connections [6] of 5 allowed in READ state from 211.144.112.20 - Possible DoS Consumption Attack [Rejected]"
  • 11. R-U-D-Y
    • POST http://victim.com/
    • Host: victim.com
    • Connection: keep-alive
    • Content-Length: 1000000
    • User-Agent: Mozilla/5.0
    • Cookie: __utmz=181569312.1294666144.1.1
    • username=AAAAAAAAAAAAAAAAAAAAAAAAA…
    Vulnerability discovered by Tom Brennan and Wong Onn Chee: http://www.owasp.org/images/4/43/Layer_7_DDOS.pdf
  • 12. R-U-D-Y
    • DEMO
  • 13. Waging War Upon SCADA
  • 14. Waging War Upon SCADA
    • Stuxnet operated from within Iran’s nuclear facilities to tamper with uranium-enrichment centrifuges
    • R-U-D-Y integrated with SHODAN’s API could allow automatic location and disruption of Web-facing SCADA controllers from any anonymous location on Earth
  • 15. R-U-D-Y Mitigation
    • Add directive: "RequestReadTimeout body=30"
    • Add a rule (two SecRule directives: the first counts 408 timeouts per client IP and expires the counter after 60 seconds, the second drops the client once the counter exceeds 5):
    • SecRule RESPONSE_STATUS "@streq 408" "phase:5,t:none,nolog,pass,setvar:ip.slow_dos_counter=+1,expirevar:ip.slow_dos_counter=60"
    • SecRule IP:SLOW_DOS_COUNTER "@gt 5" "phase:1,t:none,log,drop,msg:'Client Connection Dropped due to high # of slow DoS alerts'"
  • 16. Other (potential?) Attack Vectors
    • Complex structures such as: SOAP, JSON, REST
    • Encapsulated protocols such as: SIP, AJAX binary streams
  • 17. Future Research
    • Use a protocol fuzzer such as PEACH or SPIKE to explore the entropy of HTTP RFC-compliant input
    • Use nested and/or broken data structures to detect server-side zombie behavior
    If we knew what it was we were doing, it would not be called research, would it? (Albert Einstein)
  • 18. Reference
    • SlowLoris: http://ha.ckers.org/slowloris/
    • Anti-SlowLoris Patch: http://synflood.at/tmp/anti-slowloris.diff
    • Mitigation with ModSecurity: http://blog.spiderlabs.com/2010/11/advanced-topic-of-the-week-mitigating-slow-http-dos-attacks.html
    • R.U.D.Y: http://hybridsec.com/tools/rudy/
    • Chapters In Web Security: http://chaptersinwebsecurity.blogspot.com
  • 19. Thank You
    • [email_address]
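The R-U-D-Y mitigation on slide 15 (count 408 request-read timeouts per client IP, expire the counter after 60 seconds, drop the client once it exceeds 5) can be replayed offline against web-server access logs to see which clients the rule pair would have dropped. The script below is an added example written for this page, not code from the presentation or from the referenced tools; it assumes Apache combined-format log lines and uses constructed sample entries.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "combined" log line; the status field is what the ModSecurity rule keys on.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
WINDOW_SECONDS = 60   # mirrors expirevar:ip.slow_dos_counter=60
THRESHOLD = 5         # mirrors SecRule IP:SLOW_DOS_COUNTER "@gt 5"

def parse_line(line):
    """Return (client_ip, timestamp, status) or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), int(m.group("status"))

def find_slow_dos_clients(lines, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Count 408 (RequestReadTimeout) responses per client IP in a sliding window
    and return {ip: timestamp at which it first exceeded the threshold}."""
    recent = defaultdict(deque)   # ip -> timestamps of 408s still inside the window
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[2] != 408:
            continue
        ip, ts, _ = parsed
        q = recent[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window:   # expire old entries
            q.popleft()
        if len(q) > threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged

# Constructed sample log (not real traffic): one client times out six times in
# 25 s, another times out six times but two minutes apart, plus one normal request.
SAMPLE_LOG = [
    f'203.0.113.5 - - [22/Nov/2010:17:44:{s:02d} +0000] "POST / HTTP/1.1" 408 0 "-" "Mozilla/5.0"'
    for s in (0, 5, 10, 15, 20, 25)
] + [
    f'198.51.100.7 - - [22/Nov/2010:17:{m:02d}:00 +0000] "GET / HTTP/1.1" 408 0 "-" "Mozilla/5.0"'
    for m in (10, 12, 14, 16, 18, 20)
] + ['192.0.2.9 - - [22/Nov/2010:17:44:46 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"']

if __name__ == "__main__":
    for ip, when in find_slow_dos_clients(SAMPLE_LOG).items():
        print(f"{ip} exceeded {THRESHOLD} slow-request timeouts at {when:%H:%M:%S}; drop")
```

The slowly spaced client never accumulates more than one live entry, which is exactly why the 60-second expirevar matters: without it an ordinary client that occasionally times out would eventually be dropped too.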