OWASP Universal HTTP DoS
http://www.ehacking.net/2011/09/r-u-dead-yet-http-post-denial-of.html
DoS attacks with BackTrack and other Linux and Windows ethical hacking.
Uploaded as Microsoft PowerPoint
© All Rights Reserved
Presentation Transcript

    • Universal HTTP Denial-of-Service
    • About Hybrid
    • Creating web-business-logic security
    • Doing cool stuff in AI research
    • Optimizing acceptance rate for Web-bound transactions
    • Minimizing false rejects typical to signature-based solutions
  • How Would You Like Your Website? Slow or DEAD ?
    • Slowloris abuses handling of HTTP request headers ssslooowly…
    • Written by RSnake
    • Iteratively injects one custom header at a time and goes to sleep
    • Web server vainly awaits the blank line (an empty CRLF) that ends the header block and never comes
    • Stuck in phase I (header parsing) forever. Kinda like Tron
    • R-U-Dead-Yet? abuses HTTP web form fields
    • Announces a large Content-Length, then iteratively injects one byte into a web application POST field and goes to sleep
    • Application threads become zombies awaiting the end of each POST, till death lurks upon the website
    • Stuck in phase II (body parsing) forever. Kinda like Tron sequels
  • SlowLoris
    • According to HTTP RFC 2616 (section 5), a request is:
    • Request = Request-Line
    • *(( general-header
    • | request-header
    • | entity-header ) CRLF )
    • CRLF
    • [ message-body ]
  • SlowLoris
    • GET http://www.google.com/ HTTP/1.1
    • Host: www.google.com
    • Connection: keep-alive
    • User-Agent: Mozilla/5.0
    • X-a: b
    • X-a: b
    • X-a: b
    • X-a: b
    • X-a: b
    • X-a: b
    • (one X-a: b header per sleep interval; the blank line that would end the headers is never sent)
  • SlowLoris
    • DEMO
  • SlowLoris Mitigation
  • Patching Apache
    • Use the anti-Slowloris Apache patch to lower the per-connection header read timeout (link at end of presentation); Apache 2.2.15+ ships mod_reqtimeout for the same purpose
  • According to SpiderLabs:
    • ModSecurity >=2.5.13
    • Add directive: "SecReadStateLimit 5" (limits connections in the READ state per source IP; spelled SecConnReadStateLimit from ModSecurity 2.7)
    • Then ModSecurity alerts like this: "[Mon Nov 22 17:44:46 2010] [warn] ModSecurity: Access denied with code 400. Too many connections [6] of 5 allowed in READ state from 211.144.112.20 - Possible DoS Consumption Attack [Rejected]"
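    An added configuration example (not from the slides or the SpiderLabs post) putting the two mitigations side by side in Apache syntax: the weak state in which header reading has no deadline, the hardened mod_reqtimeout setting (Apache 2.2.15+ / 2.4), and the ModSecurity connection limit quoted above. The numeric values and the module path are assumptions; tune them to the site.

```apache
# Added example: Apache request-read limits against Slowloris-style clients.
# Module path and numbers are assumptions for illustration.
LoadModule reqtimeout_module modules/mod_reqtimeout.so

# Weak: header=0 disables the deadline, so a client that sends one header
# every few seconds and never the blank line holds a worker indefinitely
# (the core Timeout directive only bounds the wait between two packets).
# RequestReadTimeout header=0 body=0

# Hardened: headers must complete within 20 s, extended up to 40 s while
# the client keeps delivering at least 500 bytes/s; same shape for the
# body, so a one-byte-per-sleep POST is cut off as well. Apache answers
# a stalled request with 408 Request Timeout.
RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500

<IfModule security2_module>
    SecRuleEngine On
    # Reject a source IP holding more than 5 connections in the READ state
    # (ModSecurity 2.5.13 to 2.6 spelling; SecConnReadStateLimit from 2.7).
    SecReadStateLimit 5
</IfModule>
```

    The two controls are complementary: RequestReadTimeout frees a worker per connection, SecReadStateLimit caps how many half-read connections one client may hold at once.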
  • R-U-D-Y
    • POST http://victim.com/ HTTP/1.1
    • Host: victim.com
    • Connection: keep-alive
    • Content-Length: 1000000
    • User-Agent: Mozilla/5.0
    • Cookie: __utmz=181569312.1294666144.1.1
    • username=AAAAAAAAAAAAAAAAAAAAAAAAA… (the declared 1,000,000-byte body arrives one byte per sleep interval)
    Vulnerability discovered by Tom Brennan and Wong Onn Chee: http://www.owasp.org/images/4/43/Layer_7_DDOS.pdf
  • R-U-D-Y
    • DEMO
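    An added example, not code from the slides or from the Slowloris and R-U-D-Y tools, covering both the Slowloris request above and the R-U-D-Y request: a virtual-clock model of a worker reading one request in the two phases the deck calls phase I (headers, until the blank line) and phase II (body, until Content-Length bytes). Each phase gets its own deadline, imitating mod_reqtimeout's RequestReadTimeout header=/body= (MinRate is not modelled). The request texts, sleep intervals and timeout values are constructed assumptions.

```python
"""Added example: two-phase HTTP request reading under slow clients.

Not from the presentation. Traffic is constructed inline; the per-phase
deadlines imitate RequestReadTimeout header=/body= (assumed values)."""
import math
from dataclasses import dataclass

HEADER_END = b"\r\n\r\n"   # the blank line that closes the header block


@dataclass
class ReadResult:
    status: str        # "complete", "408" (deadline hit) or "hung" (no deadline, client silent)
    phase: str         # "I" = still reading headers, "II" = still reading body
    elapsed: float     # virtual seconds the worker spent on this request
    header_bytes: int
    body_bytes: int


def parse_content_length(head: bytes) -> int:
    """Return the declared Content-Length, or 0 when the header is absent."""
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            return int(value.strip())
    return 0


def _read_phase(chunks, idx, clock, buf, done, timeout):
    """Consume (delay, data) chunks until done(buf) or the phase deadline passes.

    Returns (finished, next_idx, clock, buf); on failure clock is the deadline,
    which is math.inf when the server has no timeout at all."""
    deadline = clock + timeout
    while not done(buf):
        if idx >= len(chunks) or clock + chunks[idx][0] > deadline:
            return False, idx, deadline, buf
        delay, data = chunks[idx]
        idx += 1
        clock += delay
        buf += data
    return True, idx, clock, buf


def read_request(chunks, header_timeout=20.0, body_timeout=20.0) -> ReadResult:
    """Model one worker reading a request; phases I and II are timed separately."""
    ok, idx, clock, buf = _read_phase(chunks, 0, 0.0, b"",
                                      lambda b: HEADER_END in b, header_timeout)
    if not ok:
        return ReadResult("hung" if math.isinf(clock) else "408", "I", clock, len(buf), 0)
    head, _, body = buf.partition(HEADER_END)
    header_len = len(head) + len(HEADER_END)
    need = parse_content_length(head)
    ok, idx, clock, body = _read_phase(chunks, idx, clock, body,
                                       lambda b: len(b) >= need, body_timeout)
    if not ok:
        return ReadResult("hung" if math.isinf(clock) else "408", "II", clock, header_len, len(body))
    return ReadResult("complete", "II" if need else "I", clock, header_len, len(body))


def normal_post():
    """Constructed well-behaved client: headers, then the whole body 100 ms later."""
    return [(0.0, b"POST /login HTTP/1.1\r\nHost: www.example.com\r\n"
                  b"Content-Length: 11\r\n\r\n"),
            (0.1, b"username=ab")]


def slowloris(headers_sent=6, interval=10.0):
    """Constructed Slowloris pattern: one bogus header per sleep, never the blank line."""
    chunks = [(0.0, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
                    b"Connection: keep-alive\r\nUser-Agent: Mozilla/5.0\r\n")]
    return chunks + [(interval, b"X-a: b\r\n")] * headers_sent


def rudy(body_bytes_sent=5, interval=10.0):
    """Constructed R-U-Dead-Yet pattern: complete headers announcing a 1 MB body,
    then one byte of the form field per sleep."""
    chunks = [(0.0, b"POST /login HTTP/1.1\r\nHost: www.example.com\r\n"
                    b"Content-Length: 1000000\r\n"
                    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                    b"username=")]
    return chunks + [(interval, b"A")] * body_bytes_sent


if __name__ == "__main__":
    for name, traffic in [("normal", normal_post()), ("slowloris", slowloris()), ("rudy", rudy())]:
        print(name, "no deadlines:     ", read_request(traffic, math.inf, math.inf))
        print(name, "header=20 body=30:", read_request(traffic, 20.0, 30.0))
```

    With no deadlines both attack patterns leave the worker "hung" in phase I or phase II respectively, which is the zombie behaviour the slides describe; with header=20 and body=30 the same traffic is cut off with a 408 at the deadline while the normal POST completes in 0.1 s.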
  • Waging War Upon SCADA
    • Stuxnet operated from within Iran’s nuclear facilities to tamper with uranium-enrichment centrifuges
    • R-U-D-Y integrated with SHODAN’s API could allow automatic location and disruption of Web-facing SCADA controllers from any anonymous location on Earth
  • R-U-D-Y Mitigation
    • Add directive (mod_reqtimeout, Apache 2.2.15+): "RequestReadTimeout body=30"; a body that stalls past 30 s is answered with 408 Request Timeout
    • Add rules (the ip collection must already be initialised, e.g. initcol:ip=%{REMOTE_ADDR}, for ip.slow_dos_counter to exist):
    • SecRule RESPONSE_STATUS "@streq 408" "phase:5,t:none,nolog,pass,setvar:ip.slow_dos_counter=+1,expirevar:ip.slow_dos_counter=60"
    • SecRule IP:SLOW_DOS_COUNTER "@gt 5" "phase:1,t:none,log,drop,msg:'Client Connection Dropped due to high # of slow DoS alerts'"
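    An added example (not from the slides or the SpiderLabs post) that replays the logic of the two ModSecurity rules above over constructed Apache combined-log lines. A 408 in the log is what Apache writes when mod_reqtimeout gives up on a slow client; the tracker counts those per source IP (the phase 5 rule), lets the counter expire 60 s after its last increment (expirevar semantics) and drops that client's next request once its headers arrive (the phase 1 rule) when the count exceeds the threshold. The IP addresses, timestamps and log lines are made up.

```python
"""Added example: replay of the ip.slow_dos_counter rule pair over log lines.

Not from the presentation. Log entries are constructed; rule semantics follow
the two SecRule lines in the slide (threshold 5, expiry 60 s)."""
import re
from datetime import datetime, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) ')


def parse_line(line):
    """Return (ip, unix_time, status) for a combined-log line, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), when.timestamp(), int(m.group("status"))


class SlowDosTracker:
    """Mirrors ip.slow_dos_counter with setvar/expirevar semantics."""

    def __init__(self, threshold=5, ttl=60.0):
        self.threshold = threshold
        self.ttl = ttl
        self._counter = {}          # ip -> (count, expires_at)

    def count(self, ip, now):
        value, expires_at = self._counter.get(ip, (0, 0.0))
        if now >= expires_at:       # expirevar: the whole variable disappears
            self._counter.pop(ip, None)
            return 0
        return value

    def should_drop(self, ip, now):
        """Phase 1 rule: SecRule IP:SLOW_DOS_COUNTER "@gt 5" ... drop."""
        return self.count(ip, now) > self.threshold

    def record_response(self, ip, now, status):
        """Phase 5 rule: on RESPONSE_STATUS 408, setvar +1 and expirevar 60."""
        if status == 408:
            self._counter[ip] = (self.count(ip, now) + 1, now + self.ttl)


def replay(lines, threshold=5, ttl=60.0):
    """Run the log through the tracker; return (ip, unix_time) of every request
    the phase-1 rule would have dropped before the body was read."""
    tracker = SlowDosTracker(threshold, ttl)
    dropped = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, now, status = parsed
        if tracker.should_drop(ip, now):
            dropped.append((ip, now))
            continue                # connection dropped: no response phase runs
        tracker.record_response(ip, now, status)
    return dropped


def _entry(ip, hhmmss, status, method="POST", path="/login"):
    """Build one constructed combined-log line."""
    return (f'{ip} - - [22/Nov/2010:{hhmmss} +0000] "{method} {path} HTTP/1.1" '
            f'{status} 0 "-" "Mozilla/5.0"')


# Constructed log: one client times out eight times within eight seconds, a
# second client times out twice more than 60 s apart, plus ordinary 200s.
SAMPLE_LOG = [
    _entry("211.144.112.20", "17:44:46", 408),
    _entry("211.144.112.20", "17:44:47", 408),
    _entry("211.144.112.20", "17:44:48", 408),
    _entry("198.51.100.7", "17:44:48", 200, "GET", "/"),
    _entry("211.144.112.20", "17:44:49", 408),
    _entry("211.144.112.20", "17:44:50", 408),
    _entry("211.144.112.20", "17:44:51", 408),
    _entry("198.51.100.7", "17:44:52", 408),
    _entry("211.144.112.20", "17:44:52", 408),   # 7th: counter is 6, dropped
    _entry("211.144.112.20", "17:44:53", 408),   # 8th: still dropped
    _entry("198.51.100.7", "17:46:00", 408),     # 68 s later: counter had expired
    _entry("198.51.100.7", "17:46:01", 200, "GET", "/"),
]

if __name__ == "__main__":
    for ip, when in replay(SAMPLE_LOG):
        stamp = datetime.fromtimestamp(when, timezone.utc)
        print(f"drop {ip} at {stamp:%H:%M:%S}")
```

    Two properties of the rule pair are visible in the replay: the drop only takes effect on the request after the sixth timeout, since phase 5 runs after the response, and the 60 s expiry is measured from the last increment, so a client whose timeouts are spread out never accumulates a count.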
  • Other (potential?) Attack Vectors
    • Complex structures such as: SOAP, JSON, REST
    • Encapsulated protocols such as: SIP, AJAX binary streams
  • Future Research
    • Use a protocol fuzzer such as PEACH or SPIKE to explore the entropy of HTTP RFC-compliant input
    • Use nested and/or broken data structures to detect server-side zombie behavior
    If we knew what it was we were doing, it would not be called research, would it? (Albert Einstein)
  • Reference
    • SlowLoris: http://ha.ckers.org/slowloris/
    • Anti-SlowLoris Patch: http://synflood.at/tmp/anti-slowloris.diff
    • Mitigation with ModSecurity: http://blog.spiderlabs.com/2010/11/advanced-topic-of-the-week-mitigating-slow-http-dos-attacks.html
    • R.U.D.Y: http://hybridsec.com/tools/rudy/
    • Chapters In Web Security: http://chaptersinwebsecurity.blogspot.com
    • [email_address]
    Thank You