Owasp universal-http-do s


Published on

Learn denial of service attack with backtrack 5 and other tools

Published in: Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Owasp universal-http-do s

  1. 1. <ul><li>Universal HTTP Denial - of - Service </li></ul>
  2. 2. <ul><li>About Hybrid </li></ul><ul><li>Creating web-business-logic security </li></ul><ul><li>Doing cool stuff in AI research </li></ul><ul><li>Optimizing acceptance rate for Web-bound transactions </li></ul><ul><li>Minimizing false rejects typical to signature-based solutions </li></ul>
  3. 4. How Would You Like Your Website? Slow or DEAD ? <ul><li>Slowloris abuses handling of HTTP request headers ssslooowly… </li></ul><ul><li>Written by RSnake </li></ul><ul><li>Iteratively injects one custom header at a time and goes to sleep </li></ul><ul><li>Web server vainly awaits the line space that will never come  </li></ul><ul><li>Stuck in phase I forever. Kinda like Tron </li></ul><ul><li>R-U-Dead-Yet? abuses HTTP web form fields </li></ul><ul><li>Iteratively injects one custom byte into a web application post field and goes to sleep </li></ul><ul><li>Application threads become zombies awaiting ends of posts till death lurks upon the website </li></ul><ul><li>Stuck in phase II forever. Kinda like Tron sequels </li></ul>
  4. 5. SlowLoris <ul><li>According to HTTP RFC 2616: </li></ul><ul><li>Request = Request-Line </li></ul><ul><li>*(( general-header </li></ul><ul><li>| request-header </li></ul><ul><li>| entity-header ) CRLF ) </li></ul><ul><li>CRLF </li></ul><ul><li>[ message-body ] </li></ul>
  5. 6. SlowLoris <ul><li>GET http://www.google.com/ HTTP/1.1 </li></ul><ul><li>Host: www.google.com </li></ul><ul><li>Connection: keep-alive </li></ul><ul><li>User-Agent: Mozilla/5.0 </li></ul><ul><li>X-a: b </li></ul><ul><li>X-a: b </li></ul><ul><li>X-a: b </li></ul><ul><li>X-a: b </li></ul><ul><li>X-a: b </li></ul><ul><li>X-a: b </li></ul>
  6. 7. SlowLoris <ul><li>DEMO </li></ul>
  7. 8. SlowLoris Mitigation
  8. 9. Patching Apache <ul><li>Use Apache Patch to moderate average timeout thresholds (Link at end of presentation) </li></ul>
  9. 10. According to SpiderLabs: <ul><li>ModSecurity >=2.5.13 </li></ul><ul><li>Add directive: “ SecReadStateLimit 5 ” </li></ul><ul><li>Then ModSecurity Alerts like this: “ [Mon Nov 22 17:44:46 2010] [warn] ModSecurity: Access denied with code 400. Too many connections [6] of 5 allowed in READ state from - Possible DoS Consumption Attack [Rejected] ” </li></ul>
  10. 11. R-U-D-Y <ul><li>POST http://victim.com/ </li></ul><ul><li>Host: victim.com </li></ul><ul><li>Connection: keep-alive </li></ul><ul><li>Content-Length: 1000000 </li></ul><ul><li>User-Agent: Mozilla/5.0 </li></ul><ul><li>Cookie: __utmz=181569312.1294666144.1.1 </li></ul><ul><li>username=AAAAAAAAAAAAAAAAAAAAAAAAA… </li></ul>Vulnerability discovered by Tom Brennan and Wong Onn Chee: http://www.owasp.org/images/4/43/Layer_7_DDOS.pdf
  11. 12. R-U-D-Y <ul><li>DEMO </li></ul>
  12. 13. Waging War Upon SCADA
  13. 14. Waging War Upon SCADA <ul><li>Stuxnet operated from within Iran’s nuclear facilities to tamper with uranium-enrichment centrifuges </li></ul><ul><li>R-U-D-Y integrated with SHODAN’s API could allow automatic location and disruption of Web-facing SCADA controllers from any anonymous location on Earth </li></ul>
  14. 15. R-U-D-Y Mitigation <ul><li>Add directive: “ RequestReadTimeout body=30 ” </li></ul><ul><li>Add a rule: SecRule RESPONSE_STATUS &quot;@streq 408“ &quot;phase:5,t:none,nolog,pass, setvar:ip.slow_dos_counter=+1,expirevar:ip. slow_dos_counter=60&quot; SecRule IP:SLOW_DOS_COUNTER &quot;@gt 5“ &quot;phase:1,t:none,log,drop, msg:'Client Connection Dropped due to high # of slow DoS alerts'&quot; </li></ul>
  15. 16. Other (potential?) Attack Vectors <ul><li>Complex structures such as: SOAP, JSON, REST </li></ul><ul><li>Encapsulated protocols such as: SIP, AJAX binary streams </li></ul>
  16. 17. Future Research <ul><li>Use a protocol fuzzer such as PEACH or SPIKE to explore the entropy of HTTP RFC-compliant input </li></ul><ul><li>Use nested and/or broken data structures to detect server-side zombie behavior </li></ul>If we knew what it was we were doing, it would not be called research, would it? (Albert Einstein)
  17. 18. <ul><li>SlowLoris: http://ha.ckers.org/slowloris/ </li></ul><ul><li>Anti-SlowLoris Patch: http://synflood.at/tmp/anti-slowloris.diff </li></ul><ul><li>Mitigation with ModSecurity: http://blog.spiderlabs.com/2010/11/advanced-topic-of-the-week-mitigating-slow-http-dos-attacks.html </li></ul><ul><li>R.U.D.Y: http:// hybridsec.com/tools/rudy / </li></ul><ul><li>Chapters In Web Security: http:// chaptersinwebsecurity.blogspot.com </li></ul>Reference
  18. 19. <ul><li>[email_address] </li></ul>Thank You