Hash DoS Attack

Hash DoS Attack
Miroslav Štampar
(mstampar@zsis.hr)
Hash DoS Attack
Miroslav Štampar
(mstampar@zsis.hr)

FER 2014, Zagreb (Croatia) January 17th, 2014 2
What is DoS (Denial of Service)?
“...attack where an attacker attempts
to prevent legitimate users from
accessing information or services...”
(source: US-CERT)

High bandwidth DoS
Exhaustion of (network) resources using high
speed packet traffic generation
Bandwidth is the most important factor
TCP/SYN Flood, UDP Flood, ICMP Flood, HTTP
Flood, Xmas Attack, etc.
Low sophistication level (i.e. script-kiddie)
Low to medium success rate (mostly
depending on target's security awareness)
Rate limitation, signatures, traffic anomalies,
traffic redirection (i.e. CloudFlare), challenge/
response, etc.
Booters/Stressers (e.g. 60GBps – 24.99$/1h)

Low bandwidth DoS
Exhaustion of resources without special
bandwidth requirements
In most cases one broadband line is enough
Targeting higher layers of OSI model
Standards, protocols and applications are
(usually) made without covering all “malicious”
scenarios (virtually impossible)
Application Attacks, Slow Attacks, VoIP DoS,
DNS Amplification, NTP Amplification, etc.
Medium to high success rate
Mitigation is hard (usually done at lower layers
in generic manner)

#DoS
Denial of Service through hash table (i.e.
dictionary) multi-collisions (oCERT-2011-003)
“...an attacker can degenerate the hash table
by sending lots of colliding keys...”
This issue has been known since at least 2003,
but influenced only Perl and CRuby to adapt
Insertion is O(n) in case of collision instead of
O(1) (i.e. O(n²) for inserting n elements)
POST requests are most interesting for this
attack (typical malicious data is 1-4MB)
100% of CPU usage for up to several hours per
single HTTP request

Example HTTP request

Consequences

Affected versions
Apache Tomcat – 5.5.34 and prior, 6.0.34 and
prior, 7.0.22 and prior
Java – all versions
JRuby – 1.6.5 and prior
Microsoft ASP.NET – all versions (if unpatched
with MS11-100)
PHP – 5.3.8 and prior, 5.4.0RC3 and prior
Python – 3.3.0 and prior (inadequate fix in
2.7.3 and 3.2.3)
Ruby – 1.8.7-p356 and prior
...

Dictionary / Hash table
HTTP request parameters are stored in a
dictionary (i.e. {}) for fast and easy lookup
Most common implementation of the dictionary
is a hash table
Insert, delete and lookup are (normally) being
made with O(1)
Hash tables must be able to deal with hash
collisions (expected phenomenon)
Used algorithms have to be fast and provide
reasonable distribution of hashes
No need for “cryptographically secure”
properties (like in algorithms MD5 or SHA1)

Library analogy
Imagine a librarian in a (huge) new library
He wants to be able to do the lookups as fast
as possible
Instead of sequential (i.e. alphabetical) fill up,
he programs a clever little “black box” that
gives the location based on a book's title
Result is (mostly) unique and calculated in a
highly dispersed manner
In case of collision he'll just put the book
beside the existing or run another iteration
In programming world that “black box” is called
a hash algorithm

Insertion (oversimplified)

DJBX33A / DJBX31A / DJBX33X
Daniel J. Bernstein “Times 33 Addition”
Popular hash algorithm family used across
number of programming languages
uint32_t djbx33a(const char *arKey, uint32_t
nKeyLength) {
uint32_t hash = 5381;
for (; nKeyLength > 0; nKeyLength -=1) {
hash = ((hash << 5) + hash) + *arKey++;
}
return hash;
}
DJBX33A used in PHP 5, DJBX31A used in Java,
DJBX33X used in PHP 4 and .NET, etc.

Demo #1
Brute force collision search

Equivalent substrings
Characteristic of linear hash functions (e.g.
DJBX33A)
If hashes of two strings collide then hashes of
strings having them as substrings (at same
position) will collide too
djbx33a(s)=33
n
×5381+∑
i=1
i=n
33
n−i
×si
djbx33a(' ws' )=332
×5381+331
×119+115=5863951
djbx33a(' xR ')=332
×5381+331
×120+82=5863951
djbx33a(' AwsB')=334
×5381+333
×65+332
×119+331
×115+66=6383910258
djbx33a(' AxRB')=33
4
×5381+33
3
×65+33
2
×120+33
1
×82+66=6383910258

Counting method
Popular method for linear hash functions
If hashes of two strings collide then hashes of
their binary permutations will collide too
djbx33a(' ws' )=33
2
×5381+33
1
×119+115=5863951
djbx33a(' xR' )=332
×5381+331
×120+82=5863951
djbx33a(' wsws' )=33
4
×5381+33
3
×119+33
2
×115+33
1
×119+115=6385846681
djbx33a(' wsxR' )=334
×5381+333
×119+332
×115+331
×120+82=6385846681
djbx33a(' xRws')=33
4
×5381+33
3
×120+33
2
×82+33
1
×119+115=6385846681
djbx33a(' xRxR' )=334
×5381+333
×120+332
×82+331
×120+82=6385846681
' ws'=0,' xR'=1
djbx33a(00)=djbx33a(01)=djbx33a(10)=djbx33a(11)
djbx33a(000)=djbx33a(001)=djbx33a(010)=djbx33a(011)=djbx33a(100)=...

Demo #2
Counting method collision search

Meet-in-the-middle (1)
In case of non-linear hash functions (e.g.
DJBX33X) guessing (brute force) approach
seems to be the obvious way
Choose target string (e.g. 'XzwAr2tq') and find
colliding matches by birthday (guessing) attack
50% probability for hitting a target with the
chosen hash value in tries (if the hash is a
32-bit value)
50% probability for hitting a target with one of
two chosen hash values in tries (if the hash
is a 32-bit value)
...
2
31
230

This method tries to attack more than one
(intermediate) target at a time
Necessity is that the final hash value uniquely
represents hash internal state and that hash
iterative function can be inverted
Searching for all strings s of length n having a
final hash value (colliding)
Iterate over all possible l-sized postfix strings
and match with random m-sized prefix strings
hi≡33×hi−1⊕si (mod 232
)
33×1041204193≡1(mod 2
32
)
1041204193×(hi⊕si )≡hi−1(mod 232
)
hn

Choose arbitrary values m and l such as m+l=n
(value l will depend on available memory)
Choose arbitrary hash value
Iterate over all l-sized strings and store them
into the memory together with respective hash
states got by inverse iterative process
Perform a birthday (guessing) attack by
randomly finding m-sized strings having
Combining such m-sized (prefix) string value
with corresponding (stored) l-sized (postfix)
string value gives a colliding result
Results are fastest obtained when m=l=n/2
hn−l
hn
hm=hn−l
s=sm+sl

Splitting in the middle (m=l=n/2) reduces the
complexity of this attack by square root
50% probability for hitting a target with the
chosen hash value in tries (if the hash is a
32-bit value)
Also works for linear hash functions (e.g.
DJBX33A)
Originally targeting encryption methods
achieving increased security by using multiple
iterations of the same algorithm (e.g. 3DES)
215.5

Demo #3
Meet-in-the-middle collision search

Demo #4
LAMP Server (PHP 5)

Demo #5
IIS Server (ASP.NET)

Mitigation (low level)
Hash (seed) randomization
new seed is generated on every interpreter,
application and/or system start
breaking code that incorrectly relies on specific
ordering of dictionary keys (official explanation
from Python team)
CPython (-R) random seed has been successfully
remotely recovered (by Jean-Philippe Aumasson
and Daniel J. Bernstein :)
Changing hash algorithm (e.g. to SipHash
chosen by Python, Ruby, Perl, Rust, FreeBSD,
Redis, etc.)

Mitigation (high level)
Limiting CPU time (e.g. max_input_time in
PHP, CGITimeout in IIS, etc.)
Limiting maximum POST size (e.g.
post_max_size in PHP,
suhosin.post.max_value_length in Suhosin
hardened PHP, maxAllowedContentLength in
ASP.NET, etc.)
Limiting maximum number of HTTP request
parameters (e.g. suhosin.request.max_vars
in Suhosin hardened PHP,
org.apache.tomcat.util.http.Parameters.M
AX_COUNT in Tomcat, etc.)

Questions?

Hash DoS Attack

More Related Content

What's hot

Similar to Hash DoS Attack

More from Miroslav Stampar

Recently uploaded

Hash DoS Attack