Universal HTTP Denial-of-Service

About Hybrid
Creating web-business-logic security
Doing cool stuff in AI research
Optimizing acceptance rate for Web-bound transactions
Minimizing false rejects typical to signature-based solutions

How Would You Like Your Website? Slow or DEAD?
Slowloris abuses the handling of HTTP request headers, ssslooowly…
Written by RSnake
Iteratively injects one custom header at a time and goes to sleep
The web server vainly awaits the blank line that will never come
Stuck in phase I forever. Kinda like Tron
R-U-Dead-Yet? abuses HTTP web form fields
Iteratively injects one custom byte into a web application POST field and goes to sleep
Application threads become zombies awaiting the ends of POSTs till death lurks upon the website
Stuck in phase II forever. Kinda like Tron sequels

SlowLoris
According to HTTP RFC 2616:
Request = Request-Line
          *(( general-header
            | request-header
            | entity-header ) CRLF)
          CRLF
          [ message-body ]

GET HTTP/1.1
Host:
Connection: keep-alive
User-Agent: Mozilla/5.0
X-a: b

SlowLoris DEMO

SlowLoris Mitigation

Patching Apache
Use the Apache patch to moderate average timeout thresholds (link at end of presentation)

According to SpiderLabs: ModSecurity >=
Add directive: "SecReadStateLimit 5"
Then ModSecurity alerts like this:
[Mon Nov 22 17:44: ] [warn] ModSecurity: Access denied with code 400. Too many connections [6] of 5 allowed in READ state from Possible DoS Consumption Attack [Rejected]

R-U-D-Y
POST
Host: victim.com
Connection: keep-alive
Content-Length:
User-Agent: Mozilla/5.0
Cookie: __utmz=
username=AAAAAAAAAAAAAAAAAAAAAAAAA…
Vulnerability discovered by Tom Brennan and Wong Onn Chee:
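Slowloris and R-U-Dead-Yet exploit the same missing control: the server has no budget for how long phase I (reading the head) or phase II (reading the body) may take, so a client that delivers one header line or one body byte at a time holds a worker forever. The Python model below is an added example, not code from the presentation or from any tool it names. It gives each phase a deadline that starts at a fixed value and grows with the bytes actually delivered, capped at a maximum (the shape of Apache mod_reqtimeout's `RequestReadTimeout header=10-20,MinRate=500`), and replays constructed Slowloris, R-U-Dead-Yet and well-behaved traces through it with and without the budget. Host names, paths, timings and budget values in the traces are made up.

```python
from dataclasses import dataclass

CRLF = b"\r\n"

@dataclass
class ReadBudget:
    """Time one request phase may take: `timeout` seconds to start with, one
    more second per `min_rate` bytes delivered, never more than `max_timeout`
    (the shape of mod_reqtimeout's `header=10-20,MinRate=500`)."""
    timeout: float
    max_timeout: float
    min_rate: float          # 0 disables the rate credit

@dataclass
class Connection:
    header_budget: ReadBudget
    body_budget: ReadBudget
    opened_at: float
    buf: bytes = b""
    phase: str = "headers"   # headers -> body -> done
    phase_started: float = 0.0
    bytes_in_phase: int = 0
    content_length: int = 0

    def __post_init__(self):
        self.phase_started = self.opened_at

    def deadline(self):
        budget = self.header_budget if self.phase == "headers" else self.body_budget
        earned = self.bytes_in_phase / budget.min_rate if budget.min_rate else 0.0
        return self.phase_started + min(budget.max_timeout, budget.timeout + earned)

    def feed(self, now, chunk):
        """Consume one chunk. None: keep reading. 200: request complete.
        400: malformed head. 408: the phase's budget ran out before this chunk."""
        if self.phase == "done":
            return None
        if now > self.deadline():
            self.phase = "done"
            return 408
        self.buf += chunk
        self.bytes_in_phase += len(chunk)
        if self.phase == "headers":
            end = self.buf.find(CRLF + CRLF)
            if end < 0:
                return None          # the terminating blank line has not arrived
            head, self.buf = self.buf[:end], self.buf[end + 4:]
            status = self._parse_head(head)
            if status != 200 or self.content_length == 0:
                self.phase = "done"
                return status
            # Phase II begins; bytes already past the blank line count toward it.
            self.phase, self.phase_started = "body", now
            self.bytes_in_phase = len(self.buf)
        if len(self.buf) >= self.content_length:
            self.phase = "done"
            return 200
        return None

    def _parse_head(self, head):
        lines = head.split(CRLF)
        if len(lines[0].split(b" ")) != 3:   # Method SP Request-URI SP HTTP-Version
            return 400
        for line in lines[1:]:
            name, sep, value = line.partition(b":")
            if not sep:
                return 400
            if name.strip().lower() == b"content-length":
                try:
                    self.content_length = int(value.strip())
                except ValueError:
                    return 400
        return 200

def run(chunks, header_budget, body_budget):
    """Replay constructed (seconds, bytes) chunks through one connection.
    Returns (status, time) when the server decides, or (None, last_time)
    if the request is still pending when the trace ends."""
    conn = Connection(header_budget, body_budget, opened_at=chunks[0][0])
    for t, chunk in chunks:
        status = conn.feed(t, chunk)
        if status is not None:
            return status, t
    return None, chunks[-1][0]

# Constructed traces; host names, paths and timings are made up.
def slowloris_trace(n=6, interval=5.0):
    """Valid head that is never terminated: a bogus header every `interval` s."""
    head = b"GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Mozilla/5.0\r\n"
    return [(0.0, head)] + [(i * interval, b"X-a: b\r\n") for i in range(1, n)]

def rudy_trace(n=6, interval=10.0):
    """Complete head announcing a large form post, then one body byte per `interval` s."""
    head = b"POST /login HTTP/1.1\r\nHost: example.test\r\nContent-Length: 100000\r\n\r\n"
    return [(0.0, head)] + [(i * interval, b"A") for i in range(1, n)]

def honest_trace():
    """Ordinary client: head, then an 8 KiB body 300 ms later."""
    head = b"POST /login HTTP/1.1\r\nHost: example.test\r\nContent-Length: 8192\r\n\r\n"
    return [(0.0, head), (0.3, b"B" * 8192)]

HEADER_BUDGET = ReadBudget(timeout=10, max_timeout=20, min_rate=500)
BODY_BUDGET = ReadBudget(timeout=10, max_timeout=20, min_rate=500)
NO_LIMIT = ReadBudget(float("inf"), float("inf"), 0)   # a server with no read timeout

if __name__ == "__main__":
    for name, trace in [("slowloris", slowloris_trace()), ("rudy", rudy_trace()),
                        ("honest", honest_trace())]:
        print(name, "unlimited:", run(trace, NO_LIMIT, NO_LIMIT),
              "budgeted:", run(trace, HEADER_BUDGET, BODY_BUDGET))
```

With `NO_LIMIT` both attack traces end with the request still pending, which is the "stuck in phase I/II forever" state the slides describe; with the budget the Slowloris trace is answered 408 at 15 s and the R-U-Dead-Yet trace at 20 s, while the ordinary client completes at 0.3 s. The rate credit is what keeps a slow but honest client (a mobile link, a large upload) from being cut off at the bare timeout.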

R-U-D-Y DEMO

Waging War Upon SCADA

Stuxnet operated from within Iran's nuclear facilities to tamper with uranium-enrichment centrifuges
R-U-D-Y integrated with SHODAN's API could allow automatic location and disruption of Web-facing SCADA controllers from any anonymous location on Earth

R-U-D-Y Mitigation
Add directive: "RequestReadTimeout body=30"
Add a rule:
# Assumes the ip collection has been initialised earlier in the config, e.g.
# SecAction "phase:1,initcol:ip=%{REMOTE_ADDR},nolog,pass"
SecRule RESPONSE_STATUS "@streq 408" \
    "phase:5,t:none,nolog,pass,setvar:ip.slow_dos_counter=+1,expirevar:ip.slow_dos_counter=60"
SecRule IP:SLOW_DOS_COUNTER "@gt 5" \
    "phase:1,t:none,log,drop,msg:'Client Connection Dropped due to high # of slow DoS alerts'"
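The two SecRules above keep a per-client counter of 408 responses that expires 60 seconds after the last increment, and drop the client's next connection once the counter exceeds 5. The script below is an added example, not part of the presentation or of ModSecurity: it applies the same bookkeeping to Apache combined-format access-log lines so the logic can be checked offline before it is put on a production server. The phase ordering of the rules is preserved: the drop decision for a request is taken from the counter as it stood before that request, and a dropped request never reaches phase 5, so it does not increment the counter. The log lines, client addresses and timestamps are constructed.

```python
import re
from datetime import datetime, timedelta

# Apache combined-log prefix: client, ident, user, [timestamp], "request", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) ')

def parse_line(line):
    """Return (client_ip, datetime, status) or None for a line that does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, int(m["status"])

class SlowDosTracker:
    """Same bookkeeping as the two SecRules: ip.slow_dos_counter is incremented
    for every 408 a client earns and aged out `ttl` seconds after the last
    increment (expirevar); once it exceeds `threshold` the client's next
    request is dropped in phase 1."""

    def __init__(self, threshold=5, ttl=60):
        self.threshold = threshold
        self.ttl = timedelta(seconds=ttl)
        self._state = {}      # ip -> [count, expires_at]

    def count(self, ip, now):
        entry = self._state.get(ip)
        if entry is None or now > entry[1]:
            return 0          # never seen, or the variable has expired
        return entry[0]

    def observe(self, ip, now, status):
        """Phase-1 verdict for this request, then the phase-5 counter update."""
        if self.count(ip, now) > self.threshold:
            return "drop"     # connection dropped; the request is never served
        if status == 408:
            self._state[ip] = [self.count(ip, now) + 1, now + self.ttl]
        return "pass"

def replay(log_text, tracker=None):
    """Feed log lines in order; return [(ip, 'HH:MM:SS', verdict), ...]."""
    tracker = tracker or SlowDosTracker()
    verdicts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, status = parsed
        verdicts.append((ip, ts.strftime("%H:%M:%S"), tracker.observe(ip, ts, status)))
    return verdicts

def dropped_clients(log_text):
    return sorted({ip for ip, _, verdict in replay(log_text) if verdict == "drop"})

# Constructed log: 203.0.113.7 trickles seven posts that time out within a minute,
# 198.51.100.20 is a normal user with one genuine timeout, 203.0.113.9 times out
# twice but more than 60 s apart so its counter expires in between.
SAMPLE_LOG = """\
203.0.113.9 - - [22/Nov/2010:17:43:00 +0000] "POST /login HTTP/1.1" 408 0 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Nov/2010:17:44:01 +0000] "POST /login HTTP/1.1" 408 0 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Nov/2010:17:44:11 +0000] "POST /login HTTP/1.1" 408 0 "-" "Mozilla/5.0"
198.51.100.20 - - [22/Nov/2010:17:44:12 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Nov/2010:17:44:21 +0000] "POST /login HTTP/1.1" 408 0 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Nov/2010:17:44:31 +0000] "POST /login HTTP/1.1" 408 0 "-" "Mozilla/5.0"
198.51.100.20 - - [22/Nov/2010:17:44:35 +0000] "POST /login HTTP/1.1" 408 0 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Nov/2010:17:44:41 +0000] "POST /login HTTP/1.1" 408 0 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Nov/2010:17:44:51 +0000] "POST /login HTTP/1.1" 408 0 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Nov/2010:17:45:01 +0000] "POST /login HTTP/1.1" 408 0 "-" "Mozilla/5.0"
203.0.113.9 - - [22/Nov/2010:17:45:30 +0000] "POST /login HTTP/1.1" 408 0 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, when, verdict in replay(SAMPLE_LOG):
        print(when, ip, verdict)
    print("dropped:", dropped_clients(SAMPLE_LOG))
```

Only 203.0.113.7 is dropped, and only on its seventh request: the sixth 408 raises the counter to 6, and `@gt 5` is evaluated at the start of the next connection. The single timeout from the normal user and the two widely spaced timeouts from 203.0.113.9 never reach the threshold, which is the false-reject behaviour worth confirming before deploying the rule.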

Other (potential?) Attack Vectors
Complex structures such as: SOAP, JSON, REST
Encapsulated protocols such as: SIP, AJAX binary streams

Future Research
Use a protocol fuzzer such as PEACH or SPIKE to explore the entropy of HTTP RFC-compliant input
Use nested and/or broken data structures to detect server-side zombie behavior
"If we knew what it was we were doing, it would not be called research, would it?" (Albert Einstein)

Reference
SlowLoris:
Anti-SlowLoris Patch:
Mitigation with ModSecurity: topic-of-the-week-mitigating-slow-http-dos-attacks.html
R.U.D.Y:
Chapters In Web Security:

Thank You