1. Universal HTTP Denial-of-Service

2. About Hybrid Creating web-business-logic security Doing cool stuff in AI research Optimizing acceptance rate for Web-bound transactions Minimizing false rejects typical to signature-based solutions

4. How Would You Like Your Website? Slow or DEAD? Slowloris abuses handling of HTTP request headers ssslooowly… Written by RSnake Iteratively injects one custom header at a time and goes to sleep Web server vainly awaits the line space that will never come  Stuck in phase I forever. Kinda like Tron R-U-Dead-Yet? abuses HTTP web form fields Iteratively injects one custom byte into a web application post field and goes to sleep Application threads become zombies awaiting ends of posts till death lurks upon the website Stuck in phase II forever. Kinda like Tron sequels

5. SlowLoris According to HTTP RFC 2616: Request = Request-Line *(( general-header | request-header | entity-header ) CRLF) CRLF [ message-body ]

6. GET http://www.google.com/ HTTP/1.1 Host: www.google.com Connection: keep-alive User-Agent: Mozilla/5.0 X-a: b

7. SlowLoris DEMO

8. SlowLoris Mitigation

9. Patching Apache Use Apache Patch to moderate average timeout thresholds (Link at end of presentation)

10. According to SpiderLabs: ModSecurity >=2.5.13 Add directive: “SecReadStateLimit 5” Then ModSecurity Alerts like this: “ [Mon Nov 22 17:44:46 2010] [warn] ModSecurity: Access denied with code 400. Too many connections [6] of 5 allowed in READ state from 211.144.112.20 - Possible DoS Consumption Attack [Rejected] ”

11. R-U-D-Y POST http://victim.com/ Host: victim.com Connection: keep-alive Content-Length: 1000000 User-Agent: Mozilla/5.0 Cookie: __utmz=181569312.1294666144.1.1 username=AAAAAAAAAAAAAAAAAAAAAAAAA… Vulnerability discovered by Tom Brennan and Wong Onn Chee: http://www.owasp.org/images/4/43/Layer_7_DDOS.pdf

12. R-U-D-Y DEMO

13. Waging War Upon SCADA

14. Stuxnet operated from within Iran’s nuclear facilities to tamper with uranium-enrichment centrifuges R-U-D-Y integrated with SHODAN’s API could allow automatic location and disruption of Web-facing SCADA controllers from any anonymous location on Earth

15. R-U-D-Y Mitigation Add directive: “RequestReadTimeout body=30” Add a rule: SecRule RESPONSE_STATUS "@streq 408“ \ "phase:5,t:none,nolog,pass, \ setvar:ip.slow_dos_counter=+1,expirevar:ip. \ slow_dos_counter=60" SecRule IP:SLOW_DOS_COUNTER "@gt 5“ \ "phase:1,t:none,log,drop, \ msg:'Client Connection Dropped due to high \ # of slow DoS alerts'"

16. Other (potential?) Attack Vectors Complex structures such as: SOAP, JSON, REST Encapsulated protocols such as: SIP, AJAX binary streams

17. Future Research Use a protocol fuzzer such as PEACH or SPIKE to explore the entropy of HTTP RFC-compliant input Use nested and/or broken data structures to detect server-side zombie behavior If we knew what it was we were doing, it would not be called research, would it? (Albert Einstein)

18. SlowLoris: http://ha.ckers.org/slowloris/ http://ha.ckers.org/slowloris/ Anti-SlowLoris Patch: http://synflood.at/tmp/anti-slowloris.diff http://synflood.at/tmp/anti-slowloris.diff Mitigation with ModSecurity: http://blog.spiderlabs.com/2010/11/advanced- topic-of-the-week-mitigating-slow-http-dos- attacks.html http://blog.spiderlabs.com/2010/11/advanced- topic-of-the-week-mitigating-slow-http-dos- attacks.html R.U.D.Y: http://hybridsec.com/tools/rudy/ http://hybridsec.com/tools/rudy/ Chapters In Web Security: http://chaptersinwebsecurity.blogspot.com http://chaptersinwebsecurity.blogspot.com Reference

19. raviv@hybridsec.com Thank You