Universal

HTTP
Denial-of-Service

About Hybrid
Creating web-business-logic security
Doing cool stuff in AI research
Optimizing acceptance rate for Web-bound
transactions
Minimizing false rejects typical to signature-based
solutions

How Would You Like Your Website?

Slow or DEAD?

Slowloris abuses handling of

HTTP request headers ssslooowly
Written by RSnake
Iteratively injects one custom header at a
time and goes to sleep
Web server vainly awaits the
line space that will never come
Stuck in phase I forever. Kinda like Tron

R-U-Dead-Yet? abuses HTTP

web form fields
Iteratively injects one custom byte
into a web application post field
and goes to sleep
Application threads become
zombies awaiting ends of posts
till death lurks upon the website
Stuck in phase II forever.
Kinda like Tron sequels

SlowLoris
According to HTTP RFC 2616:
Request

= Request-Line
*(( general-header
| request-header
| entity-header ) CRLF)
CRLF
[ message-body ]

SlowLoris
GET http://www.google.com/ HTTP/1.1
Host: www.google.com
Connection: keep-alive
User-Agent: Mozilla/5.0
X-a: b
X-a: b
X-a: b
X-a: b
X-a: b

SlowLoris

DEMO

SlowLoris Mitigation

Patching Apache
Use Apache Patch
to moderate average timeout thresholds
(Link at end of presentation)

According to SpiderLabs:
ModSecurity >=2.5.13
Add directive: SecReadStateLimit 5
Then ModSecurity Alerts like this:
[Mon Nov 22 17:44:46 2010] [warn]
ModSecurity: Access denied with code 400.
Too many connections [6] of 5 allowed in READ
state from 211.144.112.20 Possible DoS Consumption Attack [Rejected]

R-U-D-Y
Vulnerability
POST
http://victim.com/
discovered by Tom Brennan
Host:Wong
and
victim.com
Onn Chee:
Connection:
keep-alive
http://www.owasp.org/images/4/43/Layer_7_DDOS.pdf
Content-Length: 1000000
User-Agent: Mozilla/5.0
Cookie: __utmz=181569312.1294666144.1.1
username=AAAAAAAAAAAAAAAAAAAAAAAAA

R-U-D-Y

DEMO

Waging War Upon SCADA

Waging War Upon SCADA

Stuxnet operated from within Irans nuclear
facilities to tamper with uranium-enrichment
centrifuges
R-U-D-Y integrated with SHODANs API
could allow automatic location and
disruption of Web-facing SCADA controllers
from any anonymous location on Earth

R-U-D-Y Mitigation
Add directive: RequestReadTimeout body=30
Add a rule:
SecRule RESPONSE_STATUS "@streq 408 \
"phase:5,t:none,nolog,pass, \
setvar:ip.slow_dos_counter=+1,expirevar:ip. \
slow_dos_counter=60"
SecRule IP:SLOW_DOS_COUNTER "@gt 5 \
"phase:1,t:none,log,drop, \
msg:'Client Connection Dropped due to high \
# of slow DoS alerts'"

Other (potential?) Attack Vectors

Complex structures such as: SOAP, JSON, REST
Encapsulated protocols such as: SIP, AJAX binary
streams

Future
Research
Use a protocol fuzzer such as
PEACH or SPIKE to explore the entropy of
HTTP RFC-compliant input
Use nested and/or broken data structures to
detect server-side zombie behavior
If we knew what it was we were doing,
it would not be called research, would it?
(Albert Einstein)

Reference
SlowLoris:
http://ha.ckers.org/slowloris/
Anti-SlowLoris Patch:
http://synflood.at/tmp/anti-slowloris.diff
Mitigation with ModSecurity:
http://blog.spiderlabs.com/2010/11/advancedtopic-of-the-week-mitigating-slow-http-dosattacks.html
R.U.D.Y:
http://hybridsec.com/tools/rudy/
Chapters In Web Security:
http://chaptersinwebsecurity.blogspot.com

Thank You
raviv@hybridsec.com