Websites & apps at DoS risk

4/6/2012 2:49:14 PM

Description: DDoS Attacks

Hackers aemed with a single PC and a minimal broadband connection can ripple web servers, putting a huge number of websites and apps at risk. Gregg Keizer explains

Security researchers recently revealed a vulnerability in the handling of hash tablets by programming languages that puts sites and apps at risk of a denial of service (DoS) attack. Microsoft, whose ASP.Net programming language is one of several affected, quickly shipped an out of band update,designated ‘MS11-100’.

The problem exists in many of the web’s most popular app and site programming languages, including ASP.Net, PHP, Ruby, Java and V8 JavaScript, according to researchers Alex Klink and Julian Walde.

Klink and Walde traced the flaw to the handing of hash tables, a programming structure used to store and retrieve data.

Unless a language randomizes hash functions or takes into account ‘hash collisions’ (when multiple data generates the same hash), attackers can calculate the data that will trigger large numbers of collisions, then send that data as a simple http request. Because each collision chews up processing cycles on the targeted server, a hacker using relatively small attack packets could consume all the processing power of even well-equipped servers.

Microsoft confirmed that a single 100k http request sent to a server running ASP.Net could consume 100 percent of a CPU core for 90-110 seconds.

“An attacker could potentially repeatedly issue such requests, causing performance to degrade significantly enough to cause a DoS condition for even multi-core servers or clusters of servers,” company engineers Suha Can and Jonathan Ness said in a blog.

Klink and wale estimated that packets as small as 6k would keep a single core processor busy on a Java server.

The implications are significant for web apps and sites that run on those servers.

Small-scale attacks with huge impact

“An attacker with little resources can effectively take out a site fairly easily,” said Andrew Storms, director of security operations at nCircle Security. “No botnet is required to create havoc here.”

Microsoft’s rush to patch the flaw in ASP.Net hinted at the seriousness of the bug. Can and Ness said the firm “anticipates the imminent public release of exploit code”, and urged customers to apply the patch.

Other programming language developers have already offered fixes for their software. Ruby, for instance, has issued an update that includes a new randomized hash function, while PHP has shipped a release candidate for version 5.4.0.

Some, however, will take their time implementing a fix, said Klink and Walde.

Oracle told them there wasn’t anything to patch in Java itself, but said it would update the GlassFish Java server software with a future fix.

Klink and Walde credited another pair of researchers Scott Crosby and Dan Wallach for outlining the attack vector in 2003, and applauded the Perl programming language for patching its flaw then. Meanwhile, they chastised other vendors for not tackling the problem years ago.

“I’d have to agree that we all expected vendors to have fixed this by now,” said Storms. “On the other hand, there’s a lot of research out there and it’s not always possible to be on top of everything. It’s not as though this kind of attack has been ongoing in the wild since 2003 and everyone refused to fix it.”

Klink and Walde reported their research to the Open Source Computer Security Incident Response Team in September. The organization contacted the various vendors responsible for the affected languages.

The patch from Microsoft was its only out of band update in 2011 and Storms, who had only recently praised the company for not having to go out of band, noted that he had at the time issued a caveat. “I did say at the December Patch Tuesday that it had a few weeks to go before the year was over,” he said in an instant message.

Microsoft delivered MS11-100 via its usual Windows Update and Windows Server Update Service (WSUS) channels.

Top 10
Review : Sigma 24mm f/1.4 DG HSM Art
Review : Canon EF11-24mm f/4L USM
Review : Creative Sound Blaster Roar 2
Review : Philips Fidelio M2L
Review : Alienware 17 - Dell's Alienware laptops
Review Smartwatch : Wellograph
Review : Xiaomi Redmi 2
Extending LINQ to Objects : Writing a Single Element Operator (part 2) - Building the RandomElement Operator
Extending LINQ to Objects : Writing a Single Element Operator (part 1) - Building Our Own Last Operator
3 Tips for Maintaining Your Cell Phone Battery (part 2) - Discharge Smart, Use Smart
- First look: Apple Watch

- 3 Tips for Maintaining Your Cell Phone Battery (part 1)

- 3 Tips for Maintaining Your Cell Phone Battery (part 2)
- How to create your first Swimlane Diagram or Cross-Functional Flowchart Diagram by using Microsoft Visio 2010 (Part 1)

- How to create your first Swimlane Diagram or Cross-Functional Flowchart Diagram by using Microsoft Visio 2010 (Part 2)

- How to create your first Swimlane Diagram or Cross-Functional Flowchart Diagram by using Microsoft Visio 2010 (Part 3)
Popular Tags
Video Tutorail Microsoft Access Microsoft Excel Microsoft OneNote Microsoft PowerPoint Microsoft Project Microsoft Visio Microsoft Word Active Directory Exchange Server Sharepoint Sql Server Windows Server 2008 Windows Server 2012 Windows 7 Windows 8 Adobe Flash Professional Dreamweaver Adobe Illustrator Adobe Photoshop CorelDRAW X5 CorelDraw 10 windows Phone 7 windows Phone 8 Iphone
Visit movie_stars's profile on Pinterest.