Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Hash Table Bug Enables Wide-Scale DDoS Attacks

wiredmikey (1824622) writes | more than 2 years ago

Network 2

wiredmikey (1824622) writes "Several vendors are working to resolve a hash collision vulnerability, which if exploited can trigger a denial-of-service condition on multiple platforms.

Hash tables are a commonly used data structure in most programming languages. Web application servers or platforms commonly parse attacker-controlled POST form data into hash tables automatically, so that they can be accessed by application developers.

The vulnerability has been discovered to impact PHP 5, Java, .NET, and Google’s v8, while PHP 4, Ruby, and Python are somewhat vulnerable.

At issue is the POST function, which can be perverted to trigger the DDoS, if targeted on a massive scale, or DoS if targeted from a single source.
According to n.runs AG, the research firm who discovered the issue, Any website running one of the above technologies which provides the option to perform a POST request is vulnerable to very effective DoS attacks.

As the attack is just a POST request, it could also be triggered from within a (third-party) website. This means that a cross-site-scripting vulnerability on a popular website could lead to a very effective DDoS attack.

The Ruby security team has addressed the issue, as well as Tomcat. Oracle says nothing needs to be done, and Microsoft has issued an advisory on the problems within ASP.NET."

Link to Original Source

cancel ×

2 comments

Sorry! There are no comments related to the filter you selected.

So what? (0)

Anonymous Coward | more than 2 years ago | (#38522526)

From Wikipedia: "most hash table designs assume that hash collisions—different keys that map to the same hash value—will occur and must be accommodated in some way", so from what I can tell the attacker barrages the target with a page chock full of identical POST fields. Erm... is is just me or is this rather unremarkable? So maybe each request takes a fraction of a second longer than otherwise because of identical POST fields, but wouldn't this only be a problem if you were being attacked from a million different sources? in which case how is it any different to an ordinary dos attack? servers with enough traffic that this would be a problem would surely trigger anti-ddos measures after the first 10,000 hits or so from the same ip address (you can do with with iptables or probably one of those fancy expensive cisco load balancing firewall thingys). if php can build more effective dos prevention into their framework, i'm all for it, but i must admit i don't really see what all the hype is about. the possibility of a denial of service attack is a natural part of planning any hosting platform exposed to the big bad interweb... in the same bucket as being hacked. you hope for the best, plan for the worst.

Re:So what? (1)

wiredmikey (1824622) | more than 2 years ago | (#38522572)

It's different because a single system can essentially conduct a successful DoS attack. The POST function can be perverted to trigger the DDoS, if targeted on a massive scale, or DoS if targeted from a single source.

From the article:

“This isn’t your average DoS attack because it doesn’t take a botnet or a lot of coordination to take a web server down. Most DoS attacks rely on a huge number of small requests targeted at a specific web server to overwhelm it. In this case, a single request can consume a single core for 90 seconds. Queue up a few of these requests every few minutes and the site will be essentially knocked offline.”

Check for New Comments
Slashdot Login

Need an Account?

Forgot your password?