Hash-Flooding Dos Reloaded
Total Page:16
File Type:pdf, Size:1020Kb
Hash-flooding DoS reloaded: Hash flooding begins? attacks and defenses July 1998 article Jean-Philippe Aumasson, “Designing and attacking Kudelski Security (NAGRA) port scan detection tools” by Solar Designer (Alexander D. J. Bernstein, Peslyak) in Phrack Magazine: University of Illinois at Chicago & Technische Universiteit Eindhoven “In scanlogd, I’m using a hash table to lookup source addresses. Martin Boßlet, This works very well for the Ruby Core Team typical case ::: average lookup time is better than that of a binary search. ::: Hash-flooding DoS reloaded: Hash flooding begins? However, an attacker can attacks and defenses choose her addresses (most July 1998 article likely spoofed) to cause hash Jean-Philippe Aumasson, “Designing and attacking collisions, effectively replacing the Kudelski Security (NAGRA) port scan detection tools” hash table lookup with a linear by Solar Designer (Alexander D. J. Bernstein, search. Depending on how many Peslyak) in Phrack Magazine: University of Illinois at Chicago & entries we keep, this might make Technische Universiteit Eindhoven “In scanlogd, I’m using a hash scanlogd not be able to pick table to lookup source addresses. ::: Martin Boßlet, new packets up in time. I’ve This works very well for the Ruby Core Team solved this problem by limiting typical case ::: average lookup the number of hash collisions, and time is better than that of a discarding the oldest entry with binary search. ::: the same hash value when the limit is reached. Hash-flooding DoS reloaded: Hash flooding begins? However, an attacker can attacks and defenses choose her addresses (most July 1998 article likely spoofed) to cause hash Jean-Philippe Aumasson, “Designing and attacking collisions, effectively replacing the Kudelski Security (NAGRA) port scan detection tools” hash table lookup with a linear by Solar Designer (Alexander D. J. Bernstein, search. Depending on how many Peslyak) in Phrack Magazine: University of Illinois at Chicago & entries we keep, this might make Technische Universiteit Eindhoven “In scanlogd, I’m using a hash scanlogd not be able to pick table to lookup source addresses. ::: Martin Boßlet, new packets up in time. I’ve This works very well for the Ruby Core Team solved this problem by limiting typical case ::: average lookup the number of hash collisions, and time is better than that of a discarding the oldest entry with binary search. ::: the same hash value when the limit is reached. Hash-flooding DoS reloaded: Hash flooding begins? However, an attacker can attacks and defenses choose her addresses (most July 1998 article likely spoofed) to cause hash Jean-Philippe Aumasson, “Designing and attacking collisions, effectively replacing the Kudelski Security (NAGRA) port scan detection tools” hash table lookup with a linear by Solar Designer (Alexander D. J. Bernstein, search. Depending on how many Peslyak) in Phrack Magazine: University of Illinois at Chicago & entries we keep, this might make Technische Universiteit Eindhoven “In scanlogd, I’m using a hash scanlogd not be able to pick table to lookup source addresses. ::: Martin Boßlet, new packets up in time. I’ve This works very well for the Ruby Core Team solved this problem by limiting typical case ::: average lookup the number of hash collisions, and time is better than that of a discarding the oldest entry with binary search. ::: the same hash value when the limit is reached. Hash flooding begins? However, an attacker can choose her addresses (most July 1998 article likely spoofed) to cause hash “Designing and attacking collisions, effectively replacing the port scan detection tools” hash table lookup with a linear by Solar Designer (Alexander search. Depending on how many Peslyak) in Phrack Magazine: entries we keep, this might make “In scanlogd, I’m using a hash scanlogd not be able to pick table to lookup source addresses. new packets up in time. ::: I’ve This works very well for the solved this problem by limiting typical case ::: average lookup the number of hash collisions, and time is better than that of a discarding the oldest entry with binary search. ::: the same hash value when the limit is reached. Hash flooding begins? However, an attacker can This is acceptable for port scans choose her addresses (most (remember, we can’t detect July 1998 article likely spoofed) to cause hash all scans anyway), but might “Designing and attacking collisions, effectively replacing the not be acceptable for detecting port scan detection tools” hash table lookup with a linear other attacks. ::: It is probably by Solar Designer (Alexander search. Depending on how many worth mentioning that similar Peslyak) in Phrack Magazine: entries we keep, this might make issues also apply to things like “In scanlogd, I’m using a hash scanlogd not be able to pick operating system kernels. For table to lookup source addresses. new packets up in time. ::: I’ve example, hash tables are widely This works very well for the solved this problem by limiting used there for looking up active typical case ::: average lookup the number of hash collisions, and connections, listening ports, etc. time is better than that of a discarding the oldest entry with There’re usually other limits binary search. ::: the same hash value when the which make these not really limit is reached. dangerous though, but more research might be needed.” Hash flooding begins? However, an attacker can This is acceptable for port scans choose her addresses (most (remember, we can’t detect July 1998 article likely spoofed) to cause hash all scans anyway), but might “Designing and attacking collisions, effectively replacing the not be acceptable for detecting port scan detection tools” hash table lookup with a linear other attacks. ::: It is probably by Solar Designer (Alexander search. Depending on how many worth mentioning that similar Peslyak) in Phrack Magazine: entries we keep, this might make issues also apply to things like “In scanlogd, I’m using a hash scanlogd not be able to pick operating system kernels. For table to lookup source addresses. new packets up in time. ::: I’ve example, hash tables are widely This works very well for the solved this problem by limiting used there for looking up active typical case ::: average lookup the number of hash collisions, and connections, listening ports, etc. time is better than that of a discarding the oldest entry with There’re usually other limits binary search. ::: the same hash value when the which make these not really limit is reached. dangerous though, but more research might be needed.” Hash flooding begins? However, an attacker can This is acceptable for port scans choose her addresses (most (remember, we can’t detect July 1998 article likely spoofed) to cause hash all scans anyway), but might “Designing and attacking collisions, effectively replacing the not be acceptable for detecting port scan detection tools” hash table lookup with a linear other attacks. ::: It is probably by Solar Designer (Alexander search. Depending on how many worth mentioning that similar Peslyak) in Phrack Magazine: entries we keep, this might make issues also apply to things like “In scanlogd, I’m using a hash scanlogd not be able to pick operating system kernels. For table to lookup source addresses. new packets up in time. ::: I’ve example, hash tables are widely This works very well for the solved this problem by limiting used there for looking up active typical case ::: average lookup the number of hash collisions, and connections, listening ports, etc. time is better than that of a discarding the oldest entry with There’re usually other limits binary search. ::: the same hash value when the which make these not really limit is reached. dangerous though, but more research might be needed.” However, an attacker can This is acceptable for port scans choose her addresses (most (remember, we can’t detect likely spoofed) to cause hash all scans anyway), but might collisions, effectively replacing the not be acceptable for detecting hash table lookup with a linear other attacks. ::: It is probably search. Depending on how many worth mentioning that similar entries we keep, this might make issues also apply to things like scanlogd not be able to pick operating system kernels. For new packets up in time. ::: I’ve example, hash tables are widely solved this problem by limiting used there for looking up active the number of hash collisions, and connections, listening ports, etc. discarding the oldest entry with There’re usually other limits the same hash value when the which make these not really limit is reached. dangerous though, but more research might be needed.” However, an attacker can This is acceptable for port scans Review of classic hash tables choose her addresses (most (remember, we can’t detect Choose ` 2 f1; 2; 4; 8; 16;:::g. likely spoofed) to cause hash all scans anyway), but might collisions, effectively replacing the not be acceptable for detecting Hash table: ` separate linked lists. hash table lookup with a linear other attacks. ::: It is probably Store string s in list #i search. Depending on how many worth mentioning that similar where i = H(s) mod `. entries we keep, this might make issues also apply to things like With n entries in table, scanlogd not be able to pick operating system kernels. For expect n=` entries ::: new packets up in time. I’ve example, hash tables are widely in each linked list. solved this problem by limiting used there for looking up active Choose ` n: the number of hash collisions, and connections, listening ports, etc. expect very short linked lists, discarding the oldest entry with There’re usually other limits so very fast list operations. the same hash value when the which make these not really n limit is reached. dangerous though, but (What if becomes too big? ` ` more research might be needed.” Rehash: replace by 2 .) However, an attacker can This is acceptable for port scans Review of classic hash tables choose her addresses (most (remember, we can’t detect Choose ` 2 f1; 2; 4; 8; 16;:::g.