Hash Collisions : Prepare for DoS @ its best

[Christy]

Here's the bottom line:

In this case, a single request (specially crafted, 100KB HTTP request) can consume a single core for 90-110 seconds.Queue up a few of these requests every few minutes and the site will be essentially knocked offline.
PHP 5, Java, ASP.NET as well as V8 are fully vulnerable to this issue and PHP 4, Python and Ruby are partially vulnerable, depending on version or whether the server running the code is a 32-bit or 64-bit machine.

If that caught your eye,Check out:

Authors Presentation and Analysis: http://events.ccc.de/congress/2011/F...s/4680.en.html

Video Demo:
http://mirror.fem-net.de/CCC/28C3/mp...forms_h264.mp4
Online localhost demo:
http://koto.github.com/blog-kotowicz-net-examples/hashcollision/kill.html
Scripts :
https://github.com/koto/blog-kotowic.../hashcollision
Advisories & Disclosure:
http://www.ocert.org/advisories/ocert-2011-003.html
http://permalink.gmane.org/gmane.comp.security.full-disclosure/83694
http://blogs.technet.com/b/srd/archive/2011/12/27/more-information-about-the-december-2011-asp-net-vulnerability.aspx
http://technet.microsoft.com/en-us/security/advisory/2659883

CounterMeasures:

1.) Limiting the number of different HTTP request parameters (PHP, Tomcat)
2.) Limiting HTTP POST and GET request lengths (Microsoft ASP.NET)

Pwn3D 8y 7Ru7H
Clink & Walde

[Raymond]

Thanks for the information.
I guess this is why DDoS mitigation service is so expensive.
They constantly need to update and tweak their filters to block DDoS and DoS attacks yet able to identify real traffic.

[Bearcat]

Thanks for the info Christy.

[INDRANIL]

Informative one, keep up the good share mate .