
Slow read server vulnerabilities

Greetings.
I want to tell you about something I have been tinkering with in my spare time away from my work at Qualys, since there is surprisingly a lot of noise about the Slow Read DoS attack on the English-language Internet, and I am sure that here I will get plenty of useful criticism and practical suggestions.

In August 2011 I wrote a program called slowhttptest that tests web servers for vulnerabilities related to the handling of slow HTTP requests, such as Slowloris and slow HTTP POST. The goal was to create a configurable tool that makes developers' work easier and lets them concentrate on building effective defenses rather than on picking through the Python in which most proof-of-concept exploits are written.

Then I decided to see how servers react when clients read HTTP responses slowly. They react surprisingly badly: out-of-the-box Apache, nginx, lighttpd and IIS all stop serving requests.
The essence is this:

If you find a resource on a web server that is larger than the send buffer the kernel has allocated for the connection over which the server program sends that resource, and you then arrange for the kernel not to accept all of the data, the server will keep trying to send the remaining piece, occupying a slot in the limited-size connection queue, CPU time, memory, and the system administrator's free time. If you fill the entire queue with such connections, the server will accordingly start denying service to fast clients.

Making the kernel behave this way is quite simple and was described back in 2008 by the Outpost24 guys in their Sockstress method: for example, by advertising a TCP window size of 0, i.e. telling the server that the client has no room to receive data. The TCP design quite correctly assumes that it is the application, not the kernel, that has to police slow and dead connections. Nevertheless, for four years nobody lifted a finger.

Sockstress crafts packets by hand and calculates when to send the next acknowledgement so as not to reset the persist timer on the server; in short, it is complicated.
Even a student could implement my method:
Create a socket, set a relatively small receive buffer on the client, and send a completely ordinary, well-formed HTTP request for, say, a 100 KB image. The server takes the image from memory and hands it to the kernel to transmit over the network. The kernel sends a piece of the image; the client takes the first thousand bytes and says stop, there is no room. The server polls the socket, trying to find out when it will be ready for writing, but it never is. Once a minute the client reads a couple of bytes from its receive buffer so that its TCP stack advertises something other than zero, thereby creating the appearance of a live connection for firewalls and IDS.
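The point made above, that the application rather than the kernel has to police slow connections, as an added example that is neither slowhttptest code nor from the original post: a minimum-send-rate guard around a server's response write. A peer that nibbles a couple of bytes a minute to look alive still fails a policy of at least N bytes per interval, and the server closes the connection instead of letting it sit in the queue. The loopback fixture with small socket buffers is constructed to reproduce the stall locally; the threshold, interval and buffer sizes are illustrative assumptions.

```python
import select
import socket
import threading
import time

def send_with_min_rate(sock, data, min_bytes, interval):
    """Write data, demanding >= min_bytes of progress every interval seconds.
    The kernel only reports 'not writable' and waits forever on a zero window,
    so the application keeps score itself. Returns bytes sent or raises."""
    sock.setblocking(False)
    view, sent = memoryview(data), 0
    start, progress = time.monotonic(), 0
    while sent < len(view):
        try:
            n = sock.send(view[sent:])
        except BlockingIOError:  # send buffer full: the peer is not draining
            n = 0
        sent, progress = sent + n, progress + n
        now = time.monotonic()
        if now - start >= interval:
            if progress < min_bytes:
                raise TimeoutError(f"slow reader: {progress} bytes in {interval}s")
            start, progress = now, 0
        if n == 0:  # block until writable, but never past the interval deadline
            select.select([], [sock], [], max(interval - (now - start), 0))
    return sent

def serve(body, client_reads, bufsize=4096, min_bytes=1024, interval=0.25):
    """Constructed fixture (assumed buffer sizes): loopback TCP pair with small
    kernel buffers; client_reads=False models a client that never reads."""
    listener = socket.create_server(("127.0.0.1", 0))
    client = socket.socket()
    client.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, bufsize)
    client.connect(listener.getsockname())
    server, _ = listener.accept()
    listener.close()
    server.setsockopt(socket.SOL_SOCKET, socket.SO_SNDBUF, bufsize)
    reader = threading.Thread(target=client.makefile("rb").read)  # ordinary client
    if client_reads:
        reader.start()
    try:
        send_with_min_rate(server, body, min_bytes, interval)
        result = "completed"
    except TimeoutError:
        result = "closed"  # the application, not the kernel, ended the connection
    server.close()  # EOF lets the reader thread finish
    if client_reads:
        reader.join()
    client.close()
    return result
```

With the non-reading client the guard gives up after about two intervals, while a client that drains normally gets the whole body.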

That's all. Please don't kick me too hard: this is my first technical post in Russian, but as a Habr fan I didn't hesitate. A detailed description can be found here.
PS For the previous version of slowhttptest I wrote a wiki in Russian; if at least one soul is interested, I will translate it for the new version.

Update:
The ModSecurity team was quick to show in detail how to defend against this:
Denial of Service Attack: ModSecurity Advanced Topic of the Week
Update 2:
Semy pointed out build errors on BSD. Fixed in SVN.

Source: https://habr.com/ru/post/135817/
