This is by far the first attack method that has made me feel scared: it affects a wide range of systems, it is difficult to defend against, and its effect is immediate. A large number of websites and web interfaces have no defense against hash collision attacks, so almost any one you pick is affected.
With the popularity of RESTful interfaces, programmers use JSON as the default way to pass data. JSON has little redundancy and high compatibility, has been widely used ever since it was proposed, and can be said to have become a web standard. No matter what language runs on the server, after receiving data in JSON format we have to call jsondecode() to convert the JSON string into a JSON object. That object is stored in a hash table by default, and a hash table can easily be attacked with collisions. As long as the attack data is placed in the JSON and the server program calls jsondecode(), the CPU immediately soars to 100%. On a 16-core CPU, 16 requests are enough to achieve a DoS.
All of the test programs were run on a Mac Pro, so I built only 65,536 JSON key-value pairs for testing purposes; a real attack could construct hundreds of thousands or even millions of entries.
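Why colliding keys are so expensive can be shown by counting key comparisons during insertion. The following is an added example, not code from the original article: `polyHash`, `ChainedTable`, `insertCost` and the constant hash `allCollide` (which models keys that all land in one bucket) are illustrative assumptions, not any language runtime's real implementation.

```javascript
// Added illustration. polyHash is a toy string hash, not any runtime's real one.
function polyHash(key) {
  let h = 0;
  for (let i = 0; i < key.length; i++) h = (h * 31 + key.charCodeAt(i)) >>> 0;
  return h;
}

// Separate-chaining hash table that counts how many key comparisons it performs.
class ChainedTable {
  constructor(bucketCount, hashFn) {
    this.buckets = Array.from({ length: bucketCount }, () => []);
    this.hashFn = hashFn;
    this.comparisons = 0;
  }
  set(key, value) {
    const chain = this.buckets[this.hashFn(key) % this.buckets.length];
    for (const entry of chain) {
      this.comparisons++;                 // each entry already in the chain is compared
      if (entry.key === key) { entry.value = value; return; }
    }
    chain.push({ key, value });
  }
}

// Insert every key once and return the total number of comparisons.
function insertCost(keys, bucketCount, hashFn) {
  const table = new ChainedTable(bucketCount, hashFn);
  for (const key of keys) table.set(key, 0);
  return table.comparisons;
}

// Constructed sample keys "k0".."k1999".
const sampleKeys = Array.from({ length: 2000 }, (_, i) => 'k' + i);
// Models the worst case: every key falls into the same bucket.
const allCollide = () => 0;

console.log('spread keys   :', insertCost(sampleKeys, 4096, polyHash));
console.log('one-bucket run:', insertCost(sampleKeys, 4096, allCollide));
```

With every key in one bucket, inserting n keys costs n(n-1)/2 comparisons; for the 65,536 pairs used in the tests here that is 2,147,450,880 comparisons for a single decode.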
A few simple demos
I have converted the attack data to JSON format:
The JSON data used to attack
Normal JSON data
Hash attack data used to attack Java
One. JavaScript test
// Only one line of code is needed to see the effect
var jsonSrc = '这里输入json数据'; // placeholder: enter the JSON data here
In JS we only need to enter one line of code to see the effect. The normal data and the hash attack data both consist of 65,536 key-value pairs. The results of my local test are as follows:
In Chrome's Task Manager you can see the CPU immediately go up to 100%, and it takes almost 1 minute to complete, while the normal data is processed in milliseconds.
Two. PHP Testing
<?php
// Decode the normal data and time it
$json = file_get_contents("https://raw.githubusercontent.com/laynefyc/php_thread_demo/master/hashNomal.json");
$startTime = microtime(true);
$arr = json_decode($json, true);
$endTime = microtime(true);
echo "Nomal:" . ($endTime - $startTime) . "\r\n";

// Decode the hash collision data and time it
$json = file_get_contents("https://raw.githubusercontent.com/laynefyc/php_thread_demo/master/hash.json");
$startTime = microtime(true);
$arr = json_decode($json, true);
$endTime = microtime(true);
echo "Attack:" . ($endTime - $startTime) . "\r\n";
In PHP we fetch the data remotely with file_get_contents and compare the running times: the difference is more than 10 seconds, and a single PHP-FPM process consumes 100% of the CPU.
Three. Java Testing
public String index() {
    String jsonStr = "";
    try {
        FileReader fr = new FileReader("t.log"); // path of the file to read
        BufferedReader br = new BufferedReader(fr);
        jsonStr = br.readLine();
        br.close();
        fr.close(); // close the file streams
    } catch (IOException e) {
        System.out.println("指定文件不存在"); // handle the exception (message: the specified file does not exist)
    }
    Map<String, Object> map = new HashMap<String, Object>();
    map = JSONObject.fromObject(jsonStr); // decoding the JSON is where the collisions take effect
    return "Hash Collision ~";
}
In Java we run the test by reading the data from a file. Java's hash algorithm is slightly different from those of PHP and JavaScript, but similar, and we again constructed 60,000 rows of simple data. Under the Spring Boot framework, a request initiated from a browser returns its result after 26 seconds, with the CPU fully loaded.
Four. Other languages are still under study ...
The hash table is a very general data structure, and data structures and algorithms courses devote a dedicated lesson to it. Hash collisions are therefore ubiquitous; the language implementations differ only subtly in the hash algorithm and in how the table is stored.
To verify that the hash collision attack also works against Java, I spent my entire Dragon Boat Festival holiday reading articles about Java's Hashtable, and with some effort I finally succeeded in generating the attack data. The process is very simple, which also confirms the idea that all sophisticated things ultimately break down into basic data structure knowledge.
How to attack
A few years ago, when the PHP version was 5.2, we could put all the hash keys in the body of a POST request, such as:
https://www.test.com/create-account
POST data: k1=0&k2=0&k3=0...k999998=0&k999999=0
When the server receives the data, it stores all the parameters in a hash table ($_POST), so the attack could easily be carried out this way. That no longer works, because it is easy to limit the number and size of HTTP request parameters at the NGINX layer and the PHP layer. PHP allows only 1000 parameters by default, and at that magnitude there is no effect on the server at all.
It is now 2017, and the JSON format and RESTful interfaces are already very popular. They make coding convenient, but they also open a new avenue for hash collision DoS. Many RESTful-style interfaces now look like this:
https://www.test.com/v1
Data: {"action": "create-account", "data": ""}
With an interface like the one above, the attack data is placed directly in the data parameter. The server will certainly call jsondecode() after receiving the request, so the purpose of the attack is easily achieved.
How to Defend
To defend against hash collision DoS attacks, there are already many mature solutions in the industry, but the recommendation is to change the language or rewrite the hash table. Only the current JSON parsing problem is addressed here. First, add authorization checks so that, as far as possible, illegitimate users are rejected before jsondecode() is called. Second, validate the data size and check the parameters against a whitelist before jsondecode(). If the cost of renovating and maintaining an old project is high, it is recommended that you rewrite the jsondecode() method yourself.
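One way to apply these checks before decoding, as an added example that is not code from the original article: the limits `MAX_BYTES` and `MAX_MEMBERS`, the whitelist `ALLOWED_KEYS` (taken from the `action`/`data` request shape shown earlier) and the function names `scanJson` and `safeJsonDecode` are assumptions. The scan counts object members in the raw text, so an oversized key set is rejected before any hash table is built.

```javascript
// Added example; MAX_BYTES, MAX_MEMBERS and ALLOWED_KEYS are assumed values.
const MAX_BYTES = 64 * 1024;
const MAX_MEMBERS = 1000;
const ALLOWED_KEYS = new Set(['action', 'data']);

// Scan the raw text once, without building any object or hash table.
// Returns the number of object members at any depth and the raw top-level keys.
function scanJson(text) {
  let depth = 0, members = 0, last = '', start = -1;
  const topKeys = [];
  for (let i = 0; i < text.length; i++) {
    const ch = text[i];
    if (start >= 0) {                        // inside a string literal
      if (ch === '\\') i++;                  // skip the escaped character
      else if (ch === '"') { last = text.slice(start, i); start = -1; }
    } else if (ch === '"') start = i + 1;
    else if (ch === '{' || ch === '[') depth++;
    else if (ch === '}' || ch === ']') depth--;
    else if (ch === ':') {                   // a colon outside a string follows a key
      members++;
      if (depth === 1) topKeys.push(last);
    }
  }
  return { members, topKeys };
}

// Checks run cheapest-first; JSON.parse is reached only by bounded input.
function safeJsonDecode(body, authorized) {
  if (!authorized) return { ok: false, reason: 'unauthorized' };
  if (new TextEncoder().encode(body).length > MAX_BYTES)
    return { ok: false, reason: 'too large' };
  const { members, topKeys } = scanJson(body);
  if (members > MAX_MEMBERS) return { ok: false, reason: 'too many members' };
  if (topKeys.some((k) => !ALLOWED_KEYS.has(k)))
    return { ok: false, reason: 'unexpected key' };
  try {
    const value = JSON.parse(body);
    if (value === null || typeof value !== 'object' || Array.isArray(value))
      return { ok: false, reason: 'expected object' };
    return { ok: true, value };
  } catch (e) {
    return { ok: false, reason: 'invalid json' };
  }
}
```

Keys written with escape sequences do not match the whitelist and are rejected, which is the conservative outcome.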
To be continued
Having written so much, the most fun part is how to generate the attack data. I will write about that part in detail next. Finally, can Golang and Python withstand the hash collision DoS test? Stay tuned.
For more related articles, please visit my blog. Original link: A high-level DoS attack: hash collision attack