An Advanced DoS Attack: the Hash Collision Attack (dos-hash collision)
Original article link
This is the first attack technique that has genuinely worried me. It is hard to defend against across a wide range of targets, its effect is immediate, and a large number of websites and Web interfaces have no defense against Hash collision attacks at all.
With the spread of RESTful APIs, programmers use json as the data transmission format by default. The json format has low redundancy and high compatibility; it has been widely adopted since it was proposed and has become a Web standard. Whatever language we use on the server side, once we receive data in json format we need to call jsonDecode() to turn the json string into a json object, and that object is stored in a Hash Table by default. Hash tables, however, are vulnerable to collision attacks. I only need to put the attack data into the json body, and the server program will inevitably be hit when it runs jsonDecode(): once hit, the CPU immediately rises to 100%. On a 16-core CPU, 16 requests are enough to achieve DoS.
All the tests were run on a Mac Pro. To keep the test manageable, I only constructed 65536 json key-value pairs; when launching an actual attack, hundreds of thousands or even millions of pairs can be constructed.
Several Simple demos
Attack data, which I have converted to json format
I. JavaScript Testing
// You only need one line of code to see the result
var jsonSrc = 'input json data here ';  // paste the 65536-key json string here
var obj = JSON.parse(jsonSrc);           // the decode step that builds the hash table
We only need to enter one line of code in js to see the effect. The normal data and the Hash attack data are both 65536 key-value pairs. My local test results are as follows:
The task manager provided by Chrome shows that the CPU immediately rises to 100%, and the decode takes nearly one minute to complete, whereas the normal data is processed in milliseconds.
II. PHP Testing
<?php
// Fetch and decode the normal data, timing the decode
$json = file_get_contents("https://raw.githubusercontent.com/laynefyc/php_thread_demo/master/hashNomal.json");
$startTime = microtime(true);
$arr = json_decode($json, true);
$endTime = microtime(true);
echo "Nomal:" . ($endTime - $startTime) . "\r\n";

// Fetch and decode the attack data, timing the decode
$json = file_get_contents("https://raw.githubusercontent.com/laynefyc/php_thread_demo/master/hash.json");
$startTime = microtime(true);
$arr = json_decode($json, true);
$endTime = microtime(true);
echo "Attack:" . ($endTime - $startTime) . "\r\n";
In PHP we use file_get_contents to fetch the data remotely and compare the running times. The difference is more than 10 seconds, and a single php-fpm process occupies 100% of the CPU.
III. Java Testing
import java.io.BufferedReader;
import java.io.FileReader;
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import net.sf.json.JSONObject; // json-lib

public String index() {
    String jsonStr = "";
    try {
        FileReader fr = new FileReader("t.log"); // path of the file holding the json
        BufferedReader br = new BufferedReader(fr);
        jsonStr = br.readLine();
        br.close();
        fr.close(); // close the file streams
    } catch (IOException e) {
        System.out.println("the specified file does not exist"); // handle the exception
    }
    Map<String, Object> map = new HashMap<String, Object>();
    map = JSONObject.fromObject(jsonStr); // the decode step that builds the hash table
    return "Hash Collision ~ ";
}
In Java we test by reading the data from a file. Java's Hash algorithm differs slightly from PHP's and JavaScript's, but the idea is the same. Here too we constructed 60 thousand lines of simple data. In the Spring Boot framework, the browser initiates a request and the result is returned 26 seconds later; during this period the CPU is fully occupied.
IV. Other languages are still under study...
HashTable is a common data structure, covered in any course on data structures and algorithms, so Hash Collision is a general problem: each language's implementation differs only slightly in the hash algorithm and the table storage.
To verify that the Hash collision attack also works against Java, I spent the whole Dragon Boat Festival holiday reading articles on Java's HashTable and finally managed to generate attack data. The process was not simple, and it confirmed the idea that all high-level things ultimately decompose into basic data-structure knowledge.
How to attack
In the PHP 5.2 days, a few years ago, all the Hash keys could be put in the Body of a POST request, for example:
https://www.test.com/create-account
Post Data: k1=0&k2=0&k3=0...k999998=0&k999999=0
After the server receives the data, it stores all the parameters in a Hash Table ($_POST), which makes the attack easy. This method no longer works, because the number and size of HTTP request parameters can easily be limited at the Nginx and PHP layers; by default, PHP only allows 1000 parameters, and that magnitude has no impact on the server.
Now, in 2017, json-format interfaces in the RESTful style are very popular. While they make coding convenient for us, they also provide a new vector for Hash Collision DoS. Many RESTful APIs look like this:
https://www.test.com/v1
Data: {"action":"create-account","data":""}
The interface above puts the attack data directly into the data parameter. After the server receives it, jsonDecode() will certainly be executed, which conveniently achieves the attacker's goal.
How to defend
There are already many mature industry solutions for defending against Hash Collision DoS attacks. However, we recommend changing your language or rewriting HashTable; here we only discuss the current json parsing problem. First, add permission verification before jsonDecode so that unauthorized users are rejected. Second, verify the data size and a parameter whitelist before jsonDecode. If the cost of transforming and maintaining an old project is high, we recommend rewriting the jsonDecode() method yourself.
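To make the second defense concrete (checking the data size and a parameter whitelist before jsonDecode), here is an added example in Node.js; it is not code from the original post. It assumes an endpoint with the {"action","data"} request shape shown above, and the limits (64 KiB, 1000 members at any depth, the allowed top-level keys) are assumptions for illustration. The guard works on the raw body text in a single pass with no hashing, so the attacker's keys never reach a hash table unless the body passes every check; the 1000-member limit is the same order of magnitude as the default PHP parameter limit mentioned above.

```javascript
'use strict';

// Added example, not code from the original post. A guard that inspects the raw
// request body text BEFORE JSON.parse builds any hash table from its keys.
// Limits and the allowed top-level keys are assumptions for illustration;
// 'action' and 'data' follow the API shape shown in the post.
const LIMITS = {
  maxBytes: 64 * 1024,                     // assumed: reject bodies over 64 KiB
  maxMembers: 1000,                        // assumed: total object members at any depth
  allowedTopLevelKeys: ['action', 'data'], // assumed allowlist for this endpoint
};

// One O(n) pass over the text, with no hashing. It is string-aware (tracks
// "..." and backslash escapes) so a ':' inside a string value is not counted.
// Returns the number of object members seen and the raw top-level key names.
function scanJson(text) {
  let depth = 0;
  let members = 0;
  let inString = false;
  let stringStart = -1;
  const topLevelKeys = [];
  let i = 0;
  while (i < text.length) {
    const c = text[i];
    if (inString) {
      if (c === '\\') { i += 2; continue; }        // skip the escaped character
      if (c === '"') {
        inString = false;
        if (depth === 1) {
          // A string at depth 1 followed by ':' is a key of the top-level object.
          let j = i + 1;
          while (j < text.length && /\s/.test(text[j])) j++;
          if (text[j] === ':') topLevelKeys.push(text.slice(stringStart + 1, i));
        }
      }
      i++;
      continue;
    }
    if (c === '"') { inString = true; stringStart = i; }
    else if (c === '{' || c === '[') depth++;
    else if (c === '}' || c === ']') depth--;
    else if (c === ':') members++;                 // every object member has exactly one ':'
    i++;
  }
  return { members, topLevelKeys };
}

// Applies the checks in order (size, member count, allowlist) and only then
// calls JSON.parse. The parse is timed so a slow decode can be logged or alerted on.
function safeJsonDecode(body, limits = LIMITS) {
  if (Buffer.byteLength(body, 'utf8') > limits.maxBytes) {
    return { ok: false, reason: 'body too large' };
  }
  const { members, topLevelKeys } = scanJson(body);
  if (members > limits.maxMembers) {
    return { ok: false, reason: 'too many members: ' + members };
  }
  const unknown = topLevelKeys.filter((k) => !limits.allowedTopLevelKeys.includes(k));
  if (unknown.length > 0) {
    return { ok: false, reason: 'unknown top-level key: ' + unknown[0] };
  }
  const t0 = process.hrtime.bigint();
  let value;
  try {
    value = JSON.parse(body);
  } catch (e) {
    return { ok: false, reason: 'malformed json' };
  }
  const parseMs = Number(process.hrtime.bigint() - t0) / 1e6;
  return { ok: true, value, parseMs };
}

// Constructed sample bodies (not the post's attack data). The flood body has
// 5000 ordinary keys: the guard does not need to know which keys would collide,
// it rejects on the member count alone.
const normalBody = JSON.stringify({ action: 'create-account', data: { name: 'alice' } });
const floodBody = (() => {
  const data = {};
  for (let i = 0; i < 5000; i++) data['k' + i] = 0;
  return JSON.stringify({ action: 'create-account', data });
})();
const extraKeyBody = JSON.stringify({ action: 'create-account', data: {}, extra: 1 });

for (const body of [normalBody, floodBody, extraKeyBody]) {
  const r = safeJsonDecode(body);
  console.log(r.ok ? 'accepted, parsed in ' + r.parseMs.toFixed(3) + ' ms' : 'rejected: ' + r.reason);
}
```

The allowlist compares the raw key text between the quotes, so a key written with escape sequences simply fails to match; the member count covers nested objects as well, which matters because the attack payload in the post is nested under the data parameter. Permission verification, the first defense mentioned above, should run before this guard so that the scan itself is only spent on authenticated callers.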
To be continued
After writing all this, the most interesting part is how to generate the attack data; I will write that part up in detail later. Finally, can Golang and Python escape the Hash Collision DoS test? Coming soon.