"Reprint" Network Attack Technology (III)--denial of Service & hash Related & PHP language & Java language

Found the original of this series

Http://www.cnblogs.com/rush/archive/2012/02/05/2339037.html

Recently, network security has become a focal point, in addition to the security events of plaintext passwords in China, there is one more thing that affects the larger--hash collision DoS (Denial-of-service attacks through Hash collisions),
A malicious person will make your server run a huge slowdown through this security flaw, and what is the way to make the server incredibly slow? How do we protect against Dos attacks? This article will give a detailed introduction.

This one is more closely related to hash.

First, when a hash conflict occurs, we can resolve the conflict using a conflict resolution, and the primary hash conflict resolution is as follows:

Open Address method: Find position in the original hash space. Re-hash Chaining address method: Opens a new linked list to store new content. Create a public overflow zone

The difference between the above open address method and the link address method can be viewed http://blog.csdn.net/w_fenghui/article/details/2010387

Attention:

. NET is to use the first strategy to solve the hash conflict, which locates the collision data in other slots according to some principle.

PHP is used to store collisions with single-linked lists, so the average lookup complexity of PHP hash tables is O (l), where L is the average length of the bucket list, and the worst-case complexity is O (N), when all the data collide, and the hash table degenerate into a single-linked list. is a normal hash table in PHP and a degenerate hash table.

The hashing algorithm used by mainstream programming languages now is DJB (djbx33a), and the Namevaluecollection.gethashcode () method in. NET is to use the DJB algorithm. the core of the DJB algorithm is to calculate the hash value by multiplying the hash value (Key) by 33 (that is, by moving the 5 bits to the left, plus the hash value) , then let's take a look at the implementation of the DJB algorithm!

    UINT hash = 5381;    for (int i = 0; i < value. Length; i++)    {        //The value of (hash << 5) + hash) the same as         //The value of the hash *.        hash = ((hash << 5) + hash) + value[i];    }

Attacks against hashes:

Through the previous introduction. NET in the GetHashCode () method, now we have a preliminary understanding of the implementation of the algorithm,
The principle of hash conflict is to construct the data for the specific hashing algorithm, so that all the data collide.

Here we use a simple method to construct the conflict data-brute force method. (Low efficiency)

Due to the low efficiency of the brute force method, we use a more efficient method of meeting the collision (Meet-in-the-middle attack) or equivalent substring (equivalent substrings) to construct the conflicting data.

Equivalent substring:

When the hash value of the two string conflicts, for example: hash ("string1") =Hash ("string2"), then the string consisting of the two substrings in the same position also has a hash conflict, assuming that "EZ" and "FY" conflict in the hash function, then the string " Ezez "," Ezfy "," Fyez "," Fyfy "22 also clashed. Example: http://koto.github.io/blog-kotowicz-net-examples/hashcollision/kill.html

Midway encounter Attack:

Divided into two sections, first specify the front, and the final hash, and then construct the back. Actually, I don't know how to read it. The article has.

Summarize:

When sending a POST request, a large number of repeated hash post parameters, so that the opponent's hash algorithm always conflict, and then crash. The above is my understanding.

About why hash collisions can produce Dos attacks can be combined with the following article:

http://blog.jobbole.com/11516/

A hash table is a very efficient data structure, and many languages implement a hash table internally. A hash table in PHP is an extremely important data structure that is not only used to represent the array data type,
It is also used inside the Zend virtual machine to store contextual information (variables and functions that execute context are stored using the hash table structure). PHP Hash Table minimum capacity is 8 (2^3), the maximum capacity is 0x80000000 (2^31), and to 2 of the full number of power round (that is, the length will automatically expand to 2 of the whole power, such as 13 elements of the hash table length is 16;
1, which is closely related to the hashing algorithm, which is detailed later when discussing the hashing algorithm.

Zend Hashtable's hashing algorithm is exceptionally simple: HashKey = key & Ntablemask; If key is a string, the TIME33 algorithm is used first, then the integer type is processed. (The TIME33 algorithm is described earlier)

Basic attack

As mentioned above, the length of the Zend Hashtable ntablesize will be rounded to an integer power of 2, assuming we construct a 2^16 hash table,
The ntablesize binary representation is: 1 0000 0000 0000 0000, while ntablemask = ntablesize–1 is: 0 1111 1111 1111 1111.
Next, you can use 0 as the initial value, with 2^16 as the step size, to produce enough data, you can get the following speculation:0000 0000 0000 0000 0000 & 0 1111 1111 1111 1111 = 00001 0000 0000 00 XX 0000 & 0 1111 1111 1111 1111 = 00010 0000 0000 0000 0000 & 0 1111 1111 1111 1111 = 00011 0000 0000 0000 0000 &A mp 0 1111 1111 1111 1111 = 00100 0000 0000 0000 0000 & 0 1111 1111 1111 1111 = 0
In general terms, as long as the 16 bits are guaranteed to be 0, then the hash value after the mask is located is all colliding at position 0.

Example of an attack code:

<?  = POW (2, += Microtime (true= Array ();  for ($key = 0, $maxKey = ($size-1) * $size; $key <= $maxKey; $key + = $size )    {=0 = microtime (tr UE-$startTime, ' seconds ', ' \ n ';

The author says it took nearly 88 seconds to complete, and CPU resources were almost exhausted during this time.

The normal hash insertion, like Next, takes only 0.036 seconds.

<?  = POW (2, += Microtime (true= Array ();  for ($key = 0, $maxKey = ($size-1) * $size; $key <= $size; $key + 1) {    = 0= microtime (true-$startTime, ' seconds ', ' \ n ';

Post attack

In general, it is difficult to encounter situations where an attacker can directly modify the PHP code, but there are ways in which an attacker can indirectly construct a hash table to attack. For example, PHP constructs the data in the received HTTP POST request as $_post, which is an array that is internally represented by the Zend Hashtable , so that the attacker constructs a POST request that contains a large number of collision keys. will be able to achieve the purpose of the attack. Specific practices are no longer demonstrated.

Defense methods

Currently, the protection of PHP is to control the number of post data. In the >=php5.3.9 version, a configuration item max_input_vars was added to identify the maximum number of parameters to receive for an HTTP request at the default of 1000.

Another protection method is to handle at the Web server level, such as restricting the size of the HTTP request body and the number of parameters, which is now the most temporary processing scheme. Specific practices are related to different Web servers and are no longer detailed.

The above protection method only limits the number of post data, but not completely solve the problem. For example, if a post field is a JSON data type and is Phpjson_decode, it can be exploited to construct a large JSON attack data.

Theoretically, as long as the data in the PHP code that constructs an array is dependent on the external input, this problem can be caused, so a thorough solution is done from the implementation of the Zend bottom Hashtable.

In general there are two ways to limit the longest length of each bucket list, and the other is to use other data structures such as red and black trees instead of the linked list to organize collision hashes (not to solve the hash collision, but to mitigate the impact of the attack,
The operation time of N data is reduced from O (n^2) to O (Nlogn), at the cost of an O (LOGN) operation that is generally close to O (1).

Post data attacks are still the most used, so it is recommended that PHP for the production environment be upgraded or patched. As for fixing this problem from the data structure level, there is no news.

Other languages are vulnerable to this type of hash collision attack:

<= 1.6.5 (currently fix in 1.6.5.1<= 5.3.8, <= 5.4.0RC3 (currently fix in 5.3.9,  5.4<= 1.8.7-p356 (currently fix in 1 .8.7-p357, 1.9<= 5.5.34, <= 6.0.34, <= 7.0.22 (currently fix in 5.5.35,  6.0.35,  7.0.23<= 3.1.1<= 1.3.5, <= 1.2.4, <= 1.1.2 (currently fix in 1.4.0, 1.3.6, 1.2.5, 1.1.3) V8 JavaScript Engine, all versions of ASP. NET no hit MS11-100 patch

Java-related

The Hash algorithms used in these languages are " non-random ", such as Java and Oracle Use the Hash function:

static int hash (inth)

{

H ^= (H >>>) ^ (h >>> 12);

Return h ^ (H >>> 7) ^ (H >>> 4);

}

The so-called " non-random " Hash algorithm, you can guess. For example:

1) in Java, the two strings of AA and BB hash code (or hash key) is the same, that is, collision. 2) It is possible to generate more strings with the same hash key through the two seeds. such as: "AaAa", "AaBB", "Bbaa", "BBBB". This is the first iteration.
is actually a permutation combination, write a program to be done. 3) You can then construct a 8-length string with these 4-length strings. When attacking, you just need to make this data into an HTTP POST form, and then write an infinite loop of the program and keep submitting the form. it can be implemented with a browser.
Of course, if done more subtle, the form into a cross-site script, and then find some of the site's cross-site vulnerability, put up, so can cross the power of SNS can find n multiple users from different IP to attack a server.

To defend such an attack, there are several strokes:

Hit the patch, the hash algorithm changed.

Limit the number of post parameters and limit The length of post requests.

It is also best to have a firewall to detect exceptions for requests.

Nodejs also has a similar problem:

Use connect.limit to limit request-body-size, directly on the Connect.limit module to solve.

Protect against HTTP header attacks

The HTTP header of the request also causes a hash conflict, before the hash algorithm is fixed at the V8 level . You can Fix this problem with a simple http_patch.js :

if (this. __headercount__ >=) {    return;}

There are also insiders said:

There is no perfect solution at the moment.

"Reprint" Network Attack Technology (III)--denial of Service & hash Related & PHP language & Java language