28C3 Scariest Talk of the Day
We attended Effective Denial of Service attacks against web application platforms by Alexander “alech” Klink and Julian | zeri where they described a really, really easy to implement denial of service attack that exploits an artifact of hash checking which is computationally intensive when the hash table is filled with hash collisions. It is fairly easy to find 2-4 character hash collisions for a given hash functions (and there are only a few variations in use) and as hash operations are performed by default on all POST and POST-like functions, which take (by default) from 2-8MB of data, one can easily tie up a computers CPU effectively indefinitely.
The researchers tested the attack on most web languages in use (and all in common use – only Perl is deployed safe (since 2003) and Ruby 1.9 has a patch available. Every other OS is vulnerable. Today. The attack is only a POST option with a table of delimited hash collision values. You could copypasta a working exploit, it is that easy. The vast (vaaast) majority of sites on the web run PHP, and 1 Gbps of attack vector bandwidth could take down 10,000 cores. With ASP.NET, that 1 Gbps can hold down 30,000 cores cRuby 1.8 (not patched, about half of Ruby installs): that 1 Gbps can keep a million cores tied up.
Yow.
Category: Events • Technology • Travel
You can’t read this at the Westin
Oddly, this server is blocked by the network at the Westin Grand, Berlin. Everything else seems to work, even www.dis.org (which is blocked by sites that subscribe to the Barracuda filter list, cause any site with information on radios is frequented by hackerz). It does not seem to be a national level block as I get plenty of visitors from Germany.
Easy enough to get around by VPN, but odd. Very odd indeed.
Category: Hotels • Self-publishing • Technology • Travel
Rose Picture
Not sure why the roses are blooming xmas eve, but they’re pretty in the sunset light.
Category: photo
huh… MITM or switching mafia allegiances
Certs are so fail for authentication.
Category: Media
-
Recent Posts
- Get a desktop alert when Thunderbird gets constipated 2023 May 29
- The end of a comic era 2023 May 14
- WordPress forward and back navigation I find pleasing 2023 May 07
- عيد مبارك 2023 April 22
- Technology: maximizing individual radius of lethality. 2023 February 05
- Sidebar featured images only on single post pages 2023 January 24
- LastPass: The Cloud is Public and Ephemeral 2023 January 05
- Some gnuplot and datamash adventures 2022 December 29
- Smol bash script for finding oversize media files 2022 September 02
- Deep Learning Image Compression: nearly 10,000:1 compression ratio! 2022 June 28
- Categories
- Links
- Search
- Archives
- Post History