zeek May 2003

zeek@lists.zeek.org

4 participants
6 discussions

Re: Devastating DoS attack on Bro via Algorithmic Complexity Attacks

by Vern Paxson

Ruoming Pang has already added such a hash function in response to your paper, it'll be included in an upcoming release. Vern

17 years, 7 months

Devastating DoS attack on Bro via Algorithmic Complexity Attacks

by Scott A Crosby

Hello. We have analyzed this software to determine its vulnerability to a new class of DoS attacks that related to a recent paper. ''Denial of Service via Algorithmic Complexity Attacks.'' This paper discusses a new class of denial of service attacks that work by exploiting the difference between average case performance and worst-case performance. In an adversarial environment, the data structures used by an application may be forced to experience their worst case performance. For instance, hash tables are usually thought of as being constant time operations, but with large numbers of collisions will degrade to a linked list and may lead to a 100-10,000 times performance degradation. Because of the widespread use of hash tables, the potential for attack is extremely widespread. Fortunately, in many cases, other limits on the system limit the impact of these attacks. To be attackable, an application must have a deterministic or predictable hash function and accept untrusted input. In general, for the attack to be signifigant, the applications must be willing and able to accept hundreds to tens of thousands of 'attack inputs'. Because of that requirement, it is difficult to judge the impact of these attack without knowing the source code extremely well, and knowing all ways in which a program is used. In my paper, I attacked bro-pub-0.8a20's port scanning detector. The result of this attack was a packet drop rate of 30-70% with an attack traffic of only 16kbits, and a complete overload in approximately 7 minutes. You may wish to consider replacing that hash function with universal hashing. For installations of Bro, this is a CRITICAL DoS vulnerability. The paper discusses the attack and results at length. The solution for these attacks on hash tables is to make the hash function unpredictable via a technique known as universal hashing. Universal hashing is a keyed hash function where, based on the key, one of a large set hash functions is chosen. When benchmarking, we observe that for short or medium length inputs, it is comparable in performance to simple predictable hash functions such as the ones in Python or Perl. Our paper has graphs and charts of our benchmarked performance. I highly advise using a universal hashing library, either our own or someone elses. As is historically seen, it is very easy to make silly mistakes when attempting to implement your own 'secure' algorithm. The abstract, paper, and a library implementing universal hashing is available at http://www.cs.rice.edu/~scrosby/hash/. Scott

17 years, 7 months

Supply electric appliances

by chnze＠mail.wzptt.zj.cn

From:Mr Sander Yuan, G.Manager Chnze Electric Equipment Co.ltd. No.17-505 Lumingyuan Lucheng Industrial zone Wenzhou China 325007 Fax:86-577-88776860 Tel:86-577-88776861 or 88776862 E-mail:qunze@mail.wzptt.zj.cn chnze(a)mail.wzptt.zj.cn http://www.chnze.com; http://www.electricbase.com Dear Sir, We are pleased to introduce ourselves as leading manufacturers and exporters in Electrical Items and Accessories. Our Products include: 1. Circuit breaker (MCB,ELCB,MCCB) 2. Ac contactor, Magnetic starter 3. Relays (Mini relay, time relay, thermal relay) 4. Meters(panel meter, water meter, watthour meters) 5. Fuses link and fuse base 6. Stablizer, UPS(uninterruptible power supply) 7. Energy saving lamps 8. Nylon cable tie, Cable clips,terminal block 9. Micro switch & Limit switch, pushbutton switch 10. Permanent micro DC motor 11. Electrical accessories Please kindly visit our website http://www.chnze.com for detail information on our range of products. You are requested to send us your inquiries for the same. Thanking You & Best Regards Sander Yuan/G.manager Chnze electric equipment co.ltd. ******************************************************** ±ŸÓÊŒþÊ¹ÓÃ ·ÉÁúÈº·¢Æ÷ ·¢ËÍ,ÓÊŒþÄÚÈÝÓë ·ÉÁúÈíŒþ ÎÞ¹Ø ·ÉÁúÈíŒþ: http://www.163sm.com/kt/ This mail was sent using FlyingDragon Mail Sender, But The contents is none business of FlyingDragon Software. FlyingDragon Software: http://www.163sm.com/kt/ ********************************************************

17 years, 7 months

about NLANR

by Wang Shaofu

Hi I used the trace file from NLANR to test Bro. But Bro does nothing but report bad checksum. Sessions.cc: Weird("bad_IP_checksum", hdr, pkt); return; TCP.cc: Weird("bad_TCP_checksum"); return; What should I do , to make trace file available to Bro? Thanks very much! Have a nice day! Ciao Cloud _________________________________________________________________ 免费下载 MSN Explorer: http://explorer.msn.com/lccn/

17 years, 7 months

Re: how to use list of STL in Bro?

by Vern Paxson

> I add a variable to class SteppingStoneManager: When you do this, you need to issue "make clean ; make" in order to recompile all the .o's that depend on the modified class. The rules in the Makefile do not reflect all of the .h dependencies. (This is deliberate - it is too much of a pain when doing development to have them.) Vern

17 years, 8 months

how to use list of STL in Bro?

by Wang Shaofu

Hi all I add a variable to class SteppingStoneManager: + #include<g++-3/list.h> class SteppingStoneManager { public: SteppingStoneManager() { endp_cnt = 0; } PQueue(SteppingStoneEndpoint)& OrderedEndpoints() { return ordered_endps; } // Use postfix ++, since the first ID needs to be even. int NextID() { return endp_cnt++; } ++++ list <SteppingStoneEndpoint *> Flow_list; protected: PQueue(SteppingStoneEndpoint) ordered_endps; int endp_cnt; }; And the code is compiled succesfuly.But in runtime.Bro meet an error: [@]# ./bro -i eth0 ssh-stepping.bro listening on eth0 Segmentation fault <----------------------------------here!!! The gdb report that the error is in malloc.c!!! What should I do to use list of STL in Bro??? Appriciate! Any help is wellcome! Have a nice day! Ciao Cloud _________________________________________________________________ 享用世界上最大的电子邮件系统― MSN Hotmail。 http://www.hotmail.com

17 years, 8 months

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

zeek May 2003