Hello. We have analyzed this software to determine its vulnerability
to a new class of DoS attacks related to a recent paper, ''Denial
of Service via Algorithmic Complexity Attacks.''
This paper discusses a new class of denial of service attacks that
work by exploiting the difference between average case performance and
worst-case performance. In an adversarial environment, the data
structures used by an application may be forced to experience their
worst case performance. For instance, hash tables are usually thought
of as being constant time operations, but with large numbers of
collisions will degrade to a linked list and may lead to a 100-10,000
times performance degradation. Because of the widespread use of hash
tables, the potential for attack is extremely widespread. Fortunately,
in many cases, other limits on the system limit the impact of these
attacks.
To be attackable, an application must have a deterministic or
predictable hash function and accept untrusted input. In general, for
the attack to be significant, the application must be willing and
able to accept hundreds to tens of thousands of 'attack
inputs'. Because of that requirement, it is difficult to judge the
impact of these attacks without knowing the source code extremely well,
and knowing all ways in which a program is used.
In my paper, I attacked bro-pub-0.8a20's port scanning detector. The
result of this attack was a packet drop rate of 30-70% with an attack
traffic of only 16kbits, and a complete overload in approximately 7
minutes. You may wish to consider replacing that hash function with
universal hashing.
For installations of Bro, this is a CRITICAL DoS vulnerability.
The paper discusses the attack and results at length.
The solution for these attacks on hash tables is to make the hash
function unpredictable via a technique known as universal
hashing. Universal hashing is a keyed hash function where, based on
the key, one of a large set of hash functions is chosen. When
benchmarking, we observe that for short or medium length inputs, it is
comparable in performance to simple predictable hash functions such as
the ones in Python or Perl. Our paper has graphs and charts of our
benchmarked performance.
I highly advise using a universal hashing library, either our own or
someone else's. As has historically been seen, it is very easy to make silly
mistakes when attempting to implement your own 'secure' algorithm.
The abstract, paper, and a library implementing universal hashing are
available at http://www.cs.rice.edu/~scrosby/hash/.
Scott
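As an added illustration of the point in the post above (this is example code written for this archive, not Scott's library or Bro's code): 64 constructed inputs that all share one byte sum pile into a single chain under a predictable toy hash, but spread out under a keyed polynomial hash whose key is drawn at table creation. The toy weak_hash, the universal_hash family, the prime and the bucket count are all assumptions for the demo.

```python
import random
from collections import defaultdict

BUCKETS = 1024            # table size; chain length is what an attacker inflates
P = 2**61 - 1             # Mersenne prime used as the keyed hash's field (assumed)

def weak_hash(s: bytes) -> int:
    """Deterministic toy hash (byte sum). Anyone who knows this function
    can choose inputs that all land in the same bucket."""
    return sum(s) % BUCKETS

def universal_hash(s: bytes, key: tuple) -> int:
    """Keyed polynomial hash mod a prime: the secret key (a, b) selects one
    member of a large family, so collisions cannot be planned without it."""
    a, b = key
    h = b
    for byte in s:
        h = (h * a + byte) % P
    return h % BUCKETS

def new_key(rng: random.Random) -> tuple:
    """Draw a fresh key once per table (in production: from a CSPRNG)."""
    return rng.randrange(1, P), rng.randrange(P)

def max_chain(items, h) -> int:
    """Longest bucket chain after inserting all items with hash h. Lookup
    cost in a chained table is proportional to this, not to len(items)."""
    counts = defaultdict(int)
    for it in items:
        counts[h(it)] += 1
    return max(counts.values())

def compare(n: int = 64, seed=None):
    """Return (longest chain under weak_hash, longest chain under
    universal_hash) for n constructed inputs with identical byte sums."""
    items = [bytes([i, 255 - i]) for i in range(n)]   # constructed: sum is always 255
    key = new_key(random.Random(seed))
    return (max_chain(items, weak_hash),
            max_chain(items, lambda s: universal_hash(s, key)))

if __name__ == "__main__":
    weak, keyed = compare()
    print(f"predictable hash: longest chain {weak} of 64 inputs (all collide)")
    print(f"keyed hash:       longest chain {keyed} of 64 inputs")
```

The weak-hash column is the worst case the post describes: every lookup walks the whole chain, which is the linked-list degradation that turns O(1) into O(n).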
From:Mr Sander Yuan, G.Manager
Chnze Electric Equipment Co.ltd.
No.17-505 Lumingyuan Lucheng Industrial zone Wenzhou China 325007
Fax:86-577-88776860 Tel:86-577-88776861 or 88776862
E-mail:qunze@mail.wzptt.zj.cn chnze(a)mail.wzptt.zj.cn
http://www.chnze.com; http://www.electricbase.com
Dear Sir,
We are pleased to introduce ourselves as leading manufacturers and
exporters in Electrical Items and Accessories. Our Products include:
1. Circuit breaker (MCB,ELCB,MCCB)
2. Ac contactor, Magnetic starter
3. Relays (Mini relay, time relay, thermal relay)
4. Meters(panel meter, water meter, watthour meters)
5. Fuses link and fuse base
6. Stabilizer, UPS(uninterruptible power supply)
7. Energy saving lamps
8. Nylon cable tie, Cable clips,terminal block
9. Micro switch & Limit switch, pushbutton switch
10. Permanent micro DC motor
11. Electrical accessories
Please kindly visit our website http://www.chnze.com for detailed information
on our range of products.
You are requested to send us your inquiries for the same.
Thanking You & Best Regards
Sander Yuan/G.manager
Chnze electric equipment co.ltd.
Hi
I used the trace file from NLANR to test Bro. But Bro does nothing but
report a bad checksum:
Sessions.cc: Weird("bad_IP_checksum", hdr, pkt);
return;
TCP.cc: Weird("bad_TCP_checksum");
return;
What should I do to make the trace file usable by Bro?
Thanks very much!
Have a nice day!
Ciao
Cloud
> I add a variable to class SteppingStoneManager:
When you do this, you need to issue "make clean ; make" in order
to recompile all the .o's that depend on the modified class. The
rules in the Makefile do not reflect all of the .h dependencies.
(This is deliberate - it is too much of a pain when doing development
to have them.)
Vern
Hi all
I add a variable to class SteppingStoneManager:
+ #include <g++-3/list.h>
class SteppingStoneManager {
public:
	SteppingStoneManager() { endp_cnt = 0; }
	PQueue(SteppingStoneEndpoint)& OrderedEndpoints()
		{ return ordered_endps; }
	// Use postfix ++, since the first ID needs to be even.
	int NextID() { return endp_cnt++; }
++++	list<SteppingStoneEndpoint *> Flow_list;
protected:
	PQueue(SteppingStoneEndpoint) ordered_endps;
	int endp_cnt;
};
And the code compiled successfully. But at runtime Bro hits an error:
[@]# ./bro -i eth0 ssh-stepping.bro
listening on eth0
Segmentation fault <----------------------------------here!!!
gdb reports that the error is in malloc.c!!!
What should I do to use an STL list in Bro???
Appreciated!
Any help is welcome!
Have a nice day!
Ciao
Cloud