Security

Websites and Apps Vulnerable to Low-Bandwidth, Bot-Free Takedown

Hackers armed with a single machine and a minimal broadband connection can cripple Web servers, researchers disclosed Wednesday, putting uncounted websites and Web apps at risk from denial-of-service attacks.

In a security advisory issued the same day, Microsoft, whose ASP .Net programming language is one of several affected by the flaw, promised to patch the vulnerability and offered customers ways to protect their servers until it releases an update.

In a follow-up message, Microsoft announced it was shipping an "out-of-band," or emergency update today. The update was released at 1 p.m. ET. Designated MS11-100 , it also fixed three other bugs in ASP .Net, one tagged "critical." None of those three had been disclosed publicly prior to today.

The problem that caused a stir in the security community exists in many of the Web's most popular application and site programming languages, including ASP .Net, the open-source PHP and Ruby, Oracle's Java and Google's V8 JavaScript, according to two German researchers, Alexander Klink and Julian Walde.

Klink and Walde, who presented their findings at the Chaos Communication Congress (CCC) conference in Berlin on Wednesday, traced the flaw to those languages' -- and others' -- handling of hash tables, a programming structure used to quickly store and retrieve data.

Unless a language randomizes hash functions or takes into account "hash collisions" -- when multiple data generates the same hash -- attackers can calculate the data that will trigger large numbers of collisions, then send that data as a simple HTTP request. Because each collision chews up processing cycles on the targeted server, a hacker using relatively small attack packets could consume all the processing power of even well-equipped servers, effectively knocking them offline.

Microsoft confirmed that a single 100K specially-crafted HTTP request sent to a server running ASP .Net would consume 100% of one CPU core for 90-110 seconds.

"An attacker could potentially repeatedly issue such requests, causing performance to degrade significantly enough to cause a denial of service condition for even multi-core servers or clusters of servers," company engineers Suha Can and Jonathan Ness said in a post to the Security Research & Defense blog yesterday.

Klink and Walde estimated that packets as small as 6K would keep a single-core processor busy on a Java server.

The implications are significant for Web apps and sites that run on those servers.

"An attacker with little resources can effectively take out a site fairly easily," said Andrew Storms, director of security operations at nCircle Security, today. "No botnet required to create havoc here."

Microsoft's rush to patch the flaw in ASP .Net hinted at the seriousness of the bug.

"Microsoft will be the one to watch and see if they go out of band and if so, when," Storms said Wednesday night, before Microsoft announced today's patch. "If they do, I sense it will be soon."

Can and Ness of Microsoft said that the company "anticipate[s] the imminent public release of exploit code," and urged ASP .Net customers to apply the patch or the workarounds described in the advisory.

Other programming language developers have already offered fixes to their software.

Ruby, for instance, has issued an update that includes a new randomized hash function, while PHP has shipped a release candidate for version 5.4.0 .

Some, however, will take their time implementing a fix, said Klink and Walde. Oracle told them there wasn't anything to patch in Java itself, but said it would update the GlassFish Java server software with a future fix.

Klink and Walde credited another pair of researchers -- Scott Crosby and Dan Wallach -- for outlining the attack vector in 2003, and applauded the Perl programming language for patching its flaw then.

During their presentation at CCC, Klink and Walde chastised other vendors for not tackling the problem years ago.

"I'd have to agree that we all expected vendors to have fixed this by now," said Storms. "On the other hand, there is a lot of research out there and its not always possible to be on top of everything. It's not as though this kind of attack has been ongoing in the wild since 2003 and everyone refused to fix it."

Klink and Walde reported their research to oCERT -- the Open Source Computer Security Incident Response Team -- last September. The organization then contacted the various vendors responsible for the affected languages.

oCERT issued its own advisory Wednesday.

Today's patch from Microsoft is its first out-of-band update during 2011. Last year, the company pushed out four emergency updates.

Storms, who had praised Microsoft earlier this month for not having to go out-of-band, noted today that he had issued a caveat even then. "I did say at the December Patch Tuesday that they had a few weeks to go before the year was over," Storms said in an instant message.

Microsoft delivered MS11-100 via its usual Windows Update and Windows Server Update Service (WSUS) channels.

More information about the hash collision flaw can be found in the advisory Klink published on his company's website, and in the notes from their presentation ( download PDF ). Although videos of the Klink and Walde CCC talk were available on YouTube for a time Wednesday, they have since been pulled from the site.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer , on Google+ or subscribe to Gregg's RSS feed . His e-mail address is gkeizer@computerworld.com .

See more articles by Gregg Keizer .

Read more about security in Computerworld's Security Topic Center.

Subscribe to the Security Watch Newsletter

Comments