Sunday, November 28, 2010

Universal HTTP DoS - Are You Dead Yet?

A generic flaw in the way HTTP works?
Now that's the kinda stuff I always like to hear about.
Oh, you mean to tell me that once again Web Application Firewalls cannot stop this attack?
Allow me to put on my "surprised" face again. Of course WAF cannot handle this. WAF do not really detect traffic anomalies. WAF simply do what they were programmed to do - detect pre-defined white/black list patterns.
Some boffins talked about this attack at OWASP:

So trivial we all wonder why nobody's thought of this prior to late 2010...
We simply find a nice web form to flood with never-ending POST values.
Add in connection concurrence in the tens-to-hundreds scale per client, et voilà:
Application layer Denial-of-Service attack.
At the time of this writing, I could not find any efficient PoC code. So I wrote my own.
Introducing: "R-U-Dead-Yet" or R.U.D.Y.
Distributed or not, this baby knocks down websites and web-enabled devices.
Apache? No problem for R.U.D.Y. IIS escaped the SlowLoris attack? it won't escape this time. Think you're ok cuz you wrote in ASP.NET / Java / PHP / whatever? Guess again. This attack is universal!
All you need could be an antique machine running Linux (tested and verified with Ubuntu).
With built-in detection of web forms and form fields suitable for attack, and unattended execution using pre-defined configuration files, this tool is simple enough for anyone to use.
I know not of any firewall / IPS, including WAF, that will currently cope with this attack.
And of course, as cyber warfare is our current hype, SCADA systems using web interfaces can also be attacked, according to the researchers behind the idea. Considering automatic discovery of Web-facing SCADA equipment using the SHODAN search engine, this could be major...
So without much further ado, let the mayhem, anarchy and general fun begin!

Download R-U-Dead-Yet at:


No comments:


Related Posts with Thumbnails