asfws 2012 - hash-flooding dos reloaded: attacks and defenses par jean-philippe aumasson / martin...
DESCRIPTION
At 28c3, Klink and Waelde demonstrated that a number of technologies (PHP, .NET, Ruby, Java, etc.) remained vulnerable to the decade-old hash-flooding DoS attacks. These attacks work by enforcing worst-case insert time in hash tables by sending many inputs hashing to the same value (a “multicollision”). Many vendors fixed the issue by replacing the weak deterministic hash function with stronger and randomized hash functions. In this presentation, we will show examples of such stronger randomized hash functions that fail to protect against hash-flooding, by presenting “universal multicollision” attacks based on differential cryptanalysis techniques. We will present demos showing how to exploit these attacks to DoS a Ruby on Rails application, as well as the latest Java OpenJDK; two technologies that chose to “fix” hash-flooding by using the MurmurHash hash functions. Finally, we will describe a reliable fix to hash-flooding with the SipHash family of pseudorandom functions: SipHash provides the adequate cryptographic strength to mitigate hash-flooding, yet is competitive in performance with the non-cryptographic hashes.TRANSCRIPT
![Page 1: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/1.jpg)
Hash-flooding DoS reloaded: attacks and defenses
Jean-Philippe Aumasson, Kudelski Group
Daniel J. Bernstein, University of Illinois at Chicago
Martin Boßlet, freelancer
![Page 2: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/2.jpg)
Hash-flooding DoS reloaded: attacks and defenses
Jean-Philippe Aumasson, Kudelski Group
Daniel J. Bernstein, University of Illinois at Chicago
Martin Boßlet, freelancer
![Page 3: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/3.jpg)
Jean-Philippe Cryptography expert at the Kudelski Group
Applied crypto researcher
https://131002.net @aumasson
Martin Independent SW engineer and security expert
Ruby core dev team member
http://www.martinbosslet.de @_emboss_
![Page 4: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/4.jpg)
Hash-flooding DoS reloaded: attacks and defenses
![Page 5: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/5.jpg)
Denial-of-Service (DoS) attacks
“Attempt to make a machine or network resource unavailable to its intended users.” Wikipedia
![Page 6: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/6.jpg)
Popular DoS techniques are distributed HTTP or TCP SYN flood… (DDoS)
![Page 7: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/7.jpg)
More subtle techniques exploit properties of TCP-congestion-avoidance algorithms…
![Page 8: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/8.jpg)
Hash-flooding DoS reloaded: attacks and defenses
![Page 9: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/9.jpg)
Hash tables used in many applications to maintain an association between objects
Example: Python dictionaries d={} # empty table
d[12345]=0xc # insertion
d[‘astring’]=‘foo’ # insertion
d[(‘a’,‘tuple’)]=0 # insertion
print d[‘a string’] # lookup
![Page 10: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/10.jpg)
If the table is about as large as the number of elements to be stored (=n), insertion or lookup of n elements takes
O(n) operations on average
![Page 11: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/11.jpg)
If the table is about as large as the number of elements to be stored (=n), insertion or lookup of n elements takes
O(n) operations on average
d[12345]=0xc, hash(12345)=1
0 1 2
12345: 0xc
![Page 12: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/12.jpg)
If the table is about as large as the number of elements to be stored (=n), insertion or lookup of n elements takes
O(n) operations on average
d[‘astring’]=‘foo’ , hash(‘astring’)=0
0 1 2
12345: 0xc ‘astring’: ‘foo’
![Page 13: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/13.jpg)
If the table is about as large as the number of elements to be stored (=n), insertion or lookup of n elements takes
O(n) operations on average
d[(‘a’,’tuple’)=0; hash((‘a’,’tuple’))=2
0 1 2
12345: 0xc ‘astring’: ‘foo’ (‘a’,’tuple’): 0
![Page 14: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/14.jpg)
If the table is about as large as the number of elements to be stored (=n), insertion or lookup of n elements takes
O(n2) operations in the worst case
d[12345]=0xc, hash(12345)=1
0 1 2
12345: 0xc
![Page 15: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/15.jpg)
If the table is about as large as the number of elements to be stored (=n), insertion or lookup of n elements takes
O(n2) operations in the worst case
d[‘astring’]=‘foo’ , hash(‘astring’)=0
0 1 2
12345: 0xc
‘astring’: ‘foo’
![Page 16: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/16.jpg)
If the table is about as large as the number of elements to be stored (=n), insertion or lookup of n elements takes
O(n2) operations in the worst case
d[(‘a’,’tuple’)=0; hash((‘a’,’tuple’))=2
0 1 2
12345: 0xc
‘astring’: ‘foo’
(‘a’, ‘tuple’): ‘foo’
![Page 17: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/17.jpg)
Hash flooding: Send to a server many inputs with a same hash (a multicollision) so as to
enforce worst-case insert time
![Page 18: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/18.jpg)
send 2MB of POST data consisting of 200.000 colliding 10B strings
≈ 40.000.000.000 string comparisons (at least 10s on a 2GHz machine…)
![Page 19: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/19.jpg)
Previous work Crosby, Wallach. Denial of Service via Algorithmic Complexity Attacks, USENIX Security 2003
-> attack formalized and applied to Perl, Squid, etc.
Klink, Wälde. Efficient Denial of Service Attacks on Web Application Platforms. CCC 28c3
-> application to PHP, Java, Python, Ruby, etc.
![Page 20: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/20.jpg)
Previous work Crosby, Wallach. Denial of Service via Algorithmic Complexity Attacks, USENIX Security 2003
-> attack formalized and applied to Perl, Squid, etc.
Klink, Wälde. Efficient Denial of Service Attacks on Web Application Platforms. CCC 28c3
-> application to PHP, Java, Python, Ruby, etc.
![Page 21: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/21.jpg)
![Page 22: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/22.jpg)
Patches released consisting of a stronger hash with randomization (to make colliding values impossible to find)
![Page 23: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/23.jpg)
MurmurHash2
“used in code by Google, Microsoft,
Yahoo, and many others” http://code.google.com/p/smhasher/wiki/MurmurHash
CRuby, JRuby
![Page 24: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/24.jpg)
MurmurHash3
“successor to MurmurHash2”
Oracle’s Java SE, Rubinius
![Page 25: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/25.jpg)
Hash-flooding DoS reloaded: attacks and defenses
![Page 26: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/26.jpg)
1. Theory
![Page 27: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/27.jpg)
for (i=0;i<nblocks;i++) {
uint32_t k1 = getblock(blocks, i);
k1 *= 0xcc9e2d51 ;
k1 = ROTL32(k1 ,15);
k1 *= 0x1b873593;
h1 ^= k1;
h1 = ROTL32 ( h1 ,13);
h1 = h1 *5+0 xe6546b64;}
MurmurHash3 core
Processes the input per blocks of 4 bytes
![Page 28: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/28.jpg)
for (i=0;i<nblocks;i++) {
uint32_t k1 = getblock(blocks, i);
k1 *= 0xcc9e2d51 ;
k1 = ROTL32(k1 ,15);
k1 *= 0x1b873593;
h1 ^= k1;
h1 = ROTL32 ( h1 ,13);
h1 = h1 *5+0 xe6546b64;}
Differential cryptanalysis strategy 1/ introduce a difference in the state h1 via the input k1 2/ cancel this difference with a second well chosen difference
![Page 29: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/29.jpg)
for (i=0;i<nblocks;i++) {
uint32_t k1 = getblock(blocks, i);
k1 *= 0xcc9e2d51 ;
k1 = ROTL32(k1 ,15);
k1 *= 0x1b873593;
h1 ^= k1;
h1 = ROTL32 ( h1 ,13);
h1 = h1 *5+0 xe6546b64;}
Differential cryptanalysis strategy 1/ introduce a difference in the state h1 via the input k1 2/ cancel this difference with a second well chosen difference
i=0
inject difference D1
diff in k1:0x00040000
![Page 30: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/30.jpg)
for (i=0;i<nblocks;i++) {
uint32_t k1 = getblock(blocks, i);
k1 *= 0xcc9e2d51 ;
k1 = ROTL32(k1 ,15);
k1 *= 0x1b873593;
h1 ^= k1;
h1 = ROTL32 ( h1 ,13);
h1 = h1 *5+0 xe6546b64;}
Differential cryptanalysis strategy 1/ introduce a difference in the state h1 via the input k1 2/ cancel this difference with a second well chosen difference
i=0
inject difference D1
diff in k1:0x00040000
diff in h1 0x00040000
![Page 31: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/31.jpg)
for (i=0;i<nblocks;i++) {
uint32_t k1 = getblock(blocks, i);
k1 *= 0xcc9e2d51 ;
k1 = ROTL32(k1 ,15);
k1 *= 0x1b873593;
h1 ^= k1;
h1 = ROTL32 ( h1 ,13);
h1 = h1 *5+0 xe6546b64;}
Differential cryptanalysis strategy 1/ introduce a difference in the state h1 via the input k1 2/ cancel this difference with a second well chosen difference
i=0
inject difference D1
diff in k1:0x00040000
diff in h1 0x00040000
0x80000000
0x80000000
![Page 32: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/32.jpg)
for (i=0;i<nblocks;i++) {
uint32_t k1 = getblock(blocks, i);
k1 *= 0xcc9e2d51 ;
k1 = ROTL32(k1 ,15);
k1 *= 0x1b873593;
h1 ^= k1;
h1 = ROTL32 ( h1 ,13);
h1 = h1 *5+0 xe6546b64;}
Differential cryptanalysis strategy 1/ introduce a difference in the state h1 via the input k1 2/ cancel this difference with a second well chosen difference
i=1
inject difference D2
![Page 33: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/33.jpg)
for (i=0;i<nblocks;i++) {
uint32_t k1 = getblock(blocks, i);
k1 *= 0xcc9e2d51 ;
k1 = ROTL32(k1 ,15);
k1 *= 0x1b873593;
h1 ^= k1;
h1 = ROTL32 ( h1 ,13);
h1 = h1 *5+0 xe6546b64;}
Differential cryptanalysis strategy 1/ introduce a difference in the state h1 via the input k1 2/ cancel this difference with a second well chosen difference
i=1
inject difference D2
diff in k1:0x80000000
![Page 34: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/34.jpg)
for (i=0;i<nblocks;i++) {
uint32_t k1 = getblock(blocks, i);
k1 *= 0xcc9e2d51 ;
k1 = ROTL32(k1 ,15);
k1 *= 0x1b873593;
h1 ^= k1;
h1 = ROTL32 ( h1 ,13);
h1 = h1 *5+0 xe6546b64;}
Differential cryptanalysis strategy 1/ introduce a difference in the state h1 via the input k1 2/ cancel this difference with a second well chosen difference
i=1
inject difference D2
diff in k1:0x80000000
diff in h1: 0x80000000 ^ 0x80000000 = 0
COLLISION!
![Page 35: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/35.jpg)
2 colliding 8-byte inputs
32-bit
32-bit
M1
h1=X
M2
h1=f(X)=H
32-bit
32-bit
M1^D1
h1=X^D3
M2^D2
h1=f(X^D3^D3)=H
![Page 36: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/36.jpg)
Chain collisions => multicollisions
8n bytes => 2n colliding inputs
M1 M2
collision
M3 M4
collision
M5 M6
collision
![Page 37: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/37.jpg)
h1=seed;
for (i=0;i<nblocks;i++) {
uint32_t k1 = getblock(blocks, i);
k1 *= 0xcc9e2d51 ;
k1 = ROTL32(k1 ,15);
k1 *= 0x1b873593;
// transform of k1 independent of the seed!
h1 ^= k1;
h1 = ROTL32 ( h1 ,13);
h1 = h1 *5+0 xe6546b64;}
A multicollision works for any seed
=> “Universal” multicollisions
![Page 38: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/38.jpg)
Even simpler for MurmurHash2
![Page 39: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/39.jpg)
Consequence:
Systems using MurmurHash2/3 remain vulnerable to hash-flooding
![Page 40: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/40.jpg)
Other hash attacked
![Page 41: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/41.jpg)
Even weaker than MurmurHash2… Also vulnerable to hash flooding
![Page 42: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/42.jpg)
CityHash64( BU9[85WWp/ HASH!, 16 ) = b82e7612e6933d2f
CityHash64( 8{YDLn;d.2 HASH!, 16 ) = b82e7612e6933d2f
CityHash64( d+nkK&t?yr HASH!, 16 ) = b82e7612e6933d2f
CityHash64( {A.#v5i]V{ HASH!, 16 ) = b82e7612e6933d2f
CityHash64( FBC=/\hJeA!HASH!, 16 ) = b82e7612e6933d2f
CityHash64( $03$=K1.-H!HASH!, 16 ) = b82e7612e6933d2f
CityHash64( 3o'L'Piw\\!HASH!, 16 ) = b82e7612e6933d2f
CityHash64( duDu%qaUS@"HASH!, 16 ) = b82e7612e6933d2f
CityHash64( IZVo|0S=BX"HASH!, 16 ) = b82e7612e6933d2f
CityHash64( X2V|P=<u,=#HASH!, 16 ) = b82e7612e6933d2f
CityHash64( 9<%45yG]qG#HASH!, 16 ) = b82e7612e6933d2f
CityHash64( 6?4O:'<Vho#HASH!, 16 ) = b82e7612e6933d2f
CityHash64( 2u 2}7g^>3$HASH!, 16 ) = b82e7612e6933d2f
CityHash64( kqwnZH=cKG$HASH!, 16 ) = b82e7612e6933d2f
CityHash64( Nl+:rtvw}K$HASH!, 16 ) = b82e7612e6933d2f
CityHash64( s/pI!<5u*]$HASH!, 16 ) = b82e7612e6933d2f
CityHash64( f|P~n*<xPc$HASH!, 16 ) = b82e7612e6933d2f
CityHash64( Cj7TCG|G}}$HASH!, 16 ) = b82e7612e6933d2f
CityHash64( a4$>Jf3PF'%HASH!, 16 ) = b82e7612e6933d2f
![Page 43: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/43.jpg)
2. Practice
![Page 44: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/44.jpg)
Breaking Murmur:
We‘ve got the recipe –
Now all we need is the (hash) cake
![Page 45: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/45.jpg)
Where are hashes used?
![Page 46: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/46.jpg)
Internally vs. Externally
![Page 47: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/47.jpg)
Parser symbol tables Method lookup tables
Attributes / Instance variables IP Addresses
Transaction IDs Database Indexing
Session IDs HTTP Headers
JSON Representation URL-encoded POST form data
Deduplication (HashSet) A* search algorithm
Dictionaries …
![Page 48: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/48.jpg)
=> Where aren’t they used?
![Page 49: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/49.jpg)
Can’t we use something different?
![Page 50: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/50.jpg)
We could,
but amortized constant time is just too sexy
![Page 51: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/51.jpg)
Possible real-life attacks
![Page 52: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/52.jpg)
Attack internal use?
![Page 53: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/53.jpg)
Elegant, but low impact
![Page 54: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/54.jpg)
Need a high-profile target
![Page 55: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/55.jpg)
Web Application
![Page 56: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/56.jpg)
Example #1
Rails
![Page 57: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/57.jpg)
First:
Attacking MurmurHash in Ruby
![Page 58: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/58.jpg)
Straight-forward with a few quirks
![Page 59: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/59.jpg)
Apply the recipe
![Page 60: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/60.jpg)
Demo
![Page 61: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/61.jpg)
Should work with Rails
out of the box, no?
![Page 62: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/62.jpg)
Unfortunately, no
![Page 63: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/63.jpg)
Demo
![Page 64: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/64.jpg)
def POST … @env["rack.request.form_hash"] = parse_query(form_vars) … end
![Page 65: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/65.jpg)
def parse_query(qs) Utils.parse_nested_query(qs) end
![Page 66: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/66.jpg)
def parse_nested_query(qs, d = nil) params = KeySpaceConstrainedParams.new (qs || '').split(d ? /[#{d}] */n : DEFAULT_SEP).each do |p| k, v = p.split('=', 2).map { |s| unescape(s) } normalize_params(params, k, v) end return params.to_params_hash end
![Page 67: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/67.jpg)
def unescape(s, encoding = Encoding::UTF_8) URI.decode_www_form_component(s, encoding) end
![Page 68: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/68.jpg)
def self.decode_www_form_component(str, enc=Encoding::UTF_8) raise ArgumentError, "invalid %-encoding (#{str})" unless /\A[^%]*(?:%\h\h[^%]*)*\z/ =~ str str.gsub(/\+|%\h\h/, TBLDECWWWCOMP_).force_encoding(enc) end
![Page 69: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/69.jpg)
/\A[^%]*(?:%\h\h[^%]*)*\z/
???
![Page 70: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/70.jpg)
Catches invalid % encodings
(e.g. %ZV, %%1 instead of %2F)
![Page 71: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/71.jpg)
def parse_nested_query(qs, d = nil) params = KeySpaceConstrainedParams.new (qs || '').split(d ? /[#{d}] */n : DEFAULT_SEP).each do |p| k, v = p.split('=', 2).map { |s| unescape(s) } normalize_params(params, k, v) end return params.to_params_hash end
![Page 72: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/72.jpg)
def normalize_params(params, name, v = nil) name =~ %r(\A[\[\]]*([^\[\]]+)\]*) k = $1 || '' … end
![Page 73: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/73.jpg)
%r(\A[\[\]]*([^\[\]]+)\]*)
???
![Page 74: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/74.jpg)
helps transform [[]] to []
![Page 75: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/75.jpg)
idea:
pre-generate matching values
![Page 76: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/76.jpg)
create random values
passing the regular expressions
![Page 77: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/77.jpg)
that should do it, right?
![Page 78: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/78.jpg)
Demo
![Page 79: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/79.jpg)
![Page 80: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/80.jpg)
def parse_nested_query(qs, d = nil) params = KeySpaceConstrainedParams.new (qs || '').split(d ? /[#{d}] */n : DEFAULT_SEP).each do |p| k, v = p.split('=', 2).map { |s| unescape(s) } normalize_params(params, k, v) end return params.to_params_hash end
![Page 81: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/81.jpg)
class KeySpaceConstrainedParams def []=(key, value) @size += key.size if key && [email protected]?(key) raise RangeError, 'exceeded available parameter key space‘ if @size > @limit @params[key] = value end end
![Page 82: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/82.jpg)
![Page 83: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/83.jpg)
What now? Rails is safe?
![Page 84: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/84.jpg)
Remember:
Hashes are used everywhere
![Page 85: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/85.jpg)
So if
application/x-www-form-urlencoded
doesn't work, how about
application/json
?
![Page 86: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/86.jpg)
Again, with the encoding...
![Page 87: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/87.jpg)
Fast-forward...
![Page 88: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/88.jpg)
Demo
![Page 89: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/89.jpg)
Conclusion
Patchwork is not helping
![Page 90: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/90.jpg)
too many places
![Page 91: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/91.jpg)
code bloat
![Page 92: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/92.jpg)
yet another loophole will be found
![Page 93: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/93.jpg)
Fix it
at the
root
![Page 94: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/94.jpg)
Example #2
Java
![Page 95: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/95.jpg)
String(byte[] bytes)
![Page 96: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/96.jpg)
public String(byte bytes[], int offset, int length, Charset charset) { … char[] v = StringCoding.decode(charset, bytes, offset, length); … }
![Page 97: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/97.jpg)
Tough nut to crack
![Page 98: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/98.jpg)
What now? Java is safe?
![Page 99: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/99.jpg)
String(char[] value)
![Page 100: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/100.jpg)
public String(char value[]) { int size = value.length; this.offset = 0; this.count = size; this.value = Arrays.copyOf(value, size); }
![Page 101: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/101.jpg)
No decoding!
![Page 102: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/102.jpg)
Substitute byte[] operations
with equivalent operations
on char[]
![Page 103: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/103.jpg)
Demo
![Page 104: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/104.jpg)
Disclosure Oracle (Java): Sep 11
CRuby, JRuby, Rubinius: Aug 30
![Page 105: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/105.jpg)
Hash-flooding DoS reloaded: attacks and defenses
![Page 106: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/106.jpg)
SipHash: a fast short-input PRF
New crypto algorithm to fix hash-flooding:
• Rigorous security requirements and analysis
• Speed competitive with that of weak hashes
Peer-reviewed research paper (A., Bernstein). published at DIAC 2012, INDOCRYPT 2012
![Page 107: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/107.jpg)
SipHash initialization
256-bit state v0 v1 v2 v3
128-bit key k0 k1
v0 = k0 ⊕ 736f6d6570736575
v1 = k1 ⊕ 646f72616e646f6d
v2 = k0 ⊕ 6c7967656e657261
v3 = k1 ⊕ 7465646279746573
![Page 108: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/108.jpg)
SipHash initialization
256-bit state v0 v1 v2 v3
128-bit key k0 k1
v0 = k0 ⊕ “somepseu”
v1 = k1 ⊕ “dorandom”
v2 = k0 ⊕ “lygenera”
v3 = k1 ⊕ “tedbytes”
![Page 109: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/109.jpg)
SipHash compression
Message parsed as 64-bit words m0, m1, …
v3 ⊕= m0
c iterations of SipRound
v0 ⊕= m0
![Page 110: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/110.jpg)
SipHash compression
Message parsed as 64-bit words m0, m1, …
v3 ⊕= m1
c iterations of SipRound
v0 ⊕= m1
![Page 111: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/111.jpg)
SipHash compression
Message parsed as 64-bit words m0, m1, …
v3 ⊕= m2
c iterations of SipRound
v0 ⊕= m2
![Page 112: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/112.jpg)
SipHash compression
Message parsed as 64-bit words m0, m1, …
Etc.
![Page 113: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/113.jpg)
SipRound
![Page 114: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/114.jpg)
SipHash finalization
v2 ⊕= 255
d iterations of SipRound
Return v0 ⊕ v1 ⊕ v2 ⊕ v3
![Page 115: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/115.jpg)
SipHash-2-4 hashing 15 bytes
![Page 116: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/116.jpg)
Family SipHash-c-d
Fast proposal: SipHash-2-4
Conservative proposal: SipHash-4-8
Weaker versions for cryptanalysis:
SipHash-1-0, SipHash-2-0, etc.
SipHash-1-1, SipHash-2-1, etc.
Etc.
![Page 117: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/117.jpg)
![Page 118: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/118.jpg)
Proof of simplicity
June 20: paper published online
June 28: 18 third-party implementations
C (Floodyberry, Boßlet, Neves); C# (Haynes) Cryptol (Lazar); Erlang, Javascript, PHP (Denis) Go (Chestnykh); Haskell (Hanquez) Java, Ruby (Boßlet); Lisp (Brown); Perl6 (Julin)
![Page 119: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/119.jpg)
Who is using SipHash?
http://www.opendns.com/ http://www.rust-lang.org/
Soon?
![Page 120: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/120.jpg)
Take home message
• DoS is doable with only small data/bandwidth
• Java- and Ruby-based web applications vulnerable to DoS (and maybe others…)
• SipHash offers both security and performance
Contact us if you need to check your application
![Page 121: ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet](https://reader033.vdocuments.site/reader033/viewer/2022042814/555a877ad8b42abb628b4f30/html5/thumbnails/121.jpg)
Hash-flooding DoS reloaded: attacks and defenses
THANK YOU!