REMOTE ALGORITHMIC COMPLEXITY ATTACKS AGAINST RANDOMIZED HASH TABLES
Noa Bar-Yosef, Avishai Wool
2007
Abstract
Many network devices, such as routers, firewalls, and intrusion detection systems, usually maintain per-connection state in a hash table. However, hash tables are susceptible to algorithmic complexity attacks, in which the attacker degenerates the hash into a simple linked list. A common counter-measure is to randomize the hash table by adding a secret value, known only to the device, as a parameter to the hash function. Our goal is to demonstrate how the attacker can defeat this protection: we demonstrate how to discover this secret value, and to do so remotely, using network traffic. We show that if the secret value is small enough, such an attack is possible. Our attack does not rely on any weakness of a particular hash function and can work against any hash, although a poorly chosen hash function that produces many collisions can make the attack more efficient. We present a mathematical modeling of the attack, simulate the attack on different network topologies and finally describe a real-life attack against a weakened version of the Linux Netfilter.
Paper Citation
in Harvard Style
Bar-Yosef N. and Wool A. (2007). REMOTE ALGORITHMIC COMPLEXITY ATTACKS AGAINST RANDOMIZED HASH TABLES. In Proceedings of the Second International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2007) ISBN 978-989-8111-12-8, pages 117-124. DOI: 10.5220/0002118101170124
in Bibtex Style
@conference{secrypt07,
author={Noa Bar-Yosef and Avishai Wool},
title={REMOTE ALGORITHMIC COMPLEXITY ATTACKS AGAINST RANDOMIZED HASH TABLES},
booktitle={Proceedings of the Second International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2007)},
year={2007},
pages={117-124},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0002118101170124},
isbn={978-989-8111-12-8},
}
in EndNote Style
TY - CONF
JO - Proceedings of the Second International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2007)
TI - REMOTE ALGORITHMIC COMPLEXITY ATTACKS AGAINST RANDOMIZED HASH TABLES
SN - 978-989-8111-12-8
AU - Bar-Yosef N.
AU - Wool A.
PY - 2007
SP - 117
EP - 124
DO - 10.5220/0002118101170124