Websites, apps vulnerable to low-bandwidth, bot-free takedown, say researchers
Microsoft rushes out emergency update for ASP .Net, first 'out-of-band' in 2011
Computerworld - Hackers armed with a single machine and a minimal broadband connection can cripple Web servers, researchers disclosed Wednesday, putting uncounted websites and Web apps at risk from denial-of-service attacks.
In a security advisory issued the same day, Microsoft, whose ASP .Net programming language is one of several affected by the flaw, promised to patch the vulnerability and offered customers ways to protect their servers until it releases an update.
In a follow-up message, Microsoft announced it was shipping an "out-of-band," or emergency update today. The update was released at 1 p.m. ET. Designated MS11-100, it also fixed three other bugs in ASP .Net, one tagged "critical." None of those three had been disclosed publicly prior to today.
Klink and Walde, who presented their findings at the Chaos Communication Congress (CCC) conference in Berlin on Wednesday, traced the flaw to those languages' -- and others' -- handling of hash tables, a programming structure used to quickly store and retrieve data.
Unless a language randomizes hash functions or takes into account "hash collisions" -- when multiple data generates the same hash -- attackers can calculate the data that will trigger large numbers of collisions, then send that data as a simple HTTP request. Because each collision chews up processing cycles on the targeted server, a hacker using relatively small attack packets could consume all the processing power of even well-equipped servers, effectively knocking them offline.
Microsoft confirmed that a single 100K specially-crafted HTTP request sent to a server running ASP .Net would consume 100% of one CPU core for 90-110 seconds.
"An attacker could potentially repeatedly issue such requests, causing performance to degrade significantly enough to cause a denial of service condition for even multi-core servers or clusters of servers," company engineers Suha Can and Jonathan Ness said in a post to the Security Research & Defense blog yesterday.
Klink and Walde estimated that packets as small as 6K would keep a single-core processor busy on a Java server.
The implications are significant for Web apps and sites that run on those servers.
"An attacker with little resources can effectively take out a site fairly easily," said Andrew Storms, director of security operations at nCircle Security, today. "No botnet required to create havoc here."
Microsoft's rush to patch the flaw in ASP .Net hinted at the seriousness of the bug.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts