Earlier today at the CCC Congress in Berlin, Alexander Klink and Julian Wälde, two German security researchers, explained how to (ab)use the hashtable functionality present in many web server platforms to cause CPU exhaustion on the server.
The attack uses the HTTP POST protocol to submit variables to a server, which the server automatically keeps track of. By submitting hundreds of thousands of variables with specifically chosen names that cause name collisions in the hashtables used to store the variables, the CPU of the server is kept active. This attack mechanism is simple and elegant, causing the server to spend minutes to hours for a single HTTP request.
PHP has published a patch that enables a workaround for the condition. It limits the number of variables that can be submitted in a single POST to 1,000, a similar strategy to the one employed the newest Tomcat 7.0.23. Microsoft published its advisory KB2659883 today and advises to set the maximum size of the POST request to a limited value (20KB or 200KB depending on viewstate usage) in order to reduce the number of variables that can be passed into ASP.NET. Microsoft’s SRD blog has a lot of additional information, including Snort signatures for the attack.
We will closely monitor the development around the vulnerability and will keep you updated on new developments. At the moment, we recommend limiting the request size, which seems to be a countermeasure that is universally available.
The 60 minute talk itself is online on Youtube and very much worth watching for its background information on how the researchers found the vulnerability and the applicability to other platforms (Spoiler: Phython: yes, Ruby: somewhat, Perl: no). They also talk a bit about further research into other attack methods (JSON, for example) and other areas where hashtables are used (OS kernels, for example). The advisory by oCERT lists the vulnerable platforms and a detailed technical advisory can be found at the site of nruns, the company where Alexander works.