Websites & apps at DoS risk


Description: DDoS Attacks

Hackers armed with a single PC and a minimal broadband connection can cripple web servers, putting a huge number of websites and apps at risk. Gregg Keizer explains.

Security researchers recently revealed a vulnerability in the handling of hash tables by programming languages that puts sites and apps at risk of a denial of service (DoS) attack. Microsoft, whose ASP.Net programming language is one of several affected, quickly shipped an out of band update, designated ‘MS11-100’.

The problem exists in many of the web’s most popular app and site programming languages, including ASP.Net, PHP, Ruby, Java and V8 JavaScript, according to researchers Alex Klink and Julian Walde.

Klink and Walde traced the flaw to the handling of hash tables, a programming structure used to store and retrieve data.

Unless a language randomizes its hash functions or takes ‘hash collisions’ (different inputs that produce the same hash value) into account, attackers can calculate the data that will trigger large numbers of collisions, then send that data as a simple HTTP request. Because each collision chews up processing cycles on the targeted server, a hacker using relatively small attack packets could consume all the processing power of even well-equipped servers.

Microsoft confirmed that a single 100k HTTP request sent to a server running ASP.Net could consume 100 percent of a CPU core for 90-110 seconds.
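To show the mechanics described above, here is an added Python example, not code from the article or from the researchers it cites: a toy deterministic hash whose worst-case bucket chain grows to the number of constructed colliding keys, a seeded hash that spreads the same keys across buckets, and a request-level cap on form keys of the kind MS11-100 introduced for ASP.Net (the 1000 default, like all function names here, is an assumption).

```python
import os
import hashlib
from collections import defaultdict
from itertools import permutations

# Toy deterministic hash (sum of byte values): a constructed stand-in for
# the predictable string hashes the article describes; anagrams all collide.
def naive_hash(key: str) -> int:
    return sum(key.encode())

# The kind of fix the article credits Ruby with: a hash keyed by a per-process
# random seed, so an attacker cannot precompute which inputs share a bucket.
_SEED = os.urandom(16)

def seeded_hash(key: str, seed: bytes = _SEED) -> int:
    digest = hashlib.blake2b(key.encode(), key=seed, digest_size=8).digest()
    return int.from_bytes(digest, "big")

def max_chain_length(keys, hash_fn, buckets: int = 1024) -> int:
    """Fill a chained table and return its longest chain: the number of
    comparisons a lookup in that bucket costs, i.e. the CPU an attack inflates."""
    table = defaultdict(list)
    for k in keys:
        table[hash_fn(k) % buckets].append(k)
    return max(len(chain) for chain in table.values())

def colliding_keys(n: int) -> list:
    """Constructed sample input: n distinct anagrams of 'abcdefgh' (40320
    exist), all of which share one naive_hash value."""
    out = []
    for p in permutations("abcdefgh"):
        out.append("".join(p))
        if len(out) == n:
            break
    return out

# Assumed default of the per-request form-key cap MS11-100 added to ASP.NET.
MAX_FORM_KEYS = 1000

def accept_request_body(body: str, max_keys: int = MAX_FORM_KEYS) -> bool:
    """Cheap pre-check: count keys in a urlencoded body before any hashing, so
    an oversized request is rejected in O(len(body)) without touching the table."""
    return not body or body.count("&") + 1 <= max_keys

if __name__ == "__main__":
    keys = colliding_keys(2000)
    print("naive worst chain:", max_chain_length(keys, naive_hash))  # 2000
    print("seeded worst chain:", max_chain_length(keys, seeded_hash))
    print("2000-key body accepted:", accept_request_body("&".join(k + "=1" for k in keys)))
```

With the naive hash every lookup in the poisoned bucket walks all 2000 entries, which is the per-request cost that the 90-110 second CPU figure above reflects at scale; the seeded hash keeps chains near the load factor, and the key cap bounds the damage even if the hash were weak.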

“An attacker could potentially repeatedly issue such requests, causing performance to degrade significantly enough to cause a DoS condition for even multi-core servers or clusters of servers,” company engineers Suha Can and Jonathan Ness said in a blog.

Klink and Walde estimated that packets as small as 6k would keep a single core processor busy on a Java server.

The implications are significant for web apps and sites that run on those servers.

Small-scale attacks with huge impact

“An attacker with little resources can effectively take out a site fairly easily,” said Andrew Storms, director of security operations at nCircle Security. “No botnet is required to create havoc here.”

Microsoft’s rush to patch the flaw in ASP.Net hinted at the seriousness of the bug. Can and Ness said the firm “anticipates the imminent public release of exploit code”, and urged customers to apply the patch.

Other programming language developers have already offered fixes for their software. Ruby, for instance, has issued an update that includes a new randomized hash function, while PHP has shipped a release candidate for version 5.4.0.

Some, however, will take their time implementing a fix, said Klink and Walde.

Oracle told them there wasn’t anything to patch in Java itself, but said it would update the GlassFish Java server software with a future fix.

Klink and Walde credited another pair of researchers, Scott Crosby and Dan Wallach, for outlining the attack vector in 2003, and applauded the Perl programming language for patching its flaw then. Meanwhile, they chastised other vendors for not tackling the problem years ago.

“I’d have to agree that we all expected vendors to have fixed this by now,” said Storms. “On the other hand, there’s a lot of research out there and it’s not always possible to be on top of everything. It’s not as though this kind of attack has been ongoing in the wild since 2003 and everyone refused to fix it.”

Klink and Walde reported their research to the Open Source Computer Security Incident Response Team in September. The organization contacted the various vendors responsible for the affected languages.

The patch from Microsoft was its only out of band update in 2011 and Storms, who had only recently praised the company for not having to go out of band, noted that he had at the time issued a caveat. “I did say at the December Patch Tuesday that it had a few weeks to go before the year was over,” he said in an instant message.

Microsoft delivered MS11-100 via its usual Windows Update and Windows Server Update Services (WSUS) channels.
