Remote Algorithmic Complexity Attacks against Randomized Hash Tables

  • Conference paper

Part of the book series: Communications in Computer and Information Science ((CCIS,volume 23))

Abstract

Many network devices, such as routers, firewalls, and intrusion detection systems, maintain per-connection state in a hash table. Hash tables, however, are susceptible to algorithmic complexity attacks, in which the attacker chooses keys that all fall into the same bucket and so degenerates the table into a simple linked list. A common countermeasure is to randomize the hash table by adding a secret value, known only to the device, as a parameter to the hash function. Our goal is to demonstrate how the attacker can defeat this protection: we show how to discover the secret value, and to do so remotely, using only network traffic. We show that if the secret value is small enough, such an attack is possible. Our attack does not rely on any weakness of a particular hash function and works against any hash, although a poorly chosen hash function, one that produces many collisions, makes the attack more efficient. We present a mathematical model of the attack, simulate the attack on different network topologies, and finally describe a real-life attack against a weakened version of Linux Netfilter.
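As an added illustration of the attack the abstract describes (constructed example code, not the authors' code and not Netfilter's hash): a chained per-connection table whose hash is seeded with a small secret, a victim that exposes nothing but the cost of a lookup, and an attacker who recovers the secret by sending, for every candidate value, a batch of flow identifiers engineered to collide under that candidate. The hash function, the 256-bucket table, the 8-bit secret and the 4-byte flow identifiers are all assumptions chosen so the demo runs in seconds. Two simplifications are labelled in the code: lookup cost is reported as chain length rather than measured as round-trip latency, and each probe starts from an empty table, as if the previous batch of flows had timed out.

```python
"""Constructed model of a remote algorithmic complexity attack on a seeded
("randomized") hash table. Not the paper's code and not Netfilter's hash.
"""
import random

BUCKETS = 256      # assumed table size, kept small so the demo runs in seconds
SECRET_BITS = 8    # assumed secret size: the "small enough" case the paper attacks


def keyed_hash(key: bytes, secret: int) -> int:
    """Bucket index for `key` under the device's `secret`.

    FNV-1a style byte mixing seeded with the secret, then a murmur3-style
    finalizer so that the low bits selected by `% BUCKETS` depend on the
    whole key and the whole secret. Constructed for illustration only.
    """
    h = (0x811C9DC5 ^ secret) & 0xFFFFFFFF
    for b in key:
        h = ((h ^ b) * 0x01000193) & 0xFFFFFFFF
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & 0xFFFFFFFF
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & 0xFFFFFFFF
    h ^= h >> 16
    return h % BUCKETS


class ConnectionTable:
    """Chained hash table of per-connection state, keyed by a flow identifier."""

    def __init__(self, secret: int):
        self.secret = secret
        self.buckets = [[] for _ in range(BUCKETS)]

    def insert(self, flow: bytes) -> None:
        chain = self.buckets[keyed_hash(flow, self.secret)]
        if flow not in chain:
            chain.append(flow)

    def lookup_cost(self, flow: bytes) -> int:
        """Chain entries examined to find `flow`: the work an attacker sees as latency."""
        chain = self.buckets[keyed_hash(flow, self.secret)]
        for steps, entry in enumerate(chain, start=1):
            if entry == flow:
                return steps
        return len(chain)


class Victim:
    """The device. Its secret never leaves it; the attacker only observes cost."""

    def __init__(self, secret: int):
        self._secret = secret

    def probe(self, flows) -> int:
        # Simplification: every probe starts from an empty table, as if the
        # previous batch of flows had timed out. A remote attacker would
        # measure the round-trip time of the last packet, not chain length.
        table = ConnectionTable(self._secret)
        for f in flows:
            table.insert(f)
        return table.lookup_cost(flows[-1])


def colliding_flows(secret_guess: int, n: int, target: int = 0):
    """Attacker side: n distinct flow ids that all land in bucket `target`
    when the device's secret equals `secret_guess`; under any other secret
    they scatter across the table."""
    found, i = [], 0
    while len(found) < n:
        flow = i.to_bytes(4, "big")   # stands in for a real 5-tuple
        if keyed_hash(flow, secret_guess) == target:
            found.append(flow)
        i += 1
    return found


def recover_secret(victim: Victim, n: int = 16):
    """Brute-force the secret: send a colliding batch for every candidate and
    keep the candidate whose batch produced the longest chain.
    Returns (secret, observed_cost); work is 2**SECRET_BITS probes of n flows."""
    best_guess, best_cost = None, 0
    for guess in range(1 << SECRET_BITS):
        cost = victim.probe(colliding_flows(guess, n))
        if cost > best_cost:
            best_guess, best_cost = guess, cost
    return best_guess, best_cost


if __name__ == "__main__":
    secret = random.getrandbits(SECRET_BITS)
    victim = Victim(secret)
    guess, cost = recover_secret(victim)
    print(f"true secret {secret}, recovered {guess}, chain length seen {cost}")
    # With the secret known, a flood of colliding flows degenerates one bucket
    # into a linked list: lookup cost grows linearly with the flows sent.
    print("cost after 500 colliding flows:", victim.probe(colliding_flows(guess, 500)))
```

The attacker's work is linear in the size of the secret space (256 probes of 16 flows here), which is the sense in which the attack needs the secret to be "small enough"; the same loop over a 32-bit or larger secret is out of reach. The chain-length oracle is the idealised version of what the paper has to recover from network timing, where the signal must be separated from jitter on the path between attacker and device.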

Copyright information

© 2008 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Bar-Yosef, N., Wool, A. (2008). Remote Algorithmic Complexity Attacks against Randomized Hash Tables. In: Filipe, J., Obaidat, M.S. (eds) E-business and Telecommunications. ICETE 2007. Communications in Computer and Information Science, vol 23. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-88653-2_12

  • DOI: https://doi.org/10.1007/978-3-540-88653-2_12

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-88652-5

  • Online ISBN: 978-3-540-88653-2
