Abstract
Many network devices, such as routers, firewalls, and intrusion detection systems, maintain per-connection state in a hash table. However, hash tables are susceptible to algorithmic complexity attacks, in which the attacker degenerates the hash table into a simple linked list. A common countermeasure is to randomize the hash table by adding a secret value, known only to the device, as a parameter to the hash function. Our goal is to demonstrate how the attacker can defeat this protection: we show how to discover this secret value, and to do so remotely, using network traffic. We show that if the secret value is small enough, such an attack is possible. Our attack does not rely on any weakness of a particular hash function and can work against any hash — although a poorly chosen hash function, one that produces many collisions, can make the attack more efficient. We present a mathematical model of the attack, simulate the attack on different network topologies and finally describe a real-life attack against a weakened version of the Linux Netfilter.
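The following is an added illustration, not code from the paper, of the two behaviours the abstract contrasts: a chained hash table whose unkeyed hash lets a set of inputs collapse into a single chain (the "linked list" degeneration), and the same table under a randomized hash keyed with a per-device secret, where the same inputs spread across buckets. The keyed BLAKE2b from `hashlib` is an assumption used as a stand-in for the generic keyed hash the paper discusses; the sample keys are constructed. Note that the abstract's caveat still holds for the keyed variant: the protection is only as strong as the secrecy and size of `secret`.

```python
import hashlib
import itertools
from typing import Callable, List, Sequence

HashFn = Callable[[bytes], int]


def weak_hash(key: bytes) -> int:
    """Toy unkeyed hash (constructed for this example): the sum of the bytes.

    It is order-insensitive, so every permutation of the same bytes hashes
    to the same value and lands in the same bucket.
    """
    return sum(key)


def keyed_hash(secret: bytes) -> HashFn:
    """Randomized hash: BLAKE2b keyed with a device-local secret.

    Stand-in for the paper's countermeasure of mixing a secret into the hash.
    Without knowing `secret`, an outsider cannot predict which bucket a key
    maps to; a short secret, however, leaves only 2**(8*len(secret)) options.
    """
    def h(key: bytes) -> int:
        digest = hashlib.blake2b(key, key=secret, digest_size=8).digest()
        return int.from_bytes(digest, "big")
    return h


def bucket_chains(keys: Sequence[bytes], hash_fn: HashFn,
                  nbuckets: int = 1024) -> List[List[bytes]]:
    """Insert `keys` into a separately chained table and return the chains."""
    chains: List[List[bytes]] = [[] for _ in range(nbuckets)]
    for k in keys:
        chains[hash_fn(k) % nbuckets].append(k)
    return chains


def longest_chain(keys: Sequence[bytes], hash_fn: HashFn,
                  nbuckets: int = 1024) -> int:
    """Worst-case chain length, i.e. the lookup cost an adversary aims for."""
    return max(len(c) for c in bucket_chains(keys, hash_fn, nbuckets))


def colliding_keys(n: int) -> List[bytes]:
    """Constructed sample: n distinct permutations of the same eight bytes.

    All of them share the same byte sum, so `weak_hash` puts them in one bucket.
    """
    base = b"\x01\x02\x03\x04\x05\x06\x07\x08"
    perms = itertools.permutations(base)
    return [bytes(p) for p in itertools.islice(perms, n)]


if __name__ == "__main__":
    keys = colliding_keys(2000)
    print("unkeyed hash, longest chain:", longest_chain(keys, weak_hash))
    # Constructed 16-byte secret; a real device would draw this from a CSPRNG.
    print("keyed hash,   longest chain:",
          longest_chain(keys, keyed_hash(b"\x5a" * 16)))
```

With the unkeyed hash all 2000 constructed keys end up in one chain, so each lookup walks a list of up to 2000 entries; with the keyed hash the same keys are spread over the 1024 buckets and the longest chain stays in the single digits. The point the paper makes is that this second picture only holds while the secret is unknown and too large to enumerate.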
© 2008 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Bar-Yosef, N., Wool, A. (2008). Remote Algorithmic Complexity Attacks against Randomized Hash Tables. In: Filipe, J., Obaidat, M.S. (eds) E-business and Telecommunications. ICETE 2007. Communications in Computer and Information Science, vol 23. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-88653-2_12
DOI: https://doi.org/10.1007/978-3-540-88653-2_12
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-88652-5
Online ISBN: 978-3-540-88653-2
eBook Packages: Computer Science, Computer Science (R0)