Hash-flooding DoS reloaded: Hash flooding begins? attacks and - PowerPoint PPT Presentation

This is acceptable for port scans Review of classic hash tables (most (remember, we can’t detect Choose ❵ ✷ ❢ 1 ❀ 2 ❀ 4 ❀ 8 ❀ 16 ❀ ✿ ✿ ✿ ❣ hash all scans anyway), but might Hash table: ❵ separate linked replacing the not be acceptable for detecting Store string s in list # ✐ linear other attacks. ✿ ✿ ✿ It is probably where ✐ = ❍ ( s ) mod ❵ . many worth mentioning that similar might make issues also apply to things like With ♥ entries in table, pick operating system kernels. For expect ✙ ♥❂❵ entries ✿ ✿ ✿ I’ve example, hash tables are widely in each linked list. limiting used there for looking up active Choose ❵ ✙ ♥ : collisions, and connections, listening ports, etc. expect very short linked lists, with There’re usually other limits so very fast list operations. the which make these not really (What if ♥ becomes too big? dangerous though, but Rehash: replace ❵ by 2 ❵ .) more research might be needed. ”

This is acceptable for port scans Review of classic hash tables (remember, we can’t detect Choose ❵ ✷ ❢ 1 ❀ 2 ❀ 4 ❀ 8 ❀ 16 ❀ ✿ ✿ ✿ ❣ . all scans anyway), but might Hash table: ❵ separate linked lists. not be acceptable for detecting Store string s in list # ✐ other attacks. ✿ ✿ ✿ It is probably where ✐ = ❍ ( s ) mod ❵ . worth mentioning that similar issues also apply to things like With ♥ entries in table, operating system kernels. For expect ✙ ♥❂❵ entries example, hash tables are widely in each linked list. used there for looking up active Choose ❵ ✙ ♥ : connections, listening ports, etc. expect very short linked lists, There’re usually other limits so very fast list operations. which make these not really (What if ♥ becomes too big? dangerous though, but Rehash: replace ❵ by 2 ❵ .) more research might be needed. ”

is acceptable for port scans Review of classic hash tables e.g. strings ✿ ✿ ✿ (remember, we can’t detect ❍ ( s ) = first s ❵ Choose ❵ ✷ ❢ 1 ❀ 2 ❀ 4 ❀ 8 ❀ 16 ❀ ✿ ✿ ✿ ❣ . scans anyway), but might . . . Hash table: ❵ separate linked lists. acceptable for detecting e ✦ eight Store string s in list # ✐ attacks. ✿ ✿ ✿ It is probably f ✦ four ✦ where ✐ = ❍ ( s ) mod ❵ . mentioning that similar . . . also apply to things like With ♥ entries in table, n ✦ nine erating system kernels. For expect ✙ ♥❂❵ entries o ✦ one example, hash tables are widely in each linked list. p there for looking up active Choose ❵ ✙ ♥ : q connections, listening ports, etc. expect very short linked lists, r There’re usually other limits so very fast list operations. s ✦ six ✦ make these not really (What if ♥ becomes too big? t ✦ two ✦ ✦ dangerous though, but . Rehash: replace ❵ by 2 ❵ .) . research might be needed. ” .

acceptable for port scans Review of classic hash tables e.g. strings one , two ✿ ✿ ✿ can’t detect ❍ ( s ) = first byte of s ❵ Choose ❵ ✷ ❢ 1 ❀ 2 ❀ 4 ❀ 8 ❀ 16 ❀ ✿ ✿ ✿ ❣ . y), but might . . . Hash table: ❵ separate linked lists. table for detecting e ✦ eight Store string s in list # ✐ ✿ ✿ ✿ It is probably f ✦ four ✦ five where ✐ = ❍ ( s ) mod ❵ . mentioning that similar . . . to things like With ♥ entries in table, n ✦ nine kernels. For expect ✙ ♥❂❵ entries o ✦ one tables are widely in each linked list. p oking up active Choose ❵ ✙ ♥ : q listening ports, etc. expect very short linked lists, r other limits so very fast list operations. s ✦ six ✦ seven these not really (What if ♥ becomes too big? t ✦ two ✦ three ✦ though, but . Rehash: replace ❵ by 2 ❵ .) . might be needed. ” .

scans Review of classic hash tables e.g. strings one , two , ✿ ✿ ✿ , ten detect ❍ ( s ) = first byte of s ; ❵ = 256: Choose ❵ ✷ ❢ 1 ❀ 2 ❀ 4 ❀ 8 ❀ 16 ❀ ✿ ✿ ✿ ❣ . might . . . Hash table: ❵ separate linked lists. detecting e ✦ eight Store string s in list # ✐ ✿ ✿ ✿ robably f ✦ four ✦ five where ✐ = ❍ ( s ) mod ❵ . similar . . . like With ♥ entries in table, n ✦ nine For expect ✙ ♥❂❵ entries o ✦ one widely in each linked list. p active Choose ❵ ✙ ♥ : q rts, etc. expect very short linked lists, r limits so very fast list operations. s ✦ six ✦ seven really (What if ♥ becomes too big? t ✦ two ✦ three ✦ ten . Rehash: replace ❵ by 2 ❵ .) . needed. ” .

Review of classic hash tables e.g. strings one , two , ✿ ✿ ✿ , ten ; ❍ ( s ) = first byte of s ; ❵ = 256: Choose ❵ ✷ ❢ 1 ❀ 2 ❀ 4 ❀ 8 ❀ 16 ❀ ✿ ✿ ✿ ❣ . . . . Hash table: ❵ separate linked lists. e ✦ eight Store string s in list # ✐ f ✦ four ✦ five where ✐ = ❍ ( s ) mod ❵ . . . . With ♥ entries in table, n ✦ nine expect ✙ ♥❂❵ entries o ✦ one in each linked list. p Choose ❵ ✙ ♥ : q expect very short linked lists, r so very fast list operations. s ✦ six ✦ seven (What if ♥ becomes too big? t ✦ two ✦ three ✦ ten . Rehash: replace ❵ by 2 ❵ .) . .

of classic hash tables e.g. strings one , two , ✿ ✿ ✿ , ten ; ❍ ( s ) = first s ❍ ( s ) = first byte of s ; ❵ = 256: is not a go ose ❵ ✷ ❢ 1 ❀ 2 ❀ 4 ❀ 8 ❀ 16 ❀ ✿ ✿ ✿ ❣ . . Typical strings . . table: ❵ separate linked lists. Very long e ✦ eight string s in list # ✐ f ✦ four ✦ five ✐ = ❍ ( s ) mod ❵ . In some . . . start with ♥ entries in table, n ✦ nine ✙ ♥❂❵ entries o ✦ one each linked list. p ose ❵ ✙ ♥ : q very short linked lists, r very fast list operations. s ✦ six ✦ seven if ♥ becomes too big? t ✦ two ✦ three ✦ ten . Rehash: replace ❵ by 2 ❵ .) . .

hash tables e.g. strings one , two , ✿ ✿ ✿ , ten ; ❍ ( s ) = first byte of s ❍ ( s ) = first byte of s ; ❵ = 256: is not a good hash ❵ ✷ ❢ ❀ ❀ 4 ❀ 8 ❀ 16 ❀ ✿ ✿ ✿ ❣ . . Typical strings often . . ❵ separate linked lists. Very long t list; very e ✦ eight list # ✐ s f ✦ four ✦ five ✐ ❍ s mod ❵ . In some applications, . . . start with the same ♥ in table, n ✦ nine ✙ ♥❂❵ entries o ✦ one list. p ❵ ✙ ♥ q rt linked lists, r operations. s ✦ six ✦ seven ♥ ecomes too big? t ✦ two ✦ three ✦ ten . ❵ by 2 ❵ .) . .

tables e.g. strings one , two , ✿ ✿ ✿ , ten ; ❍ ( s ) = first byte of s ❍ ( s ) = first byte of s ; ❵ = 256: is not a good hash function! ❵ ✷ ❢ ❀ ❀ ❀ ❀ ❀ ✿ ✿ ✿ ❣ . . Typical strings often start with . . ❵ linked lists. Very long t list; very slow. e ✦ eight s ✐ f ✦ four ✦ five ✐ ❍ s ❵ In some applications, most strings . . . start with the same letter. ♥ n ✦ nine ✙ ♥❂❵ o ✦ one p ❵ ✙ ♥ q lists, r erations. s ✦ six ✦ seven ♥ big? t ✦ two ✦ three ✦ ten . ❵ ❵ . .

e.g. strings one , two , ✿ ✿ ✿ , ten ; ❍ ( s ) = first byte of s ❍ ( s ) = first byte of s ; ❵ = 256: is not a good hash function! . Typical strings often start with t . . . Very long t list; very slow. e ✦ eight f ✦ four ✦ five In some applications, most strings . . . start with the same letter. n ✦ nine o ✦ one p q r s ✦ six ✦ seven t ✦ two ✦ three ✦ ten . . .

e.g. strings one , two , ✿ ✿ ✿ , ten ; ❍ ( s ) = first byte of s ❍ ( s ) = first byte of s ; ❵ = 256: is not a good hash function! . Typical strings often start with t . . . Very long t list; very slow. e ✦ eight f ✦ four ✦ five In some applications, most strings . . . start with the same letter. n ✦ nine So we use fast hash functions o ✦ one that look at the whole string s . p 60 years of programmers exploring q hash functions for hash tables r ✮ good speed for typical strings. s ✦ six ✦ seven t ✦ two ✦ three ✦ ten . . .

e.g. strings one , two , ✿ ✿ ✿ , ten ; ❍ ( s ) = first byte of s ❍ ( s ) = first byte of s ; ❵ = 256: is not a good hash function! . Typical strings often start with t . . . Very long t list; very slow. e ✦ eight f ✦ four ✦ five In some applications, most strings . . . start with the same letter. n ✦ nine So we use fast hash functions o ✦ one that look at the whole string s . p 60 years of programmers exploring q hash functions for hash tables r ✮ good speed for typical strings. s ✦ six ✦ seven t ✦ two ✦ three ✦ ten What if the strings aren’t typical? . . .

strings one , two , ✿ ✿ ✿ , ten ; ❍ ( s ) = first byte of s Hashing ❍ s first byte of s ; ❵ = 256: is not a good hash function! Attacker Typical strings often start with t . s 1 ❀ ✿ ✿ ✿ ❀ s ♥ ❍ s ❵ Very long t list; very slow. ✁ ✁ ✁ = ❍ ( s ♥ ❵ ✦ eight ✦ four ✦ five In some applications, most strings Then all start with the same letter. in the same linked lis ✦ nine So we use fast hash functions ✦ that look at the whole string s . 60 years of programmers exploring hash functions for hash tables ✮ good speed for typical strings. ✦ ✦ seven ✦ ✦ three ✦ ten What if the strings aren’t typical?

, two , ✿ ✿ ✿ , ten ; ❍ ( s ) = first byte of s Hashing malicious ❍ s yte of s ; ❵ = 256: is not a good hash function! Attacker provides strings Typical strings often start with t . s 1 ❀ ✿ ✿ ✿ ❀ s ♥ with ❍ ( s ❵ Very long t list; very slow. ✁ ✁ ✁ = ❍ ( s ♥ ) mod ❵ ✦ ✦ ✦ In some applications, most strings Then all strings are start with the same letter. in the same linked linked list becomes ✦ So we use fast hash functions ✦ that look at the whole string s . 60 years of programmers exploring hash functions for hash tables ✮ good speed for typical strings. ✦ ✦ ✦ ✦ ✦ ten What if the strings aren’t typical?

✿ ✿ ✿ , ten ; ❍ ( s ) = first byte of s Hashing malicious strings ❍ s s ❵ 256: is not a good hash function! Attacker provides strings Typical strings often start with t . s 1 ❀ ✿ ✿ ✿ ❀ s ♥ with ❍ ( s 1 ) mod ❵ Very long t list; very slow. ✁ ✁ ✁ = ❍ ( s ♥ ) mod ❵ . ✦ ✦ ✦ In some applications, most strings Then all strings are stored start with the same letter. in the same linked list; linked list becomes very slow. ✦ So we use fast hash functions ✦ that look at the whole string s . 60 years of programmers exploring hash functions for hash tables ✮ good speed for typical strings. ✦ ✦ ✦ ✦ ✦ What if the strings aren’t typical?

❍ ( s ) = first byte of s Hashing malicious strings is not a good hash function! Attacker provides strings Typical strings often start with t . s 1 ❀ ✿ ✿ ✿ ❀ s ♥ with ❍ ( s 1 ) mod ❵ = Very long t list; very slow. ✁ ✁ ✁ = ❍ ( s ♥ ) mod ❵ . In some applications, most strings Then all strings are stored start with the same letter. in the same linked list; linked list becomes very slow. So we use fast hash functions that look at the whole string s . 60 years of programmers exploring hash functions for hash tables ✮ good speed for typical strings. What if the strings aren’t typical?

❍ ( s ) = first byte of s Hashing malicious strings is not a good hash function! Attacker provides strings Typical strings often start with t . s 1 ❀ ✿ ✿ ✿ ❀ s ♥ with ❍ ( s 1 ) mod ❵ = Very long t list; very slow. ✁ ✁ ✁ = ❍ ( s ♥ ) mod ❵ . In some applications, most strings Then all strings are stored start with the same letter. in the same linked list; linked list becomes very slow. So we use fast hash functions that look at the whole string s . Solution: Replace linked list by a safe tree structure, 60 years of programmers exploring at least if list is big. hash functions for hash tables ✮ good speed for typical strings. What if the strings aren’t typical?

❍ ( s ) = first byte of s Hashing malicious strings is not a good hash function! Attacker provides strings Typical strings often start with t . s 1 ❀ ✿ ✿ ✿ ❀ s ♥ with ❍ ( s 1 ) mod ❵ = Very long t list; very slow. ✁ ✁ ✁ = ❍ ( s ♥ ) mod ❵ . In some applications, most strings Then all strings are stored start with the same letter. in the same linked list; linked list becomes very slow. So we use fast hash functions that look at the whole string s . Solution: Replace linked list by a safe tree structure, 60 years of programmers exploring at least if list is big. hash functions for hash tables ✮ good speed for typical strings. But implementors are unhappy: this solution throws away the What if the strings aren’t typical? simplicity of hash tables.

❍ s first byte of s Hashing malicious strings December a good hash function! dnscache Attacker provides strings ❃ 41000000000000 ypical strings often start with t . s 1 ❀ ✿ ✿ ✿ ❀ s ♥ with ❍ ( s 1 ) mod ❵ = from 50 long t list; very slow. ✁ ✁ ✁ = ❍ ( s ♥ ) mod ❵ . if (++loop some applications, most strings Then all strings are stored /* to with the same letter. in the same linked list; hash linked list becomes very slow. use fast hash functions Discarding ok at the whole string s . Solution: Replace linked list trivially maintains by a safe tree structure, rs of programmers exploring if attacke at least if list is big. functions for hash tables But what ✮ d speed for typical strings. But implementors are unhappy: general-purp this solution throws away the if the strings aren’t typical? languages simplicity of hash tables. Can’t thro

❍ s yte of s Hashing malicious strings December 1999, Bernstein, hash function! dnscache software Attacker provides strings ❃ 41000000000000 often start with t . s 1 ❀ ✿ ✿ ✿ ❀ s ♥ with ❍ ( s 1 ) mod ❵ = from 50 million Internet very slow. ✁ ✁ ✁ = ❍ ( s ♥ ) mod ❵ . if (++loop > 100) applications, most strings Then all strings are stored /* to protect same letter. in the same linked list; hash flooding linked list becomes very slow. ash functions Discarding cache entries whole string s . Solution: Replace linked list trivially maintains by a safe tree structure, rogrammers exploring if attacker floods hash at least if list is big. or hash tables But what about ha ✮ for typical strings. But implementors are unhappy: general-purpose programming this solution throws away the strings aren’t typical? languages and libra simplicity of hash tables. Can’t throw entries

❍ s s Hashing malicious strings December 1999, Bernstein, function! dnscache software (OpenDNS: Attacker provides strings ❃ 41000000000000 DNS requests with t . s 1 ❀ ✿ ✿ ✿ ❀ s ♥ with ❍ ( s 1 ) mod ❵ = from 50 million Internet users): w. ✁ ✁ ✁ = ❍ ( s ♥ ) mod ❵ . if (++loop > 100) return most strings Then all strings are stored /* to protect against in the same linked list; hash flooding */ linked list becomes very slow. functions Discarding cache entries string s . Solution: Replace linked list trivially maintains performance by a safe tree structure, exploring if attacker floods hash table. at least if list is big. tables But what about hash tables ✮ strings. But implementors are unhappy: general-purpose programming this solution throws away the typical? languages and libraries? simplicity of hash tables. Can’t throw entries away!

Hashing malicious strings December 1999, Bernstein, dnscache software (OpenDNS: Attacker provides strings ❃ 41000000000000 DNS requests s 1 ❀ ✿ ✿ ✿ ❀ s ♥ with ❍ ( s 1 ) mod ❵ = from 50 million Internet users): ✁ ✁ ✁ = ❍ ( s ♥ ) mod ❵ . if (++loop > 100) return 0; Then all strings are stored /* to protect against in the same linked list; hash flooding */ linked list becomes very slow. Discarding cache entries Solution: Replace linked list trivially maintains performance by a safe tree structure, if attacker floods hash table. at least if list is big. But what about hash tables in But implementors are unhappy: general-purpose programming this solution throws away the languages and libraries? simplicity of hash tables. Can’t throw entries away!

Hashing malicious strings December 1999, Bernstein, Bad solution: dnscache software (OpenDNS: Use SHA-3 ❍ er provides strings ❃ 41000000000000 DNS requests SHA-3 is s ❀ ✿ ✿ ✿ ❀ s ♥ with ❍ ( s 1 ) mod ❵ = from 50 million Internet users): ✁ ✁ ✁ ❍ ( s ♥ ) mod ❵ . if (++loop > 100) return 0; all strings are stored /* to protect against same linked list; hash flooding */ list becomes very slow. Discarding cache entries Solution: Replace linked list trivially maintains performance safe tree structure, if attacker floods hash table. least if list is big. But what about hash tables in implementors are unhappy: general-purpose programming solution throws away the languages and libraries? simplicity of hash tables. Can’t throw entries away!

malicious strings December 1999, Bernstein, Bad solution: dnscache software (OpenDNS: Use SHA-3 for ❍ . rovides strings ❃ 41000000000000 DNS requests SHA-3 is collision-resistant! s ❀ ✿ ✿ ✿ ❀ s ♥ ❍ ( s 1 ) mod ❵ = from 50 million Internet users): ✁ ✁ ✁ ❍ s ♥ d ❵ . if (++loop > 100) return 0; are stored /* to protect against ed list; hash flooding */ ecomes very slow. Discarding cache entries Replace linked list trivially maintains performance ructure, if attacker floods hash table. big. But what about hash tables in rs are unhappy: general-purpose programming throws away the languages and libraries? hash tables. Can’t throw entries away!

December 1999, Bernstein, Bad solution: dnscache software (OpenDNS: Use SHA-3 for ❍ . ❃ 41000000000000 DNS requests SHA-3 is collision-resistant! s ❀ ✿ ✿ ✿ ❀ s ♥ ❍ s d ❵ = from 50 million Internet users): ✁ ✁ ✁ ❍ s ♥ ❵ if (++loop > 100) return 0; /* to protect against hash flooding */ slow. Discarding cache entries list trivially maintains performance if attacker floods hash table. But what about hash tables in unhappy: general-purpose programming the languages and libraries? Can’t throw entries away!

December 1999, Bernstein, Bad solution: dnscache software (OpenDNS: Use SHA-3 for ❍ . ❃ 41000000000000 DNS requests SHA-3 is collision-resistant! from 50 million Internet users): if (++loop > 100) return 0; /* to protect against hash flooding */ Discarding cache entries trivially maintains performance if attacker floods hash table. But what about hash tables in general-purpose programming languages and libraries? Can’t throw entries away!

December 1999, Bernstein, Bad solution: dnscache software (OpenDNS: Use SHA-3 for ❍ . ❃ 41000000000000 DNS requests SHA-3 is collision-resistant! from 50 million Internet users): Two reasons this is bad: 1. It’s very slow. if (++loop > 100) return 0; 2. It doesn’t solve the problem. /* to protect against hash flooding */ Discarding cache entries trivially maintains performance if attacker floods hash table. But what about hash tables in general-purpose programming languages and libraries? Can’t throw entries away!

December 1999, Bernstein, Bad solution: dnscache software (OpenDNS: Use SHA-3 for ❍ . ❃ 41000000000000 DNS requests SHA-3 is collision-resistant! from 50 million Internet users): Two reasons this is bad: 1. It’s very slow. if (++loop > 100) return 0; 2. It doesn’t solve the problem. /* to protect against hash flooding */ ❍ ( s ) mod ❵ Discarding cache entries is not collision-resistant. trivially maintains performance ❵ is small: e.g., ❵ = 2 20 . if attacker floods hash table. No matter how strong ❍ is, But what about hash tables in attacker can easily compute ❍ ( s ) mod 2 20 for many s general-purpose programming languages and libraries? to find multicollisions. Can’t throw entries away!

December 1999, Bernstein, Bad solution: 2003 USENIX dnscache software (OpenDNS: Use SHA-3 for ❍ . Symposium, ❃ 41000000000000 DNS requests SHA-3 is collision-resistant! “Denial of 50 million Internet users): algorithmic Two reasons this is bad: 1. It’s very slow. “We present (++loop > 100) return 0; 2. It doesn’t solve the problem. low-bandwidth to protect against attacks ✿ ✿ ✿ hash flooding */ ❍ ( s ) mod ❵ hashes to rding cache entries is not collision-resistant. the hash trivially maintains performance ❵ is small: e.g., ❵ = 2 20 . degenerate attacker floods hash table. No matter how strong ❍ is, Attack examples: what about hash tables in attacker can easily compute Perl programming ❍ ( s ) mod 2 20 for many s general-purpose programming Squid we languages and libraries? to find multicollisions. throw entries away!

Bernstein, Bad solution: 2003 USENIX Securit are (OpenDNS: Use SHA-3 for ❍ . Symposium, Crosb ❃ 41000000000000 DNS requests SHA-3 is collision-resistant! “Denial of service Internet users): algorithmic complexit Two reasons this is bad: 1. It’s very slow. “We present a new 100) return 0; 2. It doesn’t solve the problem. low-bandwidth denial protect against attacks ✿ ✿ ✿ if each flooding */ ❍ ( s ) mod ❵ hashes to the same entries is not collision-resistant. the hash table will maintains performance ❵ is small: e.g., ❵ = 2 20 . degenerate to a link ds hash table. No matter how strong ❍ is, Attack examples: hash tables in attacker can easily compute Perl programming ❍ ( s ) mod 2 20 for many s programming Squid web cache, etc. libraries? to find multicollisions. entries away!

Bernstein, Bad solution: 2003 USENIX Security enDNS: Use SHA-3 for ❍ . Symposium, Crosby–Wallach, ❃ requests SHA-3 is collision-resistant! “Denial of service via users): algorithmic complexity attacks”: Two reasons this is bad: 1. It’s very slow. “We present a new class of return 0; 2. It doesn’t solve the problem. low-bandwidth denial of service against attacks ✿ ✿ ✿ if each element ❍ ( s ) mod ❵ hashes to the same bucket, is not collision-resistant. the hash table will also rmance ❵ is small: e.g., ❵ = 2 20 . degenerate to a linked list.” table. No matter how strong ❍ is, Attack examples: tables in attacker can easily compute Perl programming language, ❍ ( s ) mod 2 20 for many s rogramming Squid web cache, etc. to find multicollisions.

Bad solution: 2003 USENIX Security Use SHA-3 for ❍ . Symposium, Crosby–Wallach, SHA-3 is collision-resistant! “Denial of service via algorithmic complexity attacks”: Two reasons this is bad: 1. It’s very slow. “We present a new class of 2. It doesn’t solve the problem. low-bandwidth denial of service attacks ✿ ✿ ✿ if each element ❍ ( s ) mod ❵ hashes to the same bucket, is not collision-resistant. the hash table will also ❵ is small: e.g., ❵ = 2 20 . degenerate to a linked list.” No matter how strong ❍ is, Attack examples: attacker can easily compute Perl programming language, ❍ ( s ) mod 2 20 for many s Squid web cache, etc. to find multicollisions.

solution: 2003 USENIX Security 2011 (28C3), SHA-3 for ❍ . Symposium, Crosby–Wallach, “Efficient is collision-resistant! “Denial of service via on web application algorithmic complexity attacks”: reasons this is bad: Java, JRub very slow. “We present a new class of Python 2, doesn’t solve the problem. low-bandwidth denial of service Ruby, Apache attacks ✿ ✿ ✿ if each element Tomcat, ❍ s mod ❵ hashes to the same bucket, Plone, Rack, collision-resistant. the hash table will also Engine. small: e.g., ❵ = 2 20 . ❵ degenerate to a linked list.” oCERT adviso matter how strong ❍ is, Attack examples: er can easily compute Application Perl programming language, ❍ s mod 2 20 for many s use secre ❍ Squid web cache, etc. multicollisions. ✿ ✿ ✿ but is

2003 USENIX Security 2011 (28C3), Klink–W ❍ . Symposium, Crosby–Wallach, “Efficient denial of collision-resistant! “Denial of service via on web application algorithmic complexity attacks”: this is bad: Java, JRuby, PHP w. “We present a new class of Python 2, Python solve the problem. low-bandwidth denial of service Ruby, Apache Geronimo, attacks ✿ ✿ ✿ if each element Tomcat, Oracle Glassfish, ❍ s ❵ hashes to the same bucket, Plone, Rack, V8 Javascript collision-resistant. the hash table will also Engine. ❵ = 2 20 . ❵ degenerate to a linked list.” oCERT advisory 2011–003. strong ❍ is, Attack examples: easily compute Application response: Perl programming language, ❍ s r many s use secret key to randomize ❍ Squid web cache, etc. multicollisions. ✿ ✿ ✿ but is this secure?

2003 USENIX Security 2011 (28C3), Klink–W¨ alde, ❍ Symposium, Crosby–Wallach, “Efficient denial of service attacks collision-resistant! “Denial of service via on web application platforms”: algorithmic complexity attacks”: Java, JRuby, PHP 4, PHP 5, “We present a new class of Python 2, Python 3, Rubinius, roblem. low-bandwidth denial of service Ruby, Apache Geronimo, Apache attacks ✿ ✿ ✿ if each element Tomcat, Oracle Glassfish, Jett ❍ s ❵ hashes to the same bucket, Plone, Rack, V8 Javascript the hash table will also Engine. ❵ ❵ degenerate to a linked list.” oCERT advisory 2011–003. ❍ is, Attack examples: compute Application response: Perl programming language, ❍ s s use secret key to randomize ❍ Squid web cache, etc. ✿ ✿ ✿ but is this secure?

2003 USENIX Security 2011 (28C3), Klink–W¨ alde, Symposium, Crosby–Wallach, “Efficient denial of service attacks “Denial of service via on web application platforms”: algorithmic complexity attacks”: Java, JRuby, PHP 4, PHP 5, “We present a new class of Python 2, Python 3, Rubinius, low-bandwidth denial of service Ruby, Apache Geronimo, Apache attacks ✿ ✿ ✿ if each element Tomcat, Oracle Glassfish, Jetty, hashes to the same bucket, Plone, Rack, V8 Javascript the hash table will also Engine. degenerate to a linked list.” oCERT advisory 2011–003. Attack examples: Application response: Perl programming language, use secret key to randomize ❍ . Squid web cache, etc. ✿ ✿ ✿ but is this secure?

“ used in code by Google, Microsoft, Yahoo, and many others ”

“ successor to MurmurHash2 ”

con const st uint64_t m = (0xc6a4a793 << 32) | 0x5bd1e995; uint64_t h = seed ^ len; whi while le (len >= 8) { uint64_t k = *(uint64_t*)data; k *= m; k ^= k >> 24; k *= m; h *= m; h ^= k; data += 8; len -= 8; }

con const st uint64_t m = (0xc6a4a793 << 32) | 0x5bd1e995; uint64_t h = seed seed ^ len; whi while le (len >= 8) { uint64_t k = *(uint64_t*)data; k *= m; k ^= k >> 24; k *= m; h *= m; h ^= k; data += 8; len -= 8; }

… /* finalization */ swi witch tch (len) { case case 7: h ^= data[6] << 48; case case 6: h ^= data[5] << 40; case case 5: h ^= data[4] << 32; case case 4: h ^= data[3] << 24; case case 3: h ^= data[2] << 16; case case 2: h ^= data[1] << 8; case case 1: h ^= data[0]; h *= m; }; …

con const st uint64_t m = (0xc6a4a793 << 32) | 0x5bd1e995; uint64_t h = seed ^ len; whi while le (len >= 8) { /* fi first rst b block ock */ uint64_t k = *(uint64_t*)data; k *= m; /* in injec ject t diff iffer erenc ence e D1 1 */ k ^= k >> 24; k *= m; h *= m; h ^= k; data += 8; len -= 8; }

con const st uint64_t m = (0xc6a4a793 << 32) | 0x5bd1e995; uint64_t h = seed ^ len; whi while le (len >= 8) { /* fi first rst b block ock */ uint64_t k = *(uint64_t*)data; k *= m; /* in injec ject t diff iffer erenc ence e D1 1 */ k ^= k >> 24; k *= m; /* dif diff f in k n k: : 0x8 0x800 000000 00000 00000 00000 0000 */ h *= m; h ^= k; data += 8; len -= 8; }

con const st uint64_t m = (0xc6a4a793 << 32) | 0x5bd1e995; uint64_t h = seed ^ len; whi while le (len >= 8) { /* fi first rst b block ock */ uint64_t k = *(uint64_t*)data; k *= m; /* in injec ject t diff iffer erenc ence e D1 1 */ k ^= k >> 24; k *= m; /* dif diff f in k n k: : 0x8 0x800 000000 00000 00000 00000 0000 */ h *= m; h ^= k; /* di diff ff in in h: h: 0x 0x800 80000 000000 00000 00000 00000 00 */ data += 8; len -= 8; }

con const st uint64_t m = (0xc6a4a793 << 32) | 0x5bd1e995; uint64_t h = seed ^ len; whi while le (len >= 8) { /* se secon cond d bloc lock k */ uint64_t k = *(uint64_t*)data; k *= m; /* in injec ject t diff iffer erenc ence e D2 2 */ k ^= k >> 24; k *= m; /* di diff ff in in k: k: 0x 0x800 80000 000000 00000 00000 00000 00 */ h *= m; h ^= k; data += 8; len -= 8; }

con const st uint64_t m = (0xc6a4a793 << 32) | 0x5bd1e995; uint64_t h = seed ^ len; whi while le (len >= 8) { /* se secon cond d bloc lock k */ uint64_t k = *(uint64_t*)data; k *= m; /* in injec ject t diff iffer erenc ence e D2 2 */ k ^= k >> 24; k *= m; /* di diff ff in in k: k: 0x 0x800 80000 000000 00000 00000 00000 00 */ h *= m; /* di diff ff in in h s h sti till: ll: 0x800 80000 00000 00000 000000 00000 00 */ h ^= k; data += 8; len -= 8; }

con const st uint64_t m = (0xc6a4a793 << 32) | 0x5bd1e995; uint64_t h = seed ^ len; whi while le (len >= 8) { /* se secon cond d bloc lock k */ uint64_t k = *(uint64_t*)data; k *= m; /* in injec ject t diff iffer erenc ence e D2 2 */ k ^= k >> 24; k *= m; /* di diff ff in in k: k: 0x 0x800 80000 000000 00000 00000 00000 00 */ h *= m; /* di diff ff in in h s h sti till: ll: 0x800 80000 00000 00000 000000 00000 00 */ h ^= k; /* CO COLLI LLISI SION ! N !!! !! (0 (0x80 x80.. ... ^ ^ 0x 0x80. 80... .. = 0 = 0) ) */ data += 8; len -= 8; }

M1 M3 M2 M4 M5 M6 collision collision collision

http://crypto.junod.info/2012/12/13/hash-dos-and-btrfs/

def ef parse_nested_query(qs, d = nil) params = KeySpaceConstrainedParams.new (qs || '').split(d ? /[#{d}] */n : DEFAULT_SEP).each do do |p| k, v = p.split('=', 2).map { |s| unescape(s) } normalize_params(params, k, v) end end return params.to_params_hash end nd

def ef unescape(s, encoding = Encoding::UTF_8) URI.decode_www_form_component(s, encoding) end nd

def ef self.decode_www_form_component(str, enc=Encoding::UTF_8) raise ArgumentError, "invalid %-encoding (#{str})" unless /\A[^%]*(?:%\h\h[^%]*)*\z/ =~ str str.gsub(/\+|%\h\h/, TBLDECWWWCOMP_).force_encoding(enc) end nd

def ef parse_nested_query(qs, d = nil) params = KeySpaceConstrainedParams.new (qs || '').split(d ? /[#{d}] */n : DEFAULT_SEP).each do do |p| k, v = p.split('=', 2).map { |s| unescape(s) } normalize_params(params, k, v) end end return params.to_params_hash end nd

def ef normalize_params(params, name, v = nil) name =~ %r(\A[\[\]]*([^\[\]]+)\]*) k = $1 || '' … end nd