application-level denial of service

21

Vladimir Garbuz FILLING THE VOID: Application-level DoS

Upload: vladimir-garbuz

Post on 22-Jan-2017

98 views

Category:

Software

0 download

Report

Download

Embed Size (px):

TRANSCRIPT

Page 1: Application-level Denial of Service

Vladimir Garbuz

FILLING THE VOID:Application-level DoS

Page 2: Application-level Denial of Service

fear the XML: billion laughs

Page 3: Application-level Denial of Service

fear the XML: oversized XXE

Page 4: Application-level Denial of Service

fear the XML: soap arrays

Page 5: Application-level Denial of Service

fear the XML: too much to handle

Page 6: Application-level Denial of Service

fear the XML: large soap for DOM parsers

Page 7: Application-level Denial of Service

fear the XML: xslt processing

Page 8: Application-level Denial of Service

fear the XML: signatures - many, xslt

Page 9: Application-level Denial of Service

fear the XML: signatures – RetrievalMethod

Page 10: Application-level Denial of Service

fear the XML: signatures/encryption reference

Page 11: Application-level Denial of Service

fear the XML: nested encryption

Page 12: Application-level Denial of Service

processing oversized data

Page 13: Application-level Denial of Service

REDoS – catastrophic backtracking

Page 14: Application-level Denial of Service

complex operations – look-alike, globbing, etc

Page 15: Application-level Denial of Service

logic fuckups – multiple sorting, grouping, etc

Page 16: Application-level Denial of Service

zero-bytes in input

Page 17: Application-level Denial of Service

unpacking: recursion

Page 18: Application-level Denial of Service

unpacking: large low-entropy data

Page 19: Application-level Denial of Service

heavy functionality invokation

Page 20: Application-level Denial of Service

slow HTTP

Page 21: Application-level Denial of Service

Questions and Discussion

Application (Trustee Level)

A Better Measure of Mortgage Application Denial Rates...All denied applications come from the LCP pool, so the real denial rate (RDR) for LCP applications is 245,594 divided by 625,323,

Threats: Network Level - Web Home | ECS | Victoria ...homepages.ecs.vuw.ac.nz/foswiki/pub/Users/Ian/SCIE... · Application-level Denial of Service • Applications: • Network services,

Application-Level Attacks, Network-Level Defenses

Empirical Study of Tolerating Denial-of-Service Attacks ... · 2.1 Internet Applications & Denial-of-Service Attacks Figure 1 Internet Application and DoS Attacks Figure 1 illustrates

Denial of Spectrum Denial - Spectrum Authority

Mapping High-Level Application Requirements onto Low-Level ...file.scirp.org/pdf/JSEA20121100006_99410523.pdf · Mapping High-Level Application Requirements onto Low-Level Cloud Resources

Denial-of-Service (DoS) & Web Attackscs161/sp11/slides/2.17.dos-web.pdf · Transport-Level Denial-of-Service •Recall TCP’s 3-way connection establishment handshake –Goal: agree

Defending Against Application Denial of Service Attacks · 2019. 3. 4. · Introduction As we discussed last year in Defending Against Denial of Service Attacks1, attackers increasingly

Fiance Visa Application Denial because of DOMA (August 10, 2005)

Detection of Denial of Service Attacks on Application ...epubs.surrey.ac.uk/807702/2/Detection of Denial Of Service Attacks... · Detection of Denial of Service Attacks on Application

GEORGIA WIC PROGRAM APPLICATION FOR VENDOR … · application may result in denial of the application or termination of the vendor agreement. Check (√) one A. New Application Re-Authorization

Detecting Application Denial of Service

Application Denial of Service - OWASP · Title: Microsoft PowerPoint - Application DoS.ppt [Read-Only] Author: ofer Created Date: 5/31/2007 4:51:45 PM

Avaya Aura™ Communication Manager Denial Events · 2009-04-28 · Issue 1 May 2009 7 Denial Events Denial Events are logged in the Communication Manager denial event log. The denial

PUBLIC HOUSING PRE-APPLICATION PACKET · PUBLIC HOUSING PRE-APPLICATION PACKET ... If you receive a denial of assistance or ... UNITS BECOME AVAILABLE FOR RENT

Anatomy of Denial of Service Attack and Defense in a Lab … · What is Denial of Service Attack? 23rd Annual Computer Security Application Conference z“Attack in which the primary

Application (General Level)

P2P. Application-level overlays Focus at the application level

Fast and Flexible Application-Level Networking on ...tocs.pdfFast and Flexible Application-Level Networking † 51 Application-level networking has the potential to eliminate these

Application Level Web Security

Efficient Denial of Service Attacks on Web Application ...events.ccc.de/.../2007...web_application_platforms.pdfEfficient Denial of Service Attacks on Web Application Platforms Alexander

Denial of Service Attacks. Understanding to Denial of Services

Efficient Denial of Service Attacks on Web Application Platforms · 2016-11-23 · Efficient Denial of Service Attacks on Web Application Platforms Alexander “alech” Klink n.runs

Fast and Flexible Application-Level Networking on ...engler/exo-tocs.pdfFast and Flexible Application-Level Networking † 51 Application-level networking has the potential to eliminate

Exploring application level semantics

IJCSIS Hybrid Multi-Level Intrusion Detection€¦ · detection level identifies attacks of denial of service and probe attacks. The proposed system is a hybrid multi-level system

International Undergraduate Application for Admission€¦ · · 2018-04-28processing your application or denial of admission. ... (Include country code) Student email address,

2013 ERA & DENIAL MANAGER - Practice Insight ERA Document Final.pdf · The ERA Denial Manager is built with workflow in mind. This application as well as the Task Manager application

Temporal Lensing and its Application in Pulsing Denial-of-Service

PUBLIC NOTICE Board.pdfNEW LICENSE APPLICATION DENIAL HEARINGS 10:00A.M. 6. NEW APPLICATION DENIAL HEARING (Continued from July 23, 2015) – For Possible Action: A R B H LLC Alan

Application Denial of Service - Quotium...Denial of Service attacks are not new and have been around before the days of the internet. DoS attacks were recorded in telephony days, utilizing

Defending Against Application Denial of Service …...Defending Against Application Denial of Service Attacks Version 1.6 Released: December 20, 2013 Securosis, L.L.C. 515 E. Carefree

Capítulo 11 DoS - Denial of Service DDoS - Distributed Denial of Service DRDoS - Distributed Reflection Denial of Service

Application of high-level decision diagrams for … · Application of high-level decision diagrams for simulation ... called High-Level Decision Diagrams ... level decision diagrams