Hash Algorithm Collisions

2012-01-27

At the 28th Chaos Communication Congress Alexander Klink and Julian Wälde presented a talk about a very effective Denial of Service attack which targets all major web development platforms (PHP, Java, .NET, Python, ...).

The recording of the presentation can be watched on YouTube and the slides of the presentation are also available in PDF format.

Because the response from vendors was lame, to say the least, I wondered what could be done while the fundamental problem was being fixed ... or not. In particular the reaction from Oracle was very disappointing.

As most of my customers use a Java platform and several use PHP, I was looking for a solution until the vendors fixed their products.

One customer with several Tomcat web containers, PHP servers and a Python-based Plone content management system uses an Apache reverse proxy to unify all these servers and applications behind their main website URL. This got me thinking about a solution which leverages this single entry point.

So I set out to write an Apache module which filters attacks against the Java and PHP string hashing algorithms. The Python server is not that vulnerable because it runs on a 64-bit Python engine.

The module is in testing and seems to hold off the attacks pretty well. As soon as I'm sure the module doesn't drop valid packets I'll upload the code to GitHub.
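The core check such a proxy-side filter has to make, as an added example and not the author's Apache module: re-implement the two string hashes the backends use (Java's String.hashCode and PHP's DJBX33A), group a request's distinct parameter names by hash value, and flag the request when one bucket grows past a threshold. The sample bodies and the threshold value are constructed for illustration; a production filter would use a far higher threshold.

```python
from collections import Counter
from urllib.parse import parse_qsl


def java_string_hash(s: str) -> int:
    # java.lang.String.hashCode(): h = 31*h + c per UTF-16 code unit, 32-bit wrap.
    # Assumes BMP characters (ord == UTF-16 unit). Returned unsigned; Java's
    # signed view differs only in sign, which does not affect bucket equality.
    h = 0
    for ch in s:
        h = (31 * h + ord(ch)) & 0xFFFFFFFF
    return h


def php_djbx33a(s: str, bits: int = 64) -> int:
    # PHP's zend_inline_hash_func (DJBX33A): h = h*33 + byte, starting at 5381,
    # wrapping at the width of unsigned long (64 on LP64 builds, 32 on 32-bit ones).
    mask = (1 << bits) - 1
    h = 5381
    for b in s.encode("utf-8"):
        h = (h * 33 + b) & mask
    return h


def largest_bucket(body: str, hash_fn) -> int:
    # Size of the most crowded hash bucket among the distinct parameter names.
    names = {name for name, _ in parse_qsl(body, keep_blank_values=True)}
    if not names:
        return 0
    return max(Counter(hash_fn(n) for n in names).values())


def should_block(body: str, threshold: int = 3) -> dict:
    # Per-backend verdict: more than `threshold` distinct names in one bucket
    # is treated as a collision flood. The default is tiny so the sample trips it;
    # real traffic has occasional benign collisions, so tune it much higher.
    return {
        "java": largest_bucket(body, java_string_hash) > threshold,
        "php": largest_bucket(body, php_djbx33a) > threshold,
    }


# Constructed sample bodies. The names in BAD_BODY are built from the textbook
# Java collision pair "Aa"/"BB", so all four share one String.hashCode() value.
GOOD_BODY = "user=alice&page=2&sort=name&lang=en"
BAD_BODY = "AaAa=1&AaBB=1&BBAa=1&BBBB=1"

if __name__ == "__main__":
    print(should_block(GOOD_BODY), should_block(BAD_BODY))
```

Note that the Java-colliding sample does not trip the PHP check: each backend hash needs its own bucket count, which is why a filter sitting on a shared reverse proxy has to know which backend a path is routed to.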

Just checked the oCERT site. The page claims some fixes but I would qualify these updates as workarounds.