HashTable DoS

HashTable DoS 탐지 방안으로 MS社에서는 아래와 같은 룰을 제공하였다.

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:”DOS generic web server hashing collision attack”; flow:established,to_server; content:”Content-Type|3A| application|2F|x-www-form-urlencoded”; nocase; http_header; pcre:”/([^=]+=[^&]*&){500}/OP”; reference:cve,2011-3414; reference:url,events.ccc.de/congress/2011/Fahrplan/events/4680.en.html; reference:url,technet.microsoft.com/en-us/security/advisory/2659883; classtype:attempted-dos; sid:20823; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:”DOS generic web server hashing collision attack”; flow:established,to_server; content:”Content-Type|3A| multipart/form-data”; nocase; http_header; pcre:”/(\r\nContent-Disposition\x3a\s+form-data\x3b[^\r\n]+\r\n\r\n.+?){500}/OPsmi”; reference:cve,2011-3414; reference:url,events.ccc.de/congress/2011/Fahrplan/events/4680.en.html; reference:url,technet.microsoft.com/en-us/security/advisory/2659883; classtype:attempted-dos; sid:20824; rev:1;)

참고자료 :

–  http://blogs.technet.com/b/srd/archive/2011/12/29/asp-net-security-update-is-live.aspx

–  http://www.exploit-db.com/exploits/18296/

–  http://www.exploit-db.com/exploits/18305/

 

 

 

 

Advertisements

About this entry