Denial of Service Attacks

Jan 15 2012 2:00 PM JAN 15 2012 2:00 PM
PHP Vulnerbility, (DoS attacks), (DDoS attacks)Hacking | PHP

Denial of Service Attacks or (DoS Attacks) or (DDoS Attacks) are a common battle in the web world. They involve a repeated ping or call on a server. The goal is to make the server/website unavailable.

I do my best to keep up to date on the latest hacks and not to mention old hacks resurfacing. One of these issues seems to be coming up again. And that has to do with PHP's $_GET, $_REQUEST, and $_POST variables.

These are excellent ways of creating heavy loads on a server if the maxium allowed variables is to high. Not to mention if each one of those variables is not limited it could potentially unleash a lethal Denial of Service attack on a victim hosing and destroying there CPU's.

What is the issue?

The issue is what they call a "Hash Collision Vulnerbility." In PHP is its runtime engine that runs in C. It reads the HTTP request data and then translates this into an "array." Which if you know anything about other languages you now that an array is a finite size and any time you want to change it you have to create another and fill it with the previous. They call these "Hash Tables."

PHPClasses Article describes it this way:

In C and other languages, arrays are implemented as data structures called hash tables. In simplistic terms, hash tables are arrays of linked lists of entries. These arrays have a fixed size.

So think about everytime your array changes in size it has to be rebuilt. They call this a Hash Collision Vulnerbility. Combining this with the number of $_POST, $_GET, and $_REQUEST from our HTTP requests you then get a wonderful Denial of Service Attack Vulnerbility.

What should I do?

Upgrade... If you are not on a shared server platform but a VPS or Private server solution your best bet for preventing this is to upgrade to the latest version of PHP. In PHP 5.3.9 or higher has a new PHP.ini field called, "max_input_vars."

This is defaulted to 1000 in most cases and you will want to reduce this drastically. If you can calculate how many variables you might need in one go then I would find this. In most cases I don't see a need for more than 100. But depending on your application you may need more.

This really is a huge issue and should not be taken lightly. If your application cannot be upgraded you may want to look into some other options Suhosin is a great option if you cannot directly update your PHP.

 

Links:

http://www.phpclasses.org/blog/post/171-PHP-Vulnerability-May-Halt-Millions-of-Servers.html

http://www.hardened-php.net/suhosin/

Social Media

Categories