Corpus ID: 10663157

Denial of Service via Algorithmic Complexity Attacks

Scott A. Crosby and Dan S. Wallach. Denial of Service via Algorithmic Complexity Attacks. In USENIX Security Symposium.
We present a new class of low-bandwidth denial of service attacks that exploit algorithmic deficiencies in many common applications' data structures. [...] We show how modern universal hashing techniques can yield performance comparable to commonplace hash functions while being provably secure against these attacks.


Remote Algorithmic Complexity Attacks against Randomized Hash Tables
This work demonstrates how an attacker can defeat the protection that a randomized hash table gives to per-connection state: it shows how to discover the hash table's secret value, and to do so remotely, using only network traffic.
Vulnerability Analysis of Hash Tables to Sophisticated DDoS Attacks
This work presents a new class of low-bandwidth denial of service attacks that exploit algorithmic deficiencies in many common application data structures, and shows that Closed Hash is much more vulnerable to DDoS attacks than Open Hash.
Algorithmic attacks and timing leaks in distributed systems
This thesis analyzes the opportunities for determining a party's secret by measuring processing time remotely over the Internet, and defines a new class of attacks that perform a remote denial of service by deliberately choosing inputs that make common algorithms slow.
Algorithmic Complexity Vulnerability Analysis of a Stateful Firewall
The experimental results, obtained on a real-life network topology, show that by generating undetected, low-bandwidth but malicious network traffic that causes collisions in the firewall's hash table, the authors cause the firewall to become unreachable or even to announce a segmentation fault and reboot itself.
A Middleware System for Protecting Against Application Level Denial of Service Attacks
Recently, we have seen increasing numbers of denial of service (DoS) attacks against online services and web applications either for extortion reasons, or for impairing and even disabling the
Bolt: I Know What You Did Last Summer... In The Cloud
Bolt is presented, a practical system that accurately detects the type and characteristics of applications sharing a cloud platform based on the interference an adversary sees on shared resources, and leverages online data mining techniques that only require 2-5 seconds for detection.
Mitigating application-level denial of service attacks on Web servers: A client-transparent approach
This article proposes handling DoS attacks by using a twofold mechanism based on port hiding that renders the online service invisible to unauthorized clients by hiding the port number on which the service accepts incoming requests and performs congestion control on admitted clients to allocate more resources to good clients.
The scope of the DDoS problem is described as comprehensively as possible in order to stimulate research into efficient, creative and effective defenses, detection mechanisms and methods against such attacks.
The Power of Evil Choices in Bloom Filters
This work constructs adversary models for Bloom filters and illustrates attacks on three applications, namely SCRAPY web spider, BITLY DABLOOMS spam filter and SQUID cache proxy and proposes several other countermeasures to mitigate the attacks.
Rampart: Protecting Web Applications from CPU-Exhaustion Denial-of-Service Attacks
It is demonstrated that it protects two of the most popular web applications, WordPress and Drupal, from real-world and synthetic CPU-exhaustion DoS attacks, and it is shown that RAMPART preserves web server performance with low false positive rate and low false negative rate.


Using Client Puzzles to Protect TLS
Measurements of CPU load and latency when the modified library is used to protect a secure webserver show that client puzzles are a viable method for protecting SSL servers from SSL based denial-of-service attacks.
Universal Classes of Hash Functions
Randomized search trees
A randomized strategy for maintaining balance in dynamically changing search trees that has optimal expected behavior, and generalizes naturally to weighted trees, where the expected time bounds for accesses and updates again match the worst-case time bounds of the best deterministic methods.
Defensive programming: using an annotation toolkit to build DoS-resistant software
A toolkit to help improve the robustness of code against DoS attacks by systematically injecting protection mechanisms into the code itself is presented, together with an evaluation of its effectiveness on three widely-deployed network services.
This paper shows how one of these message authentication systems can hash messages at extremely high speed—much more quickly than previous systems at the same security level—using IEEE floating-point arithmetic.
A case for caching file objects inside internetworks
Evidence is presented that several judiciously placed file caches could reduce the volume of FTP traffic by 42%, and hence the volume of all NSFNET backbone traffic by 21%, and that if FTP client and server software automatically compressed data, this savings could increase to 27%.
The BSD Packet Filter: A New Architecture for User-level Packet Capture
The BSD Packet Filter (BPF) uses a new, register-based filter evaluator that is up to 20 times faster than the original design, and uses a straightforward buffering strategy that makes its overall performance up to 100 times better than Sun's NIT running on the same hardware.
Self-adjusting binary search trees
The splay tree, a self-adjusting form of binary search tree, is developed and analyzed and is found to be as efficient as balanced trees when total running time is the measure of interest.
HMAC: Keyed-Hashing for Message Authentication
This document describes HMAC, a mechanism for message authentication using cryptographic hash functions. HMAC can be used with any iterative cryptographic hash function, e.g., MD5, SHA-1, in