Any ideas about Liftweb regarding the "DoS against Web Application Platforms" Talk yesterday on 28c3?


Franz Bettag

Dec 29, 2011, 5:43:13 AM
to Lift
Good Morning,

yesterday I've been following the 28th Chaos Communication Congress and
saw the talk about "DoS against Web Application Platforms". It's
really interesting, since most implementations use non-randomized
hashing functions.

The whole paper can be found here
http://events.ccc.de/congress/2011/Fahrplan/attachments/2007_28C3_Effective_DoS_on_web_application_platforms.pdf

I am not sure if this has to be done on container level (Jetty,
Tomcat) or if this is somehow "fixable" from the Lift perspective
(didn't dig too much into the layer of how Lift interacts with the
container).

thanks in advance!

David Pollak

Dec 29, 2011, 7:17:31 PM
to lif...@googlegroups.com
Interesting.  Please open a ticket referencing this thread and the paper and I'll work on it.


--
Lift, the simply functional web framework: http://liftweb.net
Code: http://github.com/lift
Discussion: http://groups.google.com/group/liftweb
Stuck? Help us help you: https://www.assembla.com/wiki/show/liftweb/Posting_example_code

--
Visi.Pro, Cloud Computing for the Rest of Us http://visi.pro
Lift, the simply functional web framework http://liftweb.net


Franz Bettag

Dec 29, 2011, 9:19:29 PM
to Lift
Strange, I created a ticket but I cannot seem to find it. Hmmm.

On Dec 30, 1:17 am, David Pollak <feeder.of.the.be...@gmail.com>
wrote:
> Interesting.  Please open a ticket referencing this thread and the paper
> and I'll work on it.

Sandeep Shekhar Prasad

Dec 29, 2011, 10:31:54 PM
to lif...@googlegroups.com
Hi Franz,

The ticket's link is: http://www.assembla.com/spaces/liftweb/tickets/1176

Cheers,
Sandeep

Franz Bettag

Dec 30, 2011, 7:25:30 AM
to Lift
thanks ;)


Peter Petersson

Dec 30, 2011, 7:49:49 AM
to lif...@googlegroups.com
Interesting read, it seems like Microsoft is taking this "extraordinarily"
seriously:
http://developers.slashdot.org/story/11/12/29/1352219/microsoft-issuing-unusual-out-of-band-security-update

David Pollak

Dec 30, 2011, 9:44:25 AM
to lif...@googlegroups.com
If anyone has code that will generate hash collisions for java strings, I'd love to have that code to test the fix.

Diego Medina

Dec 30, 2011, 11:26:41 AM
to lif...@googlegroups.com

This may help

https://github.com/koto/blog-kotowicz-net-examples/tree/master/hashcollision

Regards
Diego

Florian Hars

Dec 31, 2011, 9:20:10 AM
to lif...@googlegroups.com
On 30.12.2011 15:44, David Pollak wrote:
> If anyone has code that will generate hash collisions for java strings, I'd love to have that code to test the fix.

Once you have two colliding strings, you can build as many as you
want, see the attached file. The collisions(n) function produces an array
with pow(2,n) colliding strings.

And when trying to make sure that all the generated strings are in
fact different, I first tried to use res.toSet.size, but the mutable
Set is based on a hash table, talk about DoSing yourself...


- Florian.

Collisions.scala
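As an added example (not from the thread, the attachment, or Lift's code), the following Python reimplements java.lang.String.hashCode, reproduces the pow(2,n) construction Florian describes from one colliding pair, and adds the kind of parameter-name check a framework could run to spot such a flood. The seed pair, the thresholds and the function names are my own choices.

```python
# Added example: Java String.hashCode reimplemented in Python, the 2**n
# collision construction from a single colliding pair, and a defensive
# check over parameter names. Thresholds below are illustrative choices.
from itertools import product
from collections import Counter


def java_hash(s: str) -> int:
    """java.lang.String.hashCode: h = 31*h + c over UTF-16 units, wrapped to
    a signed 32-bit int. Assumes BMP-only input (no surrogate pairs)."""
    h = 0
    for c in s:
        h = (31 * h + ord(c)) & 0xFFFFFFFF
    return h - 0x100000000 if h & 0x80000000 else h


# Constructed seed pair: "Aa" and "BB" both hash to 2112 under java_hash.
SEED_A, SEED_B = "Aa", "BB"


def collisions(n: int, a: str = SEED_A, b: str = SEED_B) -> list:
    """Concatenate n seeds chosen from {a, b}. Since
    hash(x + y) == hash(x) * 31**len(y) + hash(y), equal-length seeds with
    equal hashes keep colliding, giving 2**n distinct strings with one hash."""
    assert len(a) == len(b) and java_hash(a) == java_hash(b)
    return ["".join(parts) for parts in product((a, b), repeat=n)]


def hash_bucket_ratio(keys) -> float:
    """Fraction of keys sharing the single most common hashCode value.
    Benign parameter names spread out; a collision flood concentrates."""
    keys = list(keys)
    if not keys:
        return 0.0
    counts = Counter(java_hash(k) for k in keys)
    return max(counts.values()) / len(keys)


def looks_like_collision_flood(keys, max_keys=1000, max_ratio=0.25) -> bool:
    """Check a framework could apply to form/query parameter names before
    inserting them into a HashMap: reject oversized parameter sets, or sets
    (of at least 8 names) dominated by one hashCode value."""
    keys = list(keys)
    if len(keys) > max_keys:
        return True
    return len(keys) >= 8 and hash_bucket_ratio(keys) > max_ratio
```

The self-DoS Florian mentions is avoided here only because Python's set uses Python's own string hash, not java_hash; the same de-duplication in a Java HashSet would degrade to quadratic time on this input.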

David Pollak

Jan 3, 2012, 2:43:40 PM
to lif...@googlegroups.com
Super-cool!

Sören Kress

Jan 3, 2012, 5:09:20 PM
to lif...@googlegroups.com
Just for the record: there is also a discussion on Scala-User: https://groups.google.com/d/topic/scala-user/YlxS0YvdR68/discussion
