Hidden Algorithm Flaws Expose Websites to DoS Attacks

WIRED | 8/8/2019 | Lily Hay Newman

This week, the notorious forum 8chan went down after its infrastructure provider Cloudflare withdrew its services over the forum's radical, violence-promoting content. Cloudflare didn't shut the site down directly, but by removing its protection against distributed denial of service attacks, it could all but guarantee that the forum would crash. But while the classic types of DDoS attack, which overwhelm a site with junk traffic, have persisted and evolved across the web, researchers are warning about a new spinoff: subtle attacks that target not server capacity, but algorithms.

Many websites and services rely on algorithms to transform data inputs into actions and results. But new research detailed at the Black Hat cybersecurity conference Thursday shows how a small, seemingly innocuous input for an algorithm can cause it to do a huge amount of work—slowing a service down or crashing it entirely in the process, all with just a few bytes.

Lily Hay Newman covers information security, digital privacy, and hacking for WIRED.

Nathan Hauke and David Renardy of the security firm Two Six Labs started looking for these "algorithmic complexity" issues in mainstream services, and quickly found them in PDF readers, remote desktop servers, and a popular password strength evaluation tool. And their research showed that with some carefully crafted inputs they could bring all of those services to a halt. Troublingly, these vulnerabilities aren't really software bugs that can be easily patched or fixed. They're fundamental issues in the way algorithms are built and implemented that allow a tiny input to generate major resource drain.

"It's a situation where developers have implemented some algorithm that has unacceptable worst-case performance," says Renardy. "We looked at three different sets of software unrelated to one another—totally different algorithms, totally different situations—and found that they all suffer from a similar type of vulnerability."

PDF readers represent an especially...
(Excerpt) Read more at: WIRED