Dailydave mailing list archives

Algorithmic Bugs
From: Dave Aitel <dave () immunityinc com>
Date: Wed, 10 Jan 2007 12:37:11 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Best paper at a conference I went to recently here in Miami Beach.


http://www.cs.wisc.edu/~smithr/pubs/acsac2006.pdf

Summary:
You can send a remarkably small stream of data at a NIDS and cause it
to go to 100% CPU and stop doing analysis if you send the RIGHT stream
of data. This is basically undetectable (i.e. does not crash snort).
Was fixed in Snort 2.6.1 (I believe). Some snort rules have a 1
million to 1 expansion if you do it right (from what I read - I
haven't tested this out yet - but it would make a great CANVAS module!)

The presentation is clearer than the paper. I hope they put it online.

Similar bugs exist in major commercial Python exploitation frameworks
(i.e. you can tartrap CANVAS if you do it right). The more high level
the language, the easier it is to get caught by something like this.

- -dave
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFFpSRFB8JNm+PA+iURAg/UAKDa+8OfY4AKO5lZnpvmoO9QqnQ5BQCghwWK
VCbaxHVE4JImfXyaKqyVsN4=
=6bSm
-----END PGP SIGNATURE-----

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
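The expansion Dave describes comes from a matcher that backtracks over every candidate occurrence of each content in a multi-content rule and re-does the same work for every path that reaches the same state. The toy below is an added illustration, not code from the paper, from Snort, or from the post: it models a rule as an ordered list of (pattern, distance, within) triples loosely modelled on Snort's content modifiers, implements the exhaustive backtracking search, and then the same search with memoization of (content index, start offset) states, which bounds the work to a linear number of states per rule. The `worst_case_rule` helper and the all-`a` payload are constructed inputs; the evaluation counts show the combinatorial growth and the bounded growth side by side.

```python
from functools import lru_cache

# Toy model of a multi-content NIDS rule (constructed for illustration; not
# Snort's real rule engine). A rule is an ordered list of
# (pattern, distance, within) triples: each pattern must start at least
# `distance` bytes after the end of the previous match and no later than
# `distance + within` bytes after it. The first entry is measured from offset 0.
Rule = list[tuple[bytes, int, int]]


def _candidates(payload: bytes, pattern: bytes, start: int, within: int):
    """Yield every offset in [start, start + within] at which pattern occurs."""
    limit = start + within
    pos = payload.find(pattern, start)
    while pos != -1 and pos <= limit:
        yield pos
        pos = payload.find(pattern, pos + 1)


def match_backtracking(payload: bytes, rule: Rule) -> tuple[bool, int]:
    """Exhaustive backtracking matcher.

    Returns (matched, evaluations), where evaluations counts how many times
    the recursive step ran. The same (content index, start offset) state is
    re-evaluated every time a different path reaches it, which is what lets
    a short, repetitive payload blow the work up combinatorially.
    """
    evals = 0

    def rec(i: int, start: int) -> bool:
        nonlocal evals
        evals += 1
        if i == len(rule):
            return True  # every content matched in order
        pattern, distance, within = rule[i]
        for pos in _candidates(payload, pattern, start + distance, within):
            if rec(i + 1, pos + len(pattern)):
                return True
        return False  # no occurrence of rule[i] leads to a full match

    return rec(0, 0), evals


def match_memoized(payload: bytes, rule: Rule) -> tuple[bool, int]:
    """Same search, but each (content index, start offset) state is evaluated
    once. Work is bounded by len(rule) * (len(payload) + 1) states, so the
    matcher degrades linearly in payload size instead of combinatorially."""
    evals = 0

    @lru_cache(maxsize=None)
    def rec(i: int, start: int) -> bool:
        nonlocal evals
        evals += 1
        if i == len(rule):
            return True
        pattern, distance, within = rule[i]
        for pos in _candidates(payload, pattern, start + distance, within):
            if rec(i + 1, pos + len(pattern)):
                return True
        return False

    return rec(0, 0), evals


def worst_case_rule(n: int) -> Rule:
    """Constructed rule: three 'a' contents anywhere in the payload, followed by
    a 'b' that a payload of only 'a's can never satisfy."""
    return [(b"a", 0, n)] * 3 + [(b"b", 0, n)]


if __name__ == "__main__":
    for n in (10, 20, 30, 40):
        payload = b"a" * n  # constructed pathological input
        _, naive = match_backtracking(payload, worst_case_rule(n))
        _, memo = match_memoized(payload, worst_case_rule(n))
        print(f"{n:3d} bytes: backtracking={naive:6d} memoized={memo:4d}")
```

With four contents the backtracking count grows as roughly n^3 over 30 bytes of input (4526 evaluations) while the memoized matcher stays at 88 evaluations, the number of distinct states it can reach. The detection-side takeaway is that a rule engine whose per-packet work is not bounded by a function of payload length times rule length is a resource the sender controls; the memoized form restores that bound without changing which payloads match.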