(2015) In the Compression Hornet's Nest: A Security Study of Data Compression in Network Services.
|
Text
compr_usenix15.pdf Download (201kB) | Preview |
Abstract
In this paper, we investigate the current use of data compression in network services that are at the core of modern web-based applications. While compression reduces network traffic, if not properly implemented it may make an application vulnerable to DoS attacks. Despite the popularity of similar attacks in the past, such as zip bombs or XML bombs, current protocol specifications and design patterns indicate that developers are still mostly unaware of the proper way to handle compressed streams in protocols and web applications. In this paper, we show that denial of services due to improper handling of data compression is a persistent and widespread threat. In our experiments, we review three popular communication protocols and test 19 implementations against highly-compressed protocol messages. Based on the results of our analysis, we list 12 common pitfalls that we observed at the implementation, specification, and configuration levels. Additionally, we discuss a number of previously unknown resource exhaustion vulnerabilities that can be exploited to mount DoS attacks against popular network service implementations.
| Item Type: | Conference or Workshop Item (A Paper) (Paper) |
|---|---|
| Additional Information: | pub_id: 1019 Bibtex: 190996 URL date: None |
| Uncontrolled Keywords: | dos,network services,web security |
| Divisions: | Christian Rossow (System Security Group, SysSec) |
| Conference: | USENIX-Security Usenix Security Symposium |
| Depositing User: | Sebastian Weisgerber |
| Date Deposited: | 26 Jul 2017 10:30 |
| Last Modified: | 18 Jul 2019 12:12 |
| Primary Research Area: | NRA5: Empirical & Behavioral Security |
| URI: | https://publications.cispa.saarland/id/eprint/506 |
Actions
Actions (login required)
 |
View Item |