Slashdot Mirror

← Back to Stories (view on slashdot.org)

Denial of Service via Algorithmic Complexity

Posted by michael on from the advanced-topics dept.

dss902 writes "We (Department of Computer Science, Rice University) present a new class of low-bandwidth denial of service attacks that exploit algorithmic deficiencies in many common applications' data structures... Using bandwidth less than a typical dialup modem, we can bring a dedicated Bro server to its knees; after six minutes of carefully chosen packets, our Bro server was dropping as much as 71% of its traffic and consuming all of its CPU. We show how modern universal hashing techniques can yield performance comparable to commonplace hash functions while being provably secure against these attacks."

3 of 257 comments (clear)

  1. I don't know which is worse... by RedLeg · · Score: 0, Troll
    These dipshits (yes, I said dipshits) publishing a paper like this without taking positive steps to make sure that maintainers of vulnerable packages were aware of the issues and had the chance to implement and publish fixes, and most importantly, get them deployed into the field, prior to publication

    OR

    Some random Slashdot Editor posting links to it, thereby calling the attention of the whole damn world to the fact that this class of vulnerability exists, apparently without fixes.

    Yes, I know, "Security through Obscurity is no Security at All." On the other hand, in a multi-layered security environment (think defense in depth), obscurity, or secrecy IS a valid (albeit thin) layer. This just eliminated that layer.

    Thanks, dipshits, and Slashdot, for making the world a WORSE place.

  2. This is all part of the game in academia by lukme · · Score: 0, Troll

    It is publish or perish at most universities and even most colleges.

    They just found a topic to publish a paper on that extends things a little bit. This paper will then be footnoted by other researchers along with hundreds of other footnotes.

    Very little published is new or even remotely creative - creativity is something that I have found is supressed by academia.

    I suggest that if there are any questions, we as the slashdot community should collectively send them our pertinate questions.

  3. One down for open source? by Bish.dk · · Score: 0, Troll

    Such attacks will mostly be possible when you have access to the source-code of a program, and can look through it to find weak algorithmic parts.

    I guess it's harder to do this on a proprietary system. Perhaps this the "Open source is less secure"-argument that MS has been hoping for?