Sunday, January 1, 2012

Major design flaw found in most web platforms, leading to DoS

Two researchers from Germany gave a presentation two days ago at the 28c3 conference in Berlin on efficient Denial-of-Service attacks against web application platforms.
The attack exploits a design flaw common to most web platforms, including PHP, .NET and Java, among others, and the resulting DoS is easy to carry out.
On the technical side, they target the way these platforms parse POST data: the form parameters are stored in a hash table whose hash function is deterministic and unseeded, so an attacker can precompute a large set of distinct parameter names that all hash to the same bucket. Every insert then has to walk the whole collision chain, which turns parsing a single request into quadratic work (roughly n²/2 key comparisons for n parameters), so one request of a few hundred kilobytes can tie up a CPU core for tens of seconds or more.
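To make the mechanism concrete, here is an added example of my own; it is not code from the talk or its advisory. It uses a deterministic string hash of the form h = 31*h + c (the shape of Java's String.hashCode, truncated to 32 bits), a toy separate-chaining table that counts key comparisons in place of a real framework's parameter store, a constructed attack body, and a constructed per-process secret for the keyed-hash mitigation. It shows both fixes vendors have reached for: a keyed (randomized) hash, and a cap on the number of parameters per request.

```python
"""Added example: how a deterministic hash degrades a POST-parameter table,
and what the two common mitigations do. Not code from the talk or advisory."""
import hashlib
from urllib.parse import parse_qsl


def java_string_hash(s: str) -> int:
    """Deterministic, unseeded hash h = 31*h + c kept to 32 bits (the shape of
    Java's String.hashCode). Same value on every server, so collisions can be
    computed offline."""
    h = 0
    for ch in s:
        h = (31 * h + ord(ch)) & 0xFFFFFFFF
    return h


def keyed_hash(secret: bytes):
    """Mitigation 1: a keyed hash. Without the per-process secret an attacker
    cannot predict which bucket a key lands in. The secret is constructed here."""
    def h(s: str) -> int:
        digest = hashlib.blake2b(s.encode(), key=secret, digest_size=4).digest()
        return int.from_bytes(digest, "big")
    return h


def colliding_keys(n_blocks: int) -> list:
    """Under h = 31*h + c, "Aa" and "BB" collide (65*31+97 == 66*31+66 == 2112).
    Because h(X + Y) == h(X) * 31**len(Y) + h(Y) (mod 2**32), any string built
    from n_blocks such blocks hashes identically to every other: 2**n_blocks
    distinct keys, one bucket."""
    keys = [""]
    for _ in range(n_blocks):
        keys = [k + block for k in keys for block in ("Aa", "BB")]
    return keys


class ChainedTable:
    """Minimal separate-chaining table that counts key comparisons, the work a
    framework really does while inserting parsed parameters."""

    def __init__(self, hash_fn, n_buckets: int = 1024):
        self.hash_fn = hash_fn
        self.buckets = [[] for _ in range(n_buckets)]
        self.comparisons = 0

    def put(self, key: str, value: str) -> None:
        chain = self.buckets[self.hash_fn(key) % len(self.buckets)]
        for i, (k, _) in enumerate(chain):
            self.comparisons += 1  # one comparison per chain entry walked
            if k == key:
                chain[i] = (key, value)
                return
        chain.append((key, value))


def parse_post(body: str, hash_fn, max_params=None) -> ChainedTable:
    """Parse an application/x-www-form-urlencoded body into a table.
    max_params is mitigation 2: refuse oversized requests before hashing."""
    pairs = parse_qsl(body, keep_blank_values=True)
    if max_params is not None and len(pairs) > max_params:
        raise ValueError(f"{len(pairs)} parameters exceed the limit of {max_params}")
    table = ChainedTable(hash_fn)
    for k, v in pairs:
        table.put(k, v)
    return table


def hostile_body(n_blocks: int = 11) -> str:
    """Constructed attack payload: 2**n_blocks distinct names sharing one hash."""
    return "&".join(f"{k}=x" for k in colliding_keys(n_blocks))


def rejected_by_cap(body: str, limit: int) -> bool:
    """True if the parameter cap stops the request before any hashing happens."""
    try:
        parse_post(body, java_string_hash, max_params=limit)
    except ValueError:
        return True
    return False


def compare(n_blocks: int = 11) -> dict:
    """Cost of parsing the same hostile body with and without a keyed hash."""
    body = hostile_body(n_blocks)
    deterministic = parse_post(body, java_string_hash).comparisons
    keyed = parse_post(body, keyed_hash(b"constructed per-process secret")).comparisons
    return {"params": 2 ** n_blocks, "bytes": len(body),
            "deterministic": deterministic, "keyed": keyed}


if __name__ == "__main__":
    r = compare()
    print(f"{r['params']} colliding params in {r['bytes']} bytes: "
          f"{r['deterministic']} comparisons unseeded, {r['keyed']} with a keyed hash")
    print("cap of 1000 rejects the request:", rejected_by_cap(hostile_body(), 1000))
```

With the unseeded hash every key lands in the same chain, so inserting the i-th key costs i comparisons and the total is n(n-1)/2; with the keyed hash the same body spreads over the buckets and costs a few thousand comparisons. The cap is cheaper still but only bounds the damage per request rather than removing the collision, which is why it counts as a partial fix.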

They have released an advisory with the details of the attack and some numbers worth glancing over.
The video of their presentation can be downloaded here or via torrent.

Ruby was fast to respond, and Microsoft released a partial fix yesterday (a cap on the number of form parameters a request may carry, rather than a randomized hash function). Other vendors are expected to release their patches over the weekend.