In this paper, we investigate the current use of data compression in network services that are at the core of modern web-based applications. While compression reduces network traffic, if not properly implemented it may make an application vulnerable to DoS attacks. Despite the popularity of similar attacks in the past, such as zip bombs or XML bombs, current protocol specifications and design patterns indicate that developers are still mostly unaware of the proper way to handle compressed streams in protocols and web applications. In this paper, we show that denial of services due to improper handling of data compression is a persistent and widespread threat. In our experiments, we review three popular communication protocols and test 19 implementations against highly-compressed protocol messages. Based on the results of our analysis, we list 12 common pitfalls that we observed at the implementation, specification, and con- figuration levels. Additionally, we discuss a number of previously unknown resource exhaustion vulnerabilities that can be exploited to mount DoS attacks against popular network service implementations.
In the compression hornet's nest: A security study of data compression in network services
USENIX 2015, 24th USENIX Security Symposium, August 12-14, 2015, Washington DC, USA
Copyright Usenix. Personal use of this material is permitted. The definitive version of this paper was published in USENIX 2015, 24th USENIX Security Symposium, August 12-14, 2015, Washington DC, USA and is available at :
PERMALINK : https://www.eurecom.fr/publication/4608