Maintainers, Slowloris/2, Kobold Letters - April 1st - 7th, 2024 - F5 SIRT - This Week in Security


Hello again, Kyle Fox here.     This week we have some shorter bits about things, in which I promise two more future articles, which I think means I am up to three non-TWIS articles in the pipeline.


We have to talk about project maintainers again.

We have all seen that one XKCD comic about dependency maintainers.   The xz situation has resurfaced a common plea from Open Source maintainers:  We need funds and help.    I don't have any real deep commentary here, just a plea that companies heavily dependent on Open Source projects should consider giving back to the community by retaining internal SMEs who can help projects resolve issues by submitting bug fixes, contribute to those projects financially, and possibly consider hiring internal people to work on the major features they want out of these projects.    Platforms like GitHub may be able to help by moderating discussions to keep project maintainers from being abused by users.    And the community should work better at being a positive force for change.


And the same goes for conferences, some of us spend lots of time working on all the little details so you can go to DEF CON, have parties to go to, things to hack and places to hack them in.    Its easy to look at something like DEF CON and think that its just another industry conference and everyone is being paid to be there, but very few people are paid to be there.    I will further discuss this soon in a post about the current DEF CON situation and venues.


Is the HTTP/2 CONTINUATION Attack Just Slowloris/2?

On April 3rd the industry got wind of a new attack on HTTP/2, this time you could consume resources by sending a steady stream of CONTINUATION frames, leaving the connection open and consuming resources.    This came on the tail end of the HTTP/2 Rapid Reset attack, which consumed resources in an orthogonal way.   If this attack sounds familiar, its because it is almost the same attack for HTTP/2 as the Slowloris attack was for HTTP/1.1.   You could also compare it to the Slow POST attack as well.


How Slowloris worked, for those who may have forgotten since 2009, is the attacker will send a HTTP/1.1 request to a webserver and then slowly send one header at a time, holding the connection open for a very long time with limited traffic.   On susceptible webservers they would only need to send headers fast enough to keep the TCP connection from timing out, since the webserver does not have a timeout for the header stage of the request.    The Slow POST attack is similar, but slowly sending chunks of POST data rather than headers, relying on the webserver not timing out on those.


BIG-IP mitigated Slowloris by its normal behavior of buffering all the headers before forwarding a request to the backend servers.   A limit on the number and/or size of headers allows further refinement of this mitigation.    When mitigated, these attacks only generate at most an open connection on the backend with no request.     This same behavior mitigated the HTTP/2 Rapid Reset attack and now mitigates the HTTP/2 CONTINUATION attack.


As we can see from this, old attacks can become new ones when a new or significantly revised protocol comes along.   This is why when working on new features F5 performs Threat Modelling Assessments to categorize possible new variations of old attacks or completely new attacks that may apply to a new feature, protocol or service and build in protections against those attacks.


Display: none Strikes Again, Now in Email.

A recent post over at Lutra Security called Kobold Letters has resurfaced an old trick with CSS, but this time in email.  The basic TL;DR of this trick is using display: none attached to CSS in an email to hide text in the email until its forwarded or replied to.  Email clients often will convert an email to plain text or try to convert the HTML and CSS slightly.   This results in the ability to put blocks of text in divs or other selectable blocks that can be styled in CSS to hide them or otherwise change their display and appearance when they are forwarded or replied to.


I don't know if this really changes much in the spear-phishing risk area, at this point organizations should have considerable controls in places to make sure that fund transfers are only acted on with clear verified approval and that the destinations of fund transfers are vetted and verified, not copied from some email and sent without checking.    Fortunately in this case the vendors have been informed and they are working to provide solutions to this attack, so it may not be viable for very long.


Are Bluetooth Discovery Attacks Drying Up?

I don't have much to write here since I have not yet dove into the data that much, but the Bluetooth Discovery attacks that I talked about in December appear to not be as popular as they once were.  I used Wall-of-Flippers at a few conventions in March to collect Flipper and Bluetooth Discovery Spam data, but it appears that not a whole lot of spamming was happening.  Apple and Google Android have been working on mitigating these attacks, Apple having released several iOS updates to patch it.  The lack of impact these days may be driving this trend.     I do intend on bringing the Wall-of-Flippers to more events, and will be doing a bigger writeup on the device, the software and the data collected here on DevCentral in the coming month or two.



Updated Apr 22, 2024
Version 2.0

Was this article helpful?

No CommentsBe the first to comment