Home > Research > Publications & Outputs > In the Compression Hornet's Nest:

Associated organisational unit

View graph of relations

In the Compression Hornet's Nest: A Security Study of Data Compression in Network Services

Research output: Contribution to conference - Without ISBN/ISSN Conference paper

Published
  • Giancarlo Pellegrino
  • Davide Balzarotti
  • Stefan Winter
  • Neeraj Suri
Close
Publication date2015
Number of pages16
Original languageEnglish
Event24th USENIX Security Symposium - Austin, United States
Duration: 10/08/201212/08/2012
https://www.usenix.org/conference/usenixsecurity15

Conference

Conference24th USENIX Security Symposium
Abbreviated titleUSENIX Security '15
CountryUnited States
CityAustin
Period10/08/1212/08/12
Internet address

Abstract

In this paper, we investigate the current use of data compression in network services that are at the core of modern web-based applications. While compression reduces network traffic, if not properly implemented it may make an application vulnerable to DoS attacks. Despite the popularity of similar attacks in the past, such as zip bombs or XML bombs, current protocol specifications and design patterns indicate that developers are still mostly unaware of the proper way to handle compressed streams in protocols and web applications. In this paper, we show that denial of services due to improper handling of data compression is a persistent and widespread threat. In our experiments, we review three popular communication protocols and test 19 implementations against highly-compressed protocol messages. Based on the results of our analysis, we list 12 common pitfalls that we observed at the implementation, specification, and configuration levels. Additionally, we discuss a number of previously unknown resource exhaustion vulnerabilities that can be exploited to mount DoS attacks against popular network service implementations.