Home > Research > Publications & Outputs > In the Compression Hornet's Nest:

Research

Associated organisational units

Links

View graph of relations

In the Compression Hornet's Nest: A Security Study of Data Compression in Network Services

Research output: Contribution to conference - Without ISBN/ISSN Conference paperpeer-review

Published

Standard

In the Compression Hornet's Nest: A Security Study of Data Compression in Network Services. / Pellegrino, Giancarlo; Balzarotti, Davide; Winter, Stefan et al.
2015. Paper presented at 24th USENIX Security Symposium, Austin, Texas, United States.

Research output: Contribution to conference - Without ISBN/ISSN Conference paperpeer-review

Harvard

Pellegrino, G, Balzarotti, D, Winter, S & Suri, N 2015, 'In the Compression Hornet's Nest: A Security Study of Data Compression in Network Services', Paper presented at 24th USENIX Security Symposium, Austin, United States, 10/08/12 - 12/08/12. <https://www.usenix.org/conference/usenixsecurity15/technical-sessions/presentation/pellegrino>

APA

Pellegrino, G., Balzarotti, D., Winter, S., & Suri, N. (2015). In the Compression Hornet's Nest: A Security Study of Data Compression in Network Services. Paper presented at 24th USENIX Security Symposium, Austin, Texas, United States. https://www.usenix.org/conference/usenixsecurity15/technical-sessions/presentation/pellegrino

Vancouver

Pellegrino G, Balzarotti D, Winter S, Suri N. In the Compression Hornet's Nest: A Security Study of Data Compression in Network Services. 2015. Paper presented at 24th USENIX Security Symposium, Austin, Texas, United States.

Author

Pellegrino, Giancarlo ; Balzarotti, Davide ; Winter, Stefan et al. / In the Compression Hornet's Nest: A Security Study of Data Compression in Network Services. Paper presented at 24th USENIX Security Symposium, Austin, Texas, United States.16 p.

Bibtex

@conference{06ab0fded3cb48e3a6dd121bd41b37ce,
title = "In the Compression Hornet's Nest:: A Security Study of Data Compression in Network Services",
abstract = "In this paper, we investigate the current use of data compression in network services that are at the core of modern web-based applications. While compression reduces network traffic, if not properly implemented it may make an application vulnerable to DoS attacks. Despite the popularity of similar attacks in the past, such as zip bombs or XML bombs, current protocol specifications and design patterns indicate that developers are still mostly unaware of the proper way to handle compressed streams in protocols and web applications. In this paper, we show that denial of services due to improper handling of data compression is a persistent and widespread threat. In our experiments, we review three popular communication protocols and test 19 implementations against highly-compressed protocol messages. Based on the results of our analysis, we list 12 common pitfalls that we observed at the implementation, specification, and configuration levels. Additionally, we discuss a number of previously unknown resource exhaustion vulnerabilities that can be exploited to mount DoS attacks against popular network service implementations.",
author = "Giancarlo Pellegrino and Davide Balzarotti and Stefan Winter and Neeraj Suri",
year = "2015",
language = "English",
note = "24th USENIX Security Symposium, USENIX Security '15 ; Conference date: 10-08-2012 Through 12-08-2012",
url = "https://www.usenix.org/conference/usenixsecurity15",

}

RIS

TY - CONF

T1 - In the Compression Hornet's Nest:

T2 - 24th USENIX Security Symposium

AU - Pellegrino, Giancarlo

AU - Balzarotti, Davide

AU - Winter, Stefan

AU - Suri, Neeraj

PY - 2015

Y1 - 2015

N2 - In this paper, we investigate the current use of data compression in network services that are at the core of modern web-based applications. While compression reduces network traffic, if not properly implemented it may make an application vulnerable to DoS attacks. Despite the popularity of similar attacks in the past, such as zip bombs or XML bombs, current protocol specifications and design patterns indicate that developers are still mostly unaware of the proper way to handle compressed streams in protocols and web applications. In this paper, we show that denial of services due to improper handling of data compression is a persistent and widespread threat. In our experiments, we review three popular communication protocols and test 19 implementations against highly-compressed protocol messages. Based on the results of our analysis, we list 12 common pitfalls that we observed at the implementation, specification, and configuration levels. Additionally, we discuss a number of previously unknown resource exhaustion vulnerabilities that can be exploited to mount DoS attacks against popular network service implementations.

AB - In this paper, we investigate the current use of data compression in network services that are at the core of modern web-based applications. While compression reduces network traffic, if not properly implemented it may make an application vulnerable to DoS attacks. Despite the popularity of similar attacks in the past, such as zip bombs or XML bombs, current protocol specifications and design patterns indicate that developers are still mostly unaware of the proper way to handle compressed streams in protocols and web applications. In this paper, we show that denial of services due to improper handling of data compression is a persistent and widespread threat. In our experiments, we review three popular communication protocols and test 19 implementations against highly-compressed protocol messages. Based on the results of our analysis, we list 12 common pitfalls that we observed at the implementation, specification, and configuration levels. Additionally, we discuss a number of previously unknown resource exhaustion vulnerabilities that can be exploited to mount DoS attacks against popular network service implementations.

M3 - Conference paper

Y2 - 10 August 2012 through 12 August 2012

ER -