I cannot figure out how a random, small sleep delay can be a solution to prevent an attacker from probing our site.

This is his code snippet:

<%@ Page Language="C#" AutoEventWireup="true" %>
<%@ Import Namespace="System.Security.Cryptography" %>
<%@ Import Namespace="System.Threading" %>

<script runat="server">
void Page_Load() {
  byte[] delay = new byte[1];
  RandomNumberGenerator prng = new RNGCryptoServiceProvider();

  prng.GetBytes(delay);
  Thread.Sleep((int)delay[0]);

  IDisposable disposable = prng as IDisposable;
  if (disposable != null) { disposable.Dispose(); }
}
</script>

<html>
<head runat="server">
<title>Error</title>
</head>
<body>
<div>
    An error occurred while processing your request.
</div>
</body>
</html>
+6  A: 

This is to prevent people constantly triggering your error page and exploiting the recent ASP.NET vulnerability. They need a large number of failures to take advantage of this exploit.

The sleep delay will not 'prevent' access to your page. Think of it as being analogous to brute forcing a password; if you have to wait 5 seconds between guesses instead of 5ms, you will take a little more time to find the pw.

Alex
Why not just set the delay to a reasonable constant value?
xport
Different kinds of errors could potentially be determined depending on the time it takes to receive the error page, so a random delay would confuse this.
davidsleeps
As David said it's more about detecting the type of error from the time it takes to crash/redirect to the YSOD rather than anything to do with increasing the time between retries - because after all you can issue multiple requests in parallel.
blowdart
+4  A: 

In simple terms the vulnerability is about guessing a really long password. (which is the key used to encrypt your session state, amongst other things?)

Imagine you wrote a routine to check a password:

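   // Deliberately naive check: it returns at the first mismatch, so its run time
   // depends on how many leading characters of the guess are correct.
   // 'password' is assumed to be a string field holding the secret.
   bool checkPassword(string userInput)
   {
      for(int index = 0; index < password.Length; index++)
      {
        // A guess shorter than the password counts as a mismatch instead of indexing past its end.
        if(index >= userInput.Length || userInput[index] != password[index]) {
             return false;
        }
      }

      return true;
   }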

This would allow a timing attack on the password algorithm, because you can check a character at a time, because it takes longer the more correct your password is. I.e., imagine the password is 'carrots'.

Calling checkPassword('ca') will take longer than checkPassword('aa'), so you can iterate through a character at a time.

Because somewhere in the ASP.NET stack there is a bad implementation like this, adding a random sleep helps throw out the timing attack... (but it is not perfect I imagine)

For more information see:

http://en.wikipedia.org/wiki/Timing_attack

icedtoast
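
The early-exit comparison from the answer above next to a version that does the same amount of work for every guess, as an added example that is not part of the original answer. The `CompareDemo` class, its method names and the step counter are illustrative assumptions, and the secret is a constructed value.

```csharp
using System;

static class CompareDemo
{
    // Constructed secret, borrowed from the 'carrots' illustration above.
    const string Secret = "carrots";

    // Early-exit comparison in the style of checkPassword. 'steps' counts the
    // character comparisons performed, a deterministic stand-in for elapsed time.
    static bool NaiveEquals(string input, string secret, out int steps)
    {
        steps = 0;
        for (int i = 0; i < secret.Length; i++)
        {
            steps++;
            if (i >= input.Length || input[i] != secret[i]) return false;
        }
        return input.Length == secret.Length;
    }

    // Hardened form: always walks the whole secret and folds every difference
    // into 'diff', so the work done does not depend on where the first mismatch is.
    static bool FixedTimeEquals(string input, string secret, out int steps)
    {
        steps = 0;
        int diff = input.Length ^ secret.Length;   // a length mismatch also fails
        for (int i = 0; i < secret.Length; i++)
        {
            steps++;
            // The bounds test depends only on the caller's own input length, not on the secret.
            char c = i < input.Length ? input[i] : '\0';
            diff |= c ^ secret[i];
        }
        return diff == 0;
    }

    static void Main()
    {
        foreach (string guess in new[] { "aaaaaaa", "caaaaaa", "carraaa", "carrots" })
        {
            int naiveSteps, fixedSteps;
            bool naive = NaiveEquals(guess, Secret, out naiveSteps);
            bool hardened = FixedTimeEquals(guess, Secret, out fixedSteps);
            Console.WriteLine("{0}: naive={1} ({2} steps), fixed-time={3} ({4} steps)",
                guess, naive, naiveSteps, hardened, fixedSteps);
        }
    }
}
```

The naive step count grows with the length of the correct prefix while the fixed-time count stays at the secret's length. On .NET Core 2.1 and later, `CryptographicOperations.FixedTimeEquals` provides this kind of comparison for byte spans.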
A: 

Does the patch solve the problem, or do we need to install the patch and use this trick?

muek
The patch solves it.
blowdart