This one's in my wheelhouse, but details are sketchy. So far the best simple article is New attacks reveal fundamental problems with TCP by Dennis Fisher. Nick Weaver's Slashdot comment provides the best technical explanation of one of the attack vectors, I think:
The observation: You can use a SYN-cookie like trick on the client side as well for an attacker:
You send SYNs where the initial seq # = H(sip, dip, sport, dport).
Now when you get a SYN/ACK back, you can send the ACK to complete the handshake. You can use the ACK field back from the server to know where you are in what data to send (just subtract the value from the initial sequence # to know what the next piece of data to send is), and you can know where you are in the received data (if necessary) by storing just the server's initial sequence #.
As a result, you can now interact with the server without having to maintain ANY TCP session state, or just a single word (the server's initial seq #), allowing the attacker to use vastly fewer resources to tie up server resources.
On one hand, this is a cool trick, and potentially useful for an attacker: if you have only a couple of machines and really want to tie up server resources, you can use this quite quickly.
But OTOH, attackers already have so many zombie resources that this really doesn't necessarily buy the attacker all that much: If you have 10K machines banging on a server, the 10K machines have a good 2000x more state than the servers. So who cares about stateholding requirements on the zombie side? Thus I think its only really relevant if you wanted to DOS google, akamai, or some similar very-high-resource infrastructure.
And as the attacker can't SPOOF packets with this (it needs to see the SYN/ACK), the zombies can be filtered if the DOS is detected and the attacker's identified as well. (emphasis added)
So that's pretty clever... clever like the original 1996 problem of SYN flooding, which exploited resource limitations on the server. Reference Mike Schiffman's original Phrack article for details and remember 12 years ago we worried about k1dd13z with dial-up modems DOSing NT 4 servers with 7 packets.
With regard to the latest, we should give some credit to BindView RAZOR's Naptha research from 2000, as noted by Jose Nazario. So-called Naptha attacks are any mechanism that forces the victim's TCP/IP stack to consume more resources than the intruder's, thereby eventually forcing the target to submit. Robert Graham's post implied one attack vector acted what sounded to me like a reverse LaBrea implementation. I would like to incorporate this "sockstress" tool into my next TCP/IP Weapons School class.
I guess we can stay tuned to Robert E. Lee's blog. (Funny that a researcher in Sweden is named after the commander of the Confederate Army.)
Anyone who thinks this is again the end of the world should please keep vulnerabilities in perspective. Also, this is about the best vulnerability we could request. If you're vulnerable, and you're attacked, you'll notice. Even the most rudimentary IT shop has availability monitoring in place. To quote Han Solo:
Bring them on! I prefer a straight fight to all this sneaking around.
I'd much rather deal with availability attacks than confidentiality or integrity attacks.
Rabu, 01 Oktober 2008
DoS Me Like It's 1996
17.28
No comments
Langganan:
Posting Komentar (Atom)
0 komentar:
Posting Komentar