Recent TCP vulnerability reports scare the masses, is it time to panic?
by Steve Ragan - Oct 3 2008, 16:10
A new twist on resource exhaustion causes new debate about TCP security.
Jack C. Louis and Robert Lee, researchers for Swedish company Outpost24, have recently opened a can of worms with their disclosure of a vulnerability centered on tests using what they call Sockstress. The vulnerability can trigger a denial of service on any system that uses TCP and listens for remote connections.
The can of worms that the two researchers opened is similar to what Dan Kaminsky experienced when he alerted the world about the DNS flaws. Louis and Lee have discovered a new twist on established methods of attacking TCP to trigger a denial of service.
However, they are giving out just enough information to fuel a massive media circus, as reporters love doom-like stories. Some of the quotes from the two researchers published in press reports seem to make this new bug out as something that signals the end of the Internet, much like the DNS flaw was made out to be.
“While I know and respect these researchers, I've had enough of the recent spate of people announcing (supposedly) massive security vulnerabilities, then refusing to back up their claims with details until a talk weeks or months away. Obviously Dan Kaminsky ignited this recent trend with his DNS flaw,” wrote Gordon “Fyodor” Lyon, creator of the Nmap security tool, and TCP security expert.
“While many of the researchers are earnest and call this ‘responsible disclosure’, it often reeks like a PR campaign. When you tell the press that you've discovered a core Internet protocol flaw so severe that you can't even provide any details for fear that the entire network could come crashing down, they just eat that up and it devolves into a media circus.”
Fyodor went on to explain that, based on the information Lee and Louis have told the public, the TCP vulnerability they describe is similar to something he discovered in 2002.
They have described their attack, which will be presented in full October 17 at the T2 Conference in Helsinki, as a fundamental issue in the way Web servers and other systems deal with three-way TCP handshakes at the start of a new connection.
The flaw allows an attacker on a low-bandwidth connection to exhaust the resources of the target system to the point that it locks up and needs a reboot. During an attack, the system accepts and maintains so many TCP connections that once all the available connections are in use, the system is hosed; in short, the attacker creates TCP connections that will never be closed.
“They describe one mechanism. A TCP stack tries to figure out the maximum speed of your connection, in order to slow down data transmission so that packets won't be dropped. One technique they describe is to behave as if their connection were getting slower and slower to the point that the TCP stack is tricked into believing it will take years to complete the transmission of data. This forces the TCP stack to keep trying for years to send just a few bytes,” said Errata Security’s Robert Graham.
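One way a defender can look for the pattern Graham describes, many completed connections from one peer that then sit with a near-zero advertised window while the server keeps them (and their timers) alive. This is an added example, not code from the article or from Outpost24's Sockstress framework; the connection-table snapshot is constructed and simplified (it is not real `ss` or `netstat` output), and the window, idle and count thresholds are assumptions to tune per host.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed snapshot of a server's TCP connection table (sample data, not
# captured from a real host). Columns: peer address, state, window (bytes)
# the peer last advertised, seconds since the peer last sent data or moved
# its window.
SNAPSHOT = """\
198.51.100.7:40001 ESTAB 0 900
198.51.100.7:40002 ESTAB 0 870
198.51.100.7:40003 ESTAB 1 910
198.51.100.7:40004 ESTAB 0 905
203.0.113.5:51822 ESTAB 65535 3
203.0.113.9:51900 ESTAB 32768 12
192.0.2.44:22000 ESTAB 0 15
"""

@dataclass
class Conn:
    peer_ip: str
    state: str
    peer_window: int
    idle_secs: int

def parse_snapshot(text):
    """Parse the simplified snapshot format above into Conn records."""
    conns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        addr, state, window, idle = line.split()
        ip = addr.rsplit(":", 1)[0]          # drop the peer's port
        conns.append(Conn(ip, state, int(window), int(idle)))
    return conns

def find_stalled_peers(conns, max_window=1, min_idle=300, min_conns=3):
    """Return {peer_ip: count} for peers holding at least min_conns
    established connections that advertise a window of max_window bytes or
    less and have been idle for min_idle seconds or more. A single peer
    pinning many connections near a zero window for minutes is the
    low-bandwidth, long-lived stall that exhausts server state; a briefly
    stalled single connection (192.0.2.44 below) is normal and not flagged.
    Thresholds are assumptions; tune them to the host's normal traffic."""
    stalled = defaultdict(int)
    for c in conns:
        if c.state == "ESTAB" and c.peer_window <= max_window and c.idle_secs >= min_idle:
            stalled[c.peer_ip] += 1
    return {ip: n for ip, n in stalled.items() if n >= min_conns}
```

Feeding it the constructed snapshot flags only 198.51.100.7, which holds four long-idle near-zero-window connections.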
The issue was discovered, according to Robert Lee, after “performing a large scale test trying to complete a 3-way handshake with, and pull down the website content from millions of hosts, certain systems became overly responsive. They kept sending responses to us over and over again until those systems were rebooted.”
To test the issues they discovered, they developed a framework called Sockstress. Sockstress computes and stores SYN cookies (client side only), which allows Lee and Louis to specify the destination IP address and port and complete a TCP handshake without storing per-connection state.
According to some of their testing, the Sockstress framework caused denial-of-service by sucking dry various resources on the server. The attacks bleed dry things like memory, kernel timers, and various applications.
“Jack would like to stress that turning off server side SYN-Cookie protection will not help and will only make you open to syn flood attacks again…Also, scenarios that lead to systems being resource starved to the point of requiring a reboot are very attack and target specific. It is not as universal as causing a specific service to become unavailable,” Lee wrote recently.
Fyodor said that what Robert and Jack have reported thus far is nothing new.
“Perhaps Robert and Jack hadn't seen previous references to this attack, but it is not new. I didn't invent it either. In fact, it is somewhat straightforward for people with a strong background in TCP/IP networking. A thorough description of this exact attack, with proof-of-concept source code, was posted to Bugtraq by Stanislav Shalunov in April 2000. What Robert and Jack have done is bring increased attention to this serious and long-running problem. While I don't consider it a serious threat to the Internet as a whole, I do consider it an important issue which should be fixed.”
Robert Lee responded to Fyodor’s comments, writing, “There are some really valid points made. While his article does describe some of how Sockstress works and why it is efficient, it does not describe our attacks…Also, scenarios that lead to systems being resource starved to the point of requiring a reboot are very attack and target specific. It is not as universal as causing a specific service to become unavailable. We have made this clear in all public communications, but it is worth saying again.”
Much like the Dan Kaminsky discovery, there is little you can do to mitigate this problem. This is because, while the gist of the issue is public, the exact details are being leaked out slowly, and there is too much speculation about the issue. Several mitigations have been suggested, including removing server-side SYN cookies (which Lee says will not help) or blocking anonymous connections.
However, until Lee and Louis explain their testing, the Sockstress tool, and other points, we will have to sit and wait.
Information about their talk is here.