Jack Louis and Robert Lee, from Outpost24 (http://www.outpost24.com/), are scheduled to give a talk at the T2'08 Information Security Conference in Finland later this month, giving details on a new and dangerous denial-of-service attack that uses TCP state table manipulation. The attack is unique in that it is cross-platform and requires very little bandwidth to execute.[1] It also has a prolonged impact on the hardware that lasts beyond the denial of service.

As a blogger who attended a recent talk by Louis and Lee wrote, "After this introduction it was time for them to show their application Sockstress. Unfortunately they couldn’t disclose any technical details about it but they ran two demos and it was quite amazing. Exploiting a vulnerability they showed us how they brought down port 80 on a web server (or actually the presentation laptop) in a matter of seconds. A typical Denial of Service attack. The next demo was even better. They started playing music on the very same laptop and then started Sockstress. After about two minutes the music wouldn’t play the way it was supposed to. It was slowed down, the CPU was at 100% etc. They then stopped sockstress but the machine never came back. It kept misbehaving even though the attack was over. What was really interesting was that both these attacks only sent 4 packages each second to the server machine. That’s nothing and could be done on a 56k modem. Scary but cool."[2]

Louis and Lee have contacted vendors regarding the various bugs they have found that allow for this exploit, but are not releasing technical details at this time because there are currently no short-term fixes.[3] Concern has been expressed in the security community that the talks given thus far may alone be enough of a recipe for a low-level hacker to easily replicate the attack.
[1] "Jack C. Louis and Robert E. Lee to talk about New DoS Attack Vectors", T2'08 Conference, August 27, 2008
[2] "Sec-T, Day 1", Norden Felt, September 12, 2008, http://blog.nordenfelt.com
[3] "Snake Bytes: New DOS Attack is a Killer", RSnake, darkREADING, September 30, 2008, http://www.darkreading.com/blog.asp?blog_sectionid=403&doc_id=164939&WT.svl=tease2_2
Comments
Vendors work on patch for socketstress vulnerability
http://slashdot.org/firehose.pl?op=view&id=1228819
"Internet infrastructure vendors are working on patches for a set of security flaws that could help hackers knock servers offline with very little effort. The security community has been buzzing about the bugs since Tuesday, when security researcher Robert Hansen discussed the problem on his blog (http://www.darkreading.com/blog.asp?blog_sectionid=403&doc_id=164939&WT.svl=tease2_2). Technical details on the vulnerabilities have not been released, but the security experts who discovered the problem, Robert Lee and Jack Louis of security vendor Outpost24, say that they can knock Windows, Linux, embedded systems and even firewalls offline with what's known as a denial of service attack. The flaws lie in the TCP/IP software used by these systems to send data over the Internet."
http://www.networkworld.com/news/2008/100308-vendors-fixing-bug-that-could.html?hpg1=bn
Jerry Sheehan Manager for Government Program Development @ Calit2/UCSD phone: 858.336.2622 yahoo: calit2s skype: zenchaos twitter: www.twitter.com/zenchaos