Resource links for Security Now! Episode #164:
SockStress
My Great Talk with Jack & Robert
As soon as this week's Security Now! audio files were available, I wrote to Robert E. Lee to let him and Jack know about the content of the podcast. Since I felt that I had been quite harsh toward them over on the topic of their premature over-disclosure of this class of vulnerabilities, I wanted them to learn of my comments directly from me rather than from someone else.
Robert answered my eMail immediately, suggesting that we talk on the phone while in the meantime he and Jack listened to the podcast. After he and Jack had digested what I had said, they re-listened to their own interview since they felt that I had expanded tremendously (too much) upon what little they felt they had said. (Of course, my position was that they had already said way more than they should have.)
Although we immediately took our conversation “off the record”, I can share that they are very unhappy that their little interview has received as much attention as it has, appearing on Slashdot and continuing to pick up steam from there. Consequently, they are also not happy that it came to my attention and became this week's Security Now! topic. They just wanted their work to come to the attention of all of the correct, and none of the incorrect, people. Soon it will be known to everyone.
I like both Robert and Jack a lot, and I believe that they are good guys. I think that they probably underestimated the pool of talent and knowledge that's just sitting around waiting for another Internet protocol mystery to reverse-engineer and unravel now that Dan Kaminsky's DNS spoofing exploit is old news. We'll see what happens. Stay tuned.
As shown in this blog posting, two Swedish security researchers at Outpost24, Jack C. Louis and Robert E. Lee, were recently interviewed by Brenno de Winter for the De Beveiligingsupdate site about their proof-of-concept “SockStress” tool, which evolved from their development and use of their open source Unicorn Scan network scanning tool.
“SockStress” (not publicly released) reportedly uses several new techniques to create a low-bandwidth (as low as ten packets per second) local resource depletion attack resulting in denial of service (DoS) by TCP servers (www, ftp, smtp, pop, etc.) running Windows, Linux, BSD, undisclosed routers, and other Internet appliances.
Although the researchers plan to demonstrate their techniques on October 17th, at the end of the second day of the forthcoming T2'08 conference in Helsinki, Finland, their 44-minute interview on September 30th, 2008 for the De Beveiligingsupdate site (see original and edited audio links below) provided far too much detail — enough so that any informed packetsmith who understands the TCP protocol would be able to easily recreate their attacks. As a consequence, they effectively “went public” with their discovery of these vulnerabilities after informing other vendors only a few weeks beforehand (see rough time line below).
- Outpost24's Press Release
Dated October 2nd, 2008, this is Outpost24's official web site press/news release.
- Robert E. Lee's Blog
Robert is keeping his blog current as events unfold. Therefore, this would be a useful place for keeping an eye on this developing saga.
- The description of their planned T2'08 conference presentation:
From the description:
“This talk will divulge new technical details about Outpost24s (Jack C. Louis) research into TCP state table manipulation vulnerabilities that affect availability. Specifically this talk will showcase new attacks that will render a remote system unavailable using a very low bandwidth attack stream. Attacks against Windows, BSD, Linux, and embedded systems TCP/IP stack implementations will be discussed and demonstrated. In-line devices that keep track of state for multiple systems (read firewalls) tend to feel the effects of the attack even more quickly.”
- On Slashdot
The morning of October 1st, 2008, Slashdot picked up on this from the "darkReading" blog (see next link).
- On darkReading — “New DOS Attack Is a Killer”
This blog posting, dated September 30th, states that:
“The two researchers have already contacted multiple vendors since the beginning of September (I've had a small hand in getting them in contact with one of the vendors). Robert and Jack are waiting with no specific time line to hear back from the affected TCP stack vendors.”
PLEASE NOTE that the “I” in the preceding quote is not me (Steve Gibson); it is the interviewer who wrote that quote.
. . . So Robert and Jack waited, what, four weeks (?!!) before, on September 30th, blabbing during the interview about what they had discovered . . . after which Slashdot picked up on it from the darkReading blog and the entire world started buzzing about it.
- Fyodor's 2-cents worth:
The ever snide Fyodor, of Nmap Security Scanner fame, chimes in with his take on what Robert and Jack have disclosed so far. Note that, in response to this, Robert has posted the following to his blog:
“In regards to Fyodor's article: There are some really valid points made; While his article does describe some of how SockStress works and why it is efficient, it does not describe our attacks. Jack would like to stress that turning off server side SYN-Cookie protection will not help and will only make you open to SYN flood attacks again (as stated in Fyodor's article). Also, scenarios that lead to systems being resource starved to the point of requiring a reboot is very attack and target specific. It is not as universal as causing a specific service to become unavailable. We have made this clear in all public communications, but it is worth saying again.”
- CERT-FI (CERT in Finland) now has a page:
CERT is the acronym for Computer Emergency Response Team. In their page's statement they indicate that “CERT-FI is co-ordinating the work regarding this vulnerability with relevant vendors and its discoverers. Work on determining the scope and impact of the vulnerability is currently ongoing, and will be followed a coordinated process of patching and publication.”
- Ars Technica's Joel Hruska offers a solid appraisal
This is the most sane and calm write-up I've seen. It neither understates nor overstates the probable situation.
- From: blog.nordenfelt.com on Sept 12, 2008:
Regarding a demo by Robert and Jack:
“They started out by talking a bit about the TCP/IP protocol. Basically the good old stuff you learned in school but a nice re-cap of what has been and what still is. After this introduction it was time for them to show their application Sockstress. Unfortunately they couldn't disclose any technical details about it but they ran two demos and it was quite amazing.
Exploiting a vulnerability they showed us how they brought down port 80 on a web server (or actually the presentation laptop) in a matter of seconds. A typical Denial of Service attack. The next demo was even better. They started playing music on the very same laptop and then started Sockstress. After about two minutes the music wouldn't play the way it was supposed to. It was slowed down, the CPU was at 100% etc. They then stopped sockstress but the machine never came back. It kept misbehaving even though the attack was over. What was really interesting was that both these attacks only sent 4 packages each second to the server machine. That's nothing and could be done on a 56k modem. Scary but cool”
- Quoting Robert E. Lee in this CNET News story:
[Robert E.] “Lee said he doesn't plan to have a big, public disclosure press conference like Dan Kaminsky did with the DNS flaw this past summer. "We plan to work with vendors to ensure they understand the issues fully and have adequate solutions in place before publicly sharing details on the issues. Since there are multiple issues, we may be able to share information on individual issues as they are individually addressed."
Asked whether someone else could figure this out before the patches are out, Lee said "even though I think Jack Louis is exceptionally brilliant, Outpost24 doesn't have a monopoly on bug-finding abilities. It is a matter of time before someone else independently figures it out." ”
- Outpost24's Sec-T presentation PowerPoint slides:
This is the submitted Microsoft PowerPoint slide presentation made by Robert and Jack during the September 11th, 2008 Sec-T security conference. It doesn't talk at all about their exploits. It introduces the topic of using client-side SYN cookies (which are really ACK cookies, since they are used for stateless post-connection management).
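To make the stateless-cookie idea concrete, here is an added example (written for this page; it is not Outpost24's tool and not code from the slides) of the classic server-side SYN cookie in the layout D. J. Bernstein published: the server folds a time slot, an MSS index and a keyed hash of the connection 4-tuple into the ISN it sends in the SYN/ACK, keeps no half-open entry, and reconstructs everything from the final ACK. The secret key, MSS table, 32-second slot width, 3-slot expiry and the addresses are assumptions made for the example. The slides' client-side variant applies the same idea from the other end of the handshake. It also shows why Robert's note about SYN cookies above holds: the cookie only spares the server from storing state while the handshake is incomplete; once the ACK validates, the connection is established and consumes ordinary socket resources, which is the phase a post-handshake resource-depletion attack targets.

```python
import hashlib
import hmac

# Constructed key for this example only; a real stack keeps an undisclosed
# secret and rotates it periodically.
SECRET = b"example-only-secret"

# Bernstein-style layout of the 32-bit ISN returned in the SYN/ACK:
#   bits 31..27  5-bit time counter (32-second slots)
#   bits 26..24  3-bit index into the MSS table
#   bits 23..0   24-bit keyed hash of the 4-tuple and the counter
MSS_TABLE = (536, 1300, 1440, 1460)   # assumed table, as in the original scheme
SLOT_SECONDS = 32
MAX_AGE_SLOTS = 3                      # cookies older than ~2 minutes are rejected


def _mac24(src_ip, src_port, dst_ip, dst_port, count):
    """Keyed 24-bit tag binding the cookie to one 4-tuple and one time slot."""
    msg = f"{src_ip}:{src_port}->{dst_ip}:{dst_port}@{count}".encode()
    tag = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(tag[:3], "big")


def _time_slot(now):
    return (int(now) // SLOT_SECONDS) & 0x1F


def make_cookie(src_ip, src_port, dst_ip, dst_port, client_mss, now):
    """Server side, on SYN: encode everything needed to finish the handshake
    into the ISN so that no half-open connection entry has to be stored."""
    count = _time_slot(now)
    mss_idx = 0
    for i, mss in enumerate(MSS_TABLE):   # largest table entry <= client's MSS
        if mss <= client_mss:
            mss_idx = i
    return (count << 27) | (mss_idx << 24) | _mac24(src_ip, src_port, dst_ip, dst_port, count)


def check_cookie(src_ip, src_port, dst_ip, dst_port, ack_num, now):
    """Server side, on the final ACK: recover the cookie (ack - 1), reject stale
    or forged values, and return the negotiated MSS for the established connection."""
    cookie = (ack_num - 1) & 0xFFFFFFFF
    count = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    tag = (cookie & 0xFFFFFF).to_bytes(3, "big")
    age = (_time_slot(now) - count) & 0x1F
    if age > MAX_AGE_SLOTS:
        return None            # expired: old cookies cannot be replayed indefinitely
    expected = _mac24(src_ip, src_port, dst_ip, dst_port, count).to_bytes(3, "big")
    if not hmac.compare_digest(tag, expected):
        return None            # forged, or a different 4-tuple than the one the cookie was issued for
    return MSS_TABLE[mss_idx]  # handshake complete: from here on the socket holds real state


def handshake_demo():
    """Walk through one genuine handshake and two ACKs the server must reject."""
    client = ("198.51.100.7", 40000)   # constructed addresses
    server = ("203.0.113.10", 80)
    t0 = 1_000_000.0
    isn = make_cookie(*client, *server, 1460, t0)            # SYN/ACK carries ISN = cookie
    ok = check_cookie(*client, *server, isn + 1, t0 + 5)      # genuine ACK a few seconds later
    wrong_port = check_cookie(client[0], 40001, *server, isn + 1, t0 + 5)
    stale = check_cookie(*client, *server, isn + 1, t0 + 4 * SLOT_SECONDS)
    return ok, wrong_port, stale


if __name__ == "__main__":
    print(handshake_demo())   # (1460, None, None)
```

Running the block prints `(1460, None, None)`: the genuine ACK yields the negotiated MSS, while an ACK from a different source port and an ACK arriving four slots late are both dropped without the server ever having stored anything for them.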
The Audio of Their Interview
http://debeveiligingsupdate.nl/audio/bevupd_0003.mp3 (43.1 MB)
This is the original full audio of the interview. The English portion of the interview begins 5 minutes and 10 seconds into this audio file and continues for the balance of the file's 44 minutes and 11 seconds.
It is an overly large file because it was encoded in stereo, even though the audio content is monophonic. So we have re-encoded the entire original file in mono, reducing its size by half. Also, as shown below, we have trimmed the initial non-English portion and encoded the audio in various smaller formats:
Version | Length | Bit rate | Size
Entire Interview | 44 min, 10 sec | 64 kbps | 21.1 MB
Entire Interview | 44 min, 10 sec | 16 kbps | 5.3 MB
Trimmed Interview | 38 min, 59 sec | 64 kbps | 18.7 MB
Trimmed Interview | 38 min, 59 sec | 16 kbps | 4.7 MB