SockStress – TCP/IP Vulnerability

Oct 09

A serious TCP/IP vulnerability known as "Sockstress" has been found and exploited by the security firm Outpost24, which has released some information about it.

This latest vulnerability not only has severe implications for webmasters, designers and programmers, but also affects routers and any system whose TCP stack is reachable from the outside world.

After the recent DNS cache poisoning vulnerability, webmasters seem on edge about how insecure the very foundations of the internet are (mainly because they were designed before security was even considered).

Sockstress is the name of the tool created by Outpost24, which they are still testing and have not released. They have, however, described in the interview below how the attack works, though without the specifics needed to reproduce it. Some security experts have expressed concern over how they handled the disclosure.

The Sockstress attack is limited to the TCP stack, but combines several techniques to let an attacker with very little bandwidth exhaust the target's local resources (memory, swap, and kernel socket state). Only a few packets per second and a little time are needed to take down a server: as few as nine packets and a few minutes are said to be all that is needed!

The lack of timeouts in the TCP stack, and more specifically in how the kernel handles a connection once it is established, seems to be the deciding factor. The researchers refer to "badly designed TCP stacks": once the three-way handshake (including SYN cookie verification and acknowledgment, where SYN cookies are in use) has completed, the server's resources can be exhausted.
"The worst thing we ever had happen, was, we had Windows reboot and say 'Operating system not found'"

In theory, the attacker can complete handshakes in a loop without keeping any state of its own (the "cycled" SYN cookie process the researchers describe, where the attacker's side is stateless), then tell the target that it has no buffer space, i.e. advertise a zero receive window. The target keeps the connection, and whatever data it has queued for it, alive indefinitely, allocating more resources to each of the attacker's connections, with severe consequences.
Please bear in mind that this is not a SYN flood: the damage happens after the SYN/ACK, once the connection is fully established.
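The hold described above, as an added example that is not Outpost24's tool and not code from the original post: a Python script that runs a server and several clients over loopback. The "attacking" clients complete the handshake and then never read, so their receive window drops to zero and the 1 MiB the server wants to send them sits pinned in kernel buffers; two well-behaved clients are included for contrast. The buffer sizes, payload size and the server-side send timeout are assumptions chosen to make the stall visible within a second, and the attacking side here is an ordinary socket rather than a stateless raw-packet sender, so the script shows the server-side effect, not the attacker's low cost.

```python
"""Zero-window hold over loopback (added example, not Outpost24's code).

A server pushes PAYLOAD to every client. Clients that never read drive their
receive window to zero; the server's write then blocks with its send buffer
full. The settimeout() on the server side is the only reason those threads
are ever freed.
"""
import socket
import threading

PAYLOAD = b"x" * (1 << 20)   # assumption: 1 MiB the server wants to deliver per client
SMALL_BUF = 4096             # assumption: tiny socket buffers so the stall shows quickly
SEND_TIMEOUT = 1.0           # assumption: seconds a blocked write is tolerated


def serve_one(conn, results, lock):
    """Server side of one connection: push PAYLOAD and classify the outcome."""
    conn.setsockopt(socket.SOL_SOCKET, socket.SO_SNDBUF, SMALL_BUF)
    conn.settimeout(SEND_TIMEOUT)
    try:
        conn.sendall(PAYLOAD)
        outcome = "completed"
    except socket.timeout:
        # The peer's advertised window went to zero and stayed there: our send
        # buffer is full of data it will never drain. Without the timeout this
        # thread, and the kernel state behind it, would sit here indefinitely.
        outcome = "stalled"
    except OSError:
        outcome = "error"
    finally:
        conn.close()
    with lock:
        results[outcome] = results.get(outcome, 0) + 1


def drain(sock):
    """A well-behaved client: read until the server closes the connection."""
    try:
        while sock.recv(65536):
            pass
    except OSError:
        pass


def run_demo(n_clients=8, reading_clients=2):
    """Open n_clients connections to a local server; only reading_clients of
    them ever read. Returns a dict of outcome -> count as seen by the server."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", 0))
    listener.listen(n_clients)
    port = listener.getsockname()[1]

    results, lock, workers = {}, threading.Lock(), []

    def accept_loop():
        for _ in range(n_clients):
            conn, _ = listener.accept()
            t = threading.Thread(target=serve_one, args=(conn, results, lock))
            t.start()
            workers.append(t)

    acceptor = threading.Thread(target=accept_loop)
    acceptor.start()

    clients, readers = [], []
    for i in range(n_clients):
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        # A small receive buffer must be set before connect(); it also
        # switches off receive-buffer autotuning on Linux.
        s.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, SMALL_BUF)
        s.connect(("127.0.0.1", port))
        clients.append(s)
        if i < reading_clients:
            r = threading.Thread(target=drain, args=(s,))
            r.start()
            readers.append(r)
        # The remaining clients do nothing after the handshake: no reads and no
        # packets beyond the ACKs their kernel emits for them. That alone pins
        # the server-side connection behind a zero receive window.

    acceptor.join()
    for t in workers:
        t.join()
    for r in readers:
        r.join()
    listener.close()
    for s in clients:
        s.close()
    return results


if __name__ == "__main__":
    print(run_demo())
```

Run it and the stalled count equals the number of non-reading clients while the readers complete normally. Remove the settimeout() and the serving threads block for as long as the stack keeps probing the zero window, which on stacks of the kind the researchers call badly designed is for as long as the peer keeps answering the probes. The timeout reclaims the application's thread and file descriptor; it is a hygiene measure, not a fix for the stack behaviour described above. On a server under this kind of hold, `ss -tn` (or `netstat -tn`) shows ESTABLISHED connections whose Send-Q never drains, many of them from the same peer.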

This can result in a denial of service (DoS) against TCP servers (HTTP, FTP, SMTP, POP, etc.) running on Windows, Linux, BSD, certain routers, and other Internet applications and protocols!

An excerpt from Outpost24's website states:

Outpost24's Senior Security Researcher, Jack C. Louis has discovered a generic issue that affects the availability of TCP services. This issue could be used to create a Denial of Service attack. Vendors have been notified. Details are not available to the public at this point, but will be disclosed at an appropriate future date.

Jack C. Louis, along with Outpost24's Chief Security Officer Robert E. Lee, will be speaking at the T2 conference in Helsinki, Finland on October 16 – 17.

You can read more about the Sockstress talks here:
T2 Schedule or T2's 08 Conference.

Get A Freelancer has a project asking for the tool's creation. The listing reads:

I want to know if there is anyone who can write a program that performs the operation described in this audio podcast.

http://debeveiligingsupdate.nl/audio/bevupd_0003.mp3

Please note that the English portion of the audio starts about 4 minutes into the segment.
This program must be testable prior to paying for it.

How long until someone makes it public?

Podcast Downloads

You can listen to the security podcast in various formats. The Sockstress MP3 files are listed below.

The wonderful guys at GRC (proud TWiT army addict myself) have hosted the interview, just in case the original goes down.
Thanks Steve!

Entire Interview: 44 min, 10 sec, 128 kbps, 41.1 MB
Entire Interview: 44 min, 10 sec, 16 kbps, 5.3 MB
Trimmed Interview: 38 min, 59 sec, 64 kbps, 18.7 MB
Trimmed Interview: 38 min, 59 sec, 16 kbps, 4.7 MB

A full transcript is available from CurbRisk.com:
Outpost24's TCP Denial of Service vulnerability interview transcript

At the time of posting there is no known workaround or fix for this issue. The authors seem to be white hats who want to help vendors resolve the problem, but, like the rest of us, they know the internet has a long way to go before it is secure.

Sockstress has now also been assigned a CVE entry, listed in NIST's National Vulnerability Database. The list of affected platforms is staggering!

It is widely accepted that "the community" prefers to find workarounds for the flawed foundations of the internet and its protocols. But would it not be better if, knowing as much about security as we do now, the internet were redesigned from the ground up?
Yes, it is impossible. But I think it would be the only way to make serious, major exploits like this one and the recent DNS poisoning attacks avoidable.


2 comments

  1. Great post, scary news for anyone hosting a server.

  2. Abe

    It's a little more serious than most people think, as it affects any computer with the TCP stack reachable from the outside world...

    This includes services with a router or any open ports to the outside world! (routers having BGP open for routing tables!)

    All versions of the stack are vulnerable to some degree using slightly different methods. But, according to the Outpost24 team, they are all vulnerable.

    Even load-balanced servers have been used as targets by the team. The server farms behind these servers could, in theory, be flooded.

    This attack is very similar to the first ever DoS attack (SYN flood). But this attack starts after the TCP connection has been established and the SYN cookie is sent and acknowledged.
