SockStress

A serious TCP/IP Vulnerability known as “SockStress” has been found, exploited, and information released by a Security group called Outpost24. The SockStress TCP/IP Vulnerability has had wide implications for server and website owners.

This latest vulnerability not only has severe implications for many web masters, designers and programmers, but also affects routing servers and any system with TCP stack processes exposed to the outside world.

After the latest DNS poisoning vulnerability, webmasters seem on edge about how insecure the very foundations of the internet are (mainly due to being created before security was even thought of).

Sockstress is the name of the tool created by Outpost24, which they are still testing before releasing it. They have, however, walked through how the attack could be achieved in great detail. Some security experts have showed concern over how they handled the information released.

The sockstress attack seems to be limited to the TCP stack, but mixes several techniques to allow a very low-bandwidth hacker to deplete local resources (memory, swap file and even kernel file abuse). Just a few packets a second and a little amount of time are needed to take down a server. As little as nine packets and a few minutes are all that is suggested to be needed!

Lack of timing of the TCP/IP stack and, more specifically, kernel’s response seems to be the most deciding factor. A “Badly designed TCP stack” is referred to and after the 3-way handshake (syn cookie verification and acknowledgment) has completed, resources can be exploited!…
“The worst thing we ever had happen, was, we had Windows reboot and say ‘Operating system not found’”

In theory, a syn cookie validation process could be cycled. Sending for verification and acknowledgment, then a “no buffer space” response could be sent from the attackers end. This would force the target to allocate more resources to the attackers cycled process, with severe consequences.
Please bear in mind that this is not a syn packet attack attack! (the magic happens after the syn ack)

This can result in a denial of service (Dos) by TCP servers (www, ftp, tftp, smtp, pop, etc.) running on Windows, Linux, BSD, certain routing servers, and other Internet applications and protocols!

An excerpt from Outpost24’s website, claims:

Outpost24’s Senior Security Researcher, Jack C. Louis has discovered a generic issue that affects the availability of TCP services. This issue could be used to create a Denial of Service attack. Vendors have been notified. Details are not available to the public at this point, but will be disclosed at an appropriate future date.

You can read more about the Sock stress talks here:
T2 Schedule or T2’s 08 Conference.

I want to know if there is anyone who can write a program that performs the operation described in this audio podcast.
debeveiligingsupdate.nl/audio/bevupd_0003.mp3 (dead link)
Please note, that the English portion of the audio starts about 4 minutes into the segment.

Get A Freelancer has a project asking for the tools creation. How long until someone makes it public?

SockStress Podcast Downloads

You can listen to the security podcast in various formats. The Sockstress MP3 files are listed below:

The wonderful guys at GRC (proud Twit army addict myself) have have hosted the interview, just in case the original goes down.
Thanks Steve!
Entire Interview (No longer available)
44 min, 10 sec - 128 kbps - 41.1 MB
Entire Interview
44 min, 10 sec - 16 kbps - 5.3 MB
Trimmed Interview
38 min, 59 sec - 64 kbps - 18.7 MB
Trimmed Interview
38 min, 59 sec - 16 kbps - 4.7 MB

A full transcript is available from CurbRisk.com :
Outpost24’s TCP - Denial Of Service vulnerability interview transcript (No longer available) - See Sockstress - Wikipedia

At time of posting, there is currently no known work around or fix for this issue. The authors seem to be white hat and want to help vendors resolve the issues. But, like the rest of us, know the internet has a long way to go before being secure.

Sockstress has now also been entered into the NIST CVE database. The list of affected platforms is staggering!

It is widely accepted that “the community” prefers to find workarounds for the flawed foundations of the internet and associated protocols. But would it not be better if, knowing as much about security as we do now, the internet was written from the ground up?

Yes, it is impossible. But I think it would be the only way to make serious, major exploits like this and the recent DNS poisoning exploits avoidable.

Security
Share this Story:
  • facebook
  • twitter
  • gplus

About Adam Davies

General nerd that started playing with web development in 2001.
Before reporting exploits in websites I broke software protection.