                             .oO Phrack Magazine Oo.

                          Volume Seven, Issue Forty-Nine

                                  File 2 of 16

                                 Phrack Loopback

-----------------------------------------------------------------------------

[The Netly News]

September 30, 1996

     Today, Berkeley Software Design, Inc. is expected to publicly release
a near-perfect solution to the "Denial of Service," or SYN flooding attacks,
that have been plaguing the Net for the past three weeks. The fix, dubbed
the SYN cache, does not replace the need for router filtering, but it is
an easy-to-implement prophylaxis for most attacks.

     "It may even be overkill," says Alexis Rosen, the owner of Public
Access Networks. The attack on his service two weeks ago first catapulted
the hack into public consciousness.

     The SYN attack, originally published by Daemon9 in Phrack, has
affected at least three service providers since it was published last month.
The attack floods an ISP's server with bogus, randomly generated connection
requests. Unable to bear the pressure, servers grind to a halt.

     The new code, which should take just 30 minutes for a service provider
to install, would keep the bogus addresses out of the main queue by saving two
key pieces of information in a separate area of the machine, implementing
communication only when the connection has been verified. Rosen, a master of
techno metaphor, compares it to a customs check. When you seek entrance to a
server, you are asked for two small pieces of identification. The server then
sends a communique back to your machine and establishes that you are a real
person. Once your identity is established, the server grabs the two missing
pieces of identification and puts you into the queue for a connection. If
valid identification is not established, you never reach the queue and the
two small pieces of identification are flushed from the system.

     The entire process takes microseconds to complete and uses just a few
bytes of memory. "Right now one of these guys could be on the end of a 300-baud
modem and shut you down," says Doug Urner, a spokesman for BSDI. "With these
fixes, they just won't matter." Still, Urner stresses that the solution does
not reduce the need for service providers to filter IP addresses at the router.

     Indeed, if an attacker were using a T1 to send thousands of requests per
second, even the BSDI solution would be taxed. For that reason, the developers
put in an added layer of protection to their code that would randomly drop
connections during an overload. That way at least some valid users would
be able to get through, albeit slowly.

     There have been a number of proposed solutions based on the random-drop
theory. Even Daemon9 came up with a solution that looks for any common
characteristics in the attack and learns to drop that set of addresses. For
example, most SYN attacks have a tempo -- packets are often sent in
five-millisecond intervals -- when a server senses flooding it looks for these
common characteristics and decides to drop that set of requests. Some valid
users would be dropped in the process, but the server would have effectively
saved itself from a total lockup.

     Phrack editor Daemon9 defends his act of publishing the code for the
attack as a necessary evil. "If I just put out a white paper, no one is
going to look at this, no one is going to fix this hole," he told The
Netly News. "You have to break some eggs, I guess."

     To his credit, Daemon9 actually included measures in his code that made
it difficult for any anklebiting hacker to run. Essential bits of information
required to enable the SYN attack code could be learned only from reading
the entire whitepaper he wrote describing the attack. Also, anyone wanting to
run the hack would have to set up a server in order to generate the IP
addresses. "My line of thinking is that if you know how to set a Linux up
and you're enough in computers, you'll have enough respect not to do this,"
Daemon9 says. He adds, "I did not foresee such a large response to this."

     Daemon9 also warns that there are other, similar protocols that can be
abused and that until there is a new generation of TCP/IP the Net will be open
to abuse. He explained a devastating attack similar to SYN called ICMP Echo
Flood. The attack sends "ping" requests to a remote machine hundreds of times
per second until the machine is flooded.

     "Don't get me wrong," says Daemon9. "I love the Net. It's my bread and
butter, my backyard. But now there are too many people on it with no concern
for security. The CIA and DOJ attacks were waiting to happen. These holes were
pathetically well-known."

--By Noah Robischon

[ Hmm. I thought quotation marks were indicative of verbatim quotes. Not
  in this case... It's funny. You talk to these guys for hours, you *think*
  you've pounded the subject matter into their brains well enough for them to
  *at least* quote you properly... -d9 ]

[ Ok. Loopback was weak this time. We had no mail. We need mail. Send us
  mail! ]
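The article describes the SYN cache only by metaphor: two key pieces of state are held in a small separate area, a peer enters the main queue only after it answers the SYN-ACK correctly, and entries are dropped at random when that area overflows so that some valid users still get through. The simulation below, added here for this reprint and not BSDI's code or anything from the article or from Daemon9, models a plain listen queue beside a SYN-cache listener and runs a constructed flood of never-answering source addresses against both. Queue and cache sizes, the 10.x.x.x and 192.0.2.10 addresses, the sequence numbers and the random-eviction policy are all assumptions chosen to make the behaviour visible; real kernels use timeouts, hashing and other details this model leaves out.

```python
"""Toy model of a listen queue with and without a SYN cache (added example).

A SYN flood works by leaving handshakes half-open so they occupy the
listener's queue. The SYN cache keeps that half-open state in a small
side table (here: the peer's address and the two initial sequence numbers)
and only moves a peer into the main queue once its ACK proves the SYN-ACK
reached a real host at that address.
"""
import random
from dataclasses import dataclass, field

BACKLOG = 128   # slots in the main listen queue (constructed size)
CACHE = 64      # slots in the separate half-open area (constructed size)


@dataclass
class ClassicListener:
    """Pre-fix behaviour: every SYN takes a main-queue slot until it times out."""
    backlog: list = field(default_factory=list)

    def on_syn(self, src):
        if len(self.backlog) >= BACKLOG:
            return False          # queue full: this SYN is dropped, valid or not
        self.backlog.append(src)
        return True


@dataclass
class SynCacheListener:
    """SYN-cache behaviour: half-open state lives in a small table keyed by peer."""
    rng: random.Random
    cache: dict = field(default_factory=dict)   # (ip, port) -> (client_isn, our_isn)
    backlog: list = field(default_factory=list)
    randomly_dropped: int = 0

    def on_syn(self, src, client_isn):
        """Remember only the two sequence numbers; answer with our ISN (the SYN-ACK)."""
        if src not in self.cache and len(self.cache) >= CACHE:
            # Overload: evict a random half-open entry instead of refusing service,
            # so at least some legitimate peers can still complete a handshake.
            victim = self.rng.choice(list(self.cache))
            del self.cache[victim]
            self.randomly_dropped += 1
        our_isn = self.rng.getrandbits(32)
        self.cache[src] = (client_isn, our_isn)
        return our_isn

    def on_ack(self, src, ack_num):
        """Admit the peer to the main queue only if its ACK matches our ISN + 1."""
        entry = self.cache.get(src)
        if entry is None or ack_num != (entry[1] + 1) & 0xFFFFFFFF:
            return False          # unknown peer or wrong number: nothing is flushed by a bogus ACK
        del self.cache[src]       # verified: the half-open state is no longer needed
        if len(self.backlog) >= BACKLOG:
            return False
        self.backlog.append(src)
        return True


def spoofed_sources(n):
    """Constructed flood: n distinct source addresses that will never answer a SYN-ACK."""
    return [("10.%d.%d.%d" % (i >> 16 & 255, i >> 8 & 255, i & 255), 40000 + i)
            for i in range(n)]


def run_flood(n_spoofed=1000, seed=7):
    """Flood both listeners, then let one legitimate client try to connect."""
    rng = random.Random(seed)
    classic = ClassicListener()
    cached = SynCacheListener(rng=rng)
    for src in spoofed_sources(n_spoofed):
        classic.on_syn(src)
        cached.on_syn(src, rng.getrandbits(32))

    client = ("192.0.2.10", 51515)            # constructed legitimate peer
    classic_ok = classic.on_syn(client)       # plain queue is already full
    isn = cached.on_syn(client, 1000)
    bogus_ok = cached.on_ack(client, (isn + 2) & 0xFFFFFFFF)   # wrong ack number
    cached_ok = cached.on_ack(client, (isn + 1) & 0xFFFFFFFF)  # correct ack number
    return {
        "classic_accepts_client": classic_ok,
        "classic_backlog_used": len(classic.backlog),
        "cache_accepts_client": cached_ok,
        "cache_rejects_bogus_ack": not bogus_ok,
        "cache_backlog_used": len(cached.backlog),
        "half_open_entries": len(cached.cache),
        "randomly_dropped": cached.randomly_dropped,
    }


if __name__ == "__main__":
    for key, value in run_flood().items():
        print("%-24s %s" % (key, value))
```

With 1000 spoofed SYNs the plain queue fills at 128 entries and the real client's SYN is refused, while the SYN-cache listener keeps its main queue empty, evicts old half-open entries at random once the 64-slot cache is full, rejects an ACK with the wrong number and admits the client on the correct one. The model says nothing about the attacker's side; it exists to show why the cache is a small, bounded cost and why the article still recommends router filtering for floods fast enough to churn the cache itself.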

----<>----