This is a blog task for CS658, Prof Ian Goldberg.
Story Begins:
"If you use the internet and you serve a TCP-based service that you value the availability for, and then this affects you," Robert E. Lee, chief security officer for Sweden-based Outpost24, said on October 1, 2008. Security experts Robert E. Lee and his colleague Jack Louis, a senior security researcher at Outpost24, believe they have discovered a flaw in a core Internet protocol, the Transmission Control Protocol (TCP), that can be exploited to disrupt just about any device with a broadband connection, a finding that could have profound consequences for the millions of people who depend on websites, mail servers, and network infrastructure. The discovery has led to a new type of DoS (denial of service) attack, dubbed the “self-trashing TCP exploit” according to [1]. The new class of attack is unusually severe because it costs the attacker very little bandwidth (a cable modem suffices) and can leave devices paralyzed even after the flood of malicious data has stopped. Last month, Lee and Louis began notifying makers of operating systems, routers, firewalls, and other TCP-enabled products, with the help of the Computer Emergency Response Team in Finland.
Lee said he and Jack in fact discovered this bug in 2005, but decided to keep it secret while trying to find a solution. If the technical details were disclosed at the wrong time, tens of thousands of network devices could be exploited within minutes: not just products from one or two vendors, but countless routers, PCs, and other machines that accept TCP connection requests from unknown remote hosts. So far, however, there are no workarounds or fixes for the problem, so they decided to go public in the hope that a fresh infusion of ideas will finally get it fixed.
However, they refuse to release technical details before their talk at the T2 security conference in Finland on October 17 (several days from now). “The best advice I have right now is don’t allow anonymous connections. Utilize white list so only certain IP addresses can come in,” Lee said, acknowledging the impracticality of that for a Web server, mail server, or virtually any other TCP-enabled device. “There’s no real workaround right now.”
The Truth:
Deducing from several of Lee’s interviews, the problem may lie in how Web servers and other machines handle the three-way TCP handshake (SYN, SYN-ACK, ACK) at the beginning of a new connection. Louis discovered the issue by chance while doing large-scale penetration tests that required scanning tens of thousands of IP addresses. For this work, Louis wrote a tool called Unicornscan [7], a distributed TCP/IP stack that can be used for TCP scanning. It was while reviewing packet dumps from scans with the tool that Louis noticed some anomalies. "We noticed that certain systems would start resending certain packet responses continuously until they were rebooted," Lee said. "That was the light bulb going off.”
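The anomaly Louis noticed in his packet dumps, a host that keeps resending the same response, is something a defender can look for in their own captures. The following is an added example, not code from the post or from Unicornscan: it parses capture lines in a simplified, constructed tcpdump-like format and flags any packet that is repeated many times over a long span, which ordinary retransmission back-off never produces. The thresholds, the line format and the sample traffic are all assumptions.

```python
"""Spotting hosts that keep resending the same TCP response.

Added example, not code from the post or from Unicornscan. The capture
lines below are constructed in a simplified tcpdump-like format; the
thresholds are assumptions a defender would tune to their own traffic.
"""
import re
from collections import defaultdict

# One line per packet: time, 4-tuple, TCP flags, seq and ack numbers.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d(?:\.\d+)?) IP "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]+)\], seq (?P<seq>\d+), ack (?P<ack>\d+)$"
)


def _seconds(ts):
    """Convert HH:MM:SS.ffffff into seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_line(line):
    """Return (time, key) where key identifies one exact packet, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    key = (m["src"], m["sport"], m["dst"], m["dport"],
           m["flags"], m["seq"], m["ack"])
    return _seconds(m["ts"]), key


def find_retransmission_storms(lines, min_repeats=5, min_span=10.0):
    """Flag packets repeated at least min_repeats times over min_span seconds.

    A normal TCP stack retransmits a SYN-ACK a handful of times with growing
    back-off and then gives up. An identical response that keeps arriving for
    tens of seconds is the kind of anomaly worth alerting on.
    Returns a list of (source host, flags, repeat count, span in seconds).
    """
    seen = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            t, key = parsed
            seen[key].append(t)
    storms = []
    for key, times in seen.items():
        span = max(times) - min(times)
        if len(times) >= min_repeats and span >= min_span:
            storms.append((key[0], key[4], len(times), span))
    return storms


# Constructed sample capture (not real traffic).
CAPTURE = [
    # 10.0.0.5 answers the same SYN-ACK every 5 s for 35 s: the anomaly
    f"12:00:{5 * i:02d}.000 IP 10.0.0.5.80 > 192.0.2.9.40001: "
    f"Flags [S.], seq 7000, ack 101"
    for i in range(8)
] + [
    # 10.0.0.6 does ordinary retransmission back-off and then stops
    "12:00:00.500 IP 10.0.0.6.80 > 192.0.2.9.40002: Flags [S.], seq 8000, ack 201",
    "12:00:01.500 IP 10.0.0.6.80 > 192.0.2.9.40002: Flags [S.], seq 8000, ack 201",
    "12:00:03.500 IP 10.0.0.6.80 > 192.0.2.9.40002: Flags [S.], seq 8000, ack 201",
    # an unrelated handshake that completes normally
    "12:00:02.000 IP 192.0.2.9.40003 > 10.0.0.6.80: Flags [S], seq 300, ack 0",
    "12:00:02.010 IP 10.0.0.6.80 > 192.0.2.9.40003: Flags [S.], seq 9000, ack 301",
    "12:00:02.020 IP 192.0.2.9.40003 > 10.0.0.6.80: Flags [.], seq 301, ack 9001",
    "garbage line that the parser skips",
]

if __name__ == "__main__":
    for host, flags, count, span in find_retransmission_storms(CAPTURE):
        print(f"{host} resent flags [{flags}] {count} times over {span:.0f} s")
```

Only 10.0.0.5 is reported: its three-packet neighbour on 10.0.0.6 stays under both thresholds, which is the point of requiring a long span as well as a high count. In practice the same logic can be run over the output of a real capture tool once the regular expression is adapted to its line format.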
This nuclear weapon in the network has sent shock waves through the security community as well. Over these two days, Outpost24 has been vague about the details of the vulnerability, to avoid giving attackers information that would enable them to carry out attacks. Meanwhile, articles have appeared on The Register (“DoS attack reveals (yet another) crack in net’s core”), Slashdot (“New Denial-of-Service Attack is a Killer”), Search Security (“TCP is fundamentally borked”), and many more publications, and most of them are inclined to believe the bug is as serious as claimed. On the other side, Fyodor, the author of the Nmap Security Scanner (“Network Mapper”) and a well-known critic, doubts the finding and summed up his attitude toward Robert and Jack as “put up or shut up!” What’s more, he described a similar attack method in his blog [6] and characterized the finding as “a variant or extension of a long-running problem of TCP protocol”.
Is this really a new discovery by Robert and Jack? What does it have to do with SYN cookies and SYN flooding? And how serious will this new DoS attack be? All the answers remain to be seen on Oct. 17.
Background:
The Transmission Control Protocol (TCP) [10] is one of the core protocols of the Internet Protocol Suite. TCP provides a communication service at an intermediate level between an application program and the Internet Protocol (IP). That is, when an application programmer desires to send a large chunk of data across the Internet using IP, instead of breaking the data into IP-sized pieces and issuing a series of IP requests, the programmer can issue a single request to TCP and let TCP handle the IP details. In particular, TCP provides reliable, ordered delivery of a stream of bytes from one program on one computer to another program on another computer. Besides the Web, other common applications of TCP include e-mail and file transfer. Among its management tasks, TCP controls message size, the rate at which messages are exchanged, and network traffic congestion.
To establish a connection, TCP uses a three-way handshake. Before a client attempts to connect with a server, the server must first bind to a port to open it up for connections: this is called a passive open. Once the passive open is established, a client may initiate an active open. To establish a connection, the three-way (or 3-step) handshake occurs:
-The active open is performed by the client sending a SYN to the server.
-In response, the server replies with a SYN-ACK.
-Finally the client sends an ACK back to the server.
![TCP three-way handshake](http://www.raullen.net/wp-content/uploads/2008/10/clip-image0044-thumb.jpg)
This mechanism supports the impressive features of the protocol, but it also introduces a vulnerability called the SYN flood attack, a well-known kind of DoS. By using spoofed IP addresses and repeatedly sending purposely assembled SYN packets, an attacker can cause the server to consume large amounts of resources keeping track of the bogus half-open connections. Proposed solutions to this problem include SYN cookies and cryptographic puzzles.
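To make the handshake steps above and the SYN cookie defence concrete, here is an added example (not code from the post, and not any real operating system's implementation): a server that answers each SYN with a SYN-ACK whose initial sequence number is a SYN cookie, stores nothing per half-open connection, and only checks the final ACK. The bit layout (a 5-bit time counter, a 3-bit MSS index and a 24-bit keyed hash) follows the commonly described scheme; the secret, the MSS table, the 64-second tick and the sample addresses are assumptions made for the illustration.

```python
"""SYN cookies as a stateless defence against SYN flooding.

Added example, not code from the original post. The bit layout (5-bit time
counter, 3-bit MSS index, 24-bit keyed hash) mirrors the commonly described
scheme; the secret, MSS table and clock granularity are assumptions.
"""
import hashlib
import hmac
import struct

SECRET = b"constructed-demo-secret"          # a real stack rotates this
MSS_TABLE = (536, 1220, 1440, 1460, 4312, 8910, 16000, 65495)  # assumption
TICK_SECONDS = 64                             # counter granularity
MAX_AGE_TICKS = 3                             # how old a cookie may be


def _tick(now):
    """Coarse time counter; the cookie carries only its low 5 bits."""
    return int(now) // TICK_SECONDS


def _mss_index(mss):
    """Index of the largest table entry not exceeding the client's MSS."""
    idx = 0
    for i, value in enumerate(MSS_TABLE):
        if value <= mss:
            idx = i
    return idx


def _hash24(src_ip, src_port, dst_ip, dst_port, tick):
    """24-bit keyed hash over the 4-tuple and the time counter."""
    msg = struct.pack("!4s4sHHQ", src_ip, dst_ip, src_port, dst_port, tick)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, mss, now):
    """Server ISN for the SYN-ACK: encodes time, MSS class and a keyed hash.

    Nothing is stored per half-open connection, so a flood of spoofed SYNs
    costs the server only one HMAC per SYN instead of a table entry.
    """
    tick = _tick(now)
    value = ((tick & 0x1F) << 27) | (_mss_index(mss) << 24) \
        | _hash24(src_ip, src_port, dst_ip, dst_port, tick)
    # Bind the cookie to the client's own ISN so the ACK must echo both.
    return (client_isn + value) & 0xFFFFFFFF


def check_cookie(src_ip, src_port, dst_ip, dst_port, seq, ack, now):
    """Validate the final ACK of the handshake.

    seq is the client's sequence number (client_isn + 1) and ack is the
    acknowledgement number (our cookie + 1). Returns the negotiated MSS on
    success, or None if the cookie is forged, expired or for another 4-tuple.
    """
    client_isn = (seq - 1) & 0xFFFFFFFF
    cookie = (ack - 1) & 0xFFFFFFFF
    value = (cookie - client_isn) & 0xFFFFFFFF
    tick_low = value >> 27
    mss_idx = (value >> 24) & 0x7
    tag = (value & 0xFFFFFF).to_bytes(3, "big")
    current = _tick(now)
    # Try each recent tick whose low 5 bits match what the cookie carries.
    for age in range(MAX_AGE_TICKS + 1):
        tick = current - age
        if tick < 0 or (tick & 0x1F) != tick_low:
            continue
        expected = _hash24(src_ip, src_port, dst_ip, dst_port, tick)
        if hmac.compare_digest(tag, expected.to_bytes(3, "big")):
            return MSS_TABLE[mss_idx]
    return None


def demo():
    """Legitimate handshake succeeds; a forged ACK and a stale ACK are rejected."""
    srv, cli = bytes([10, 0, 0, 1]), bytes([192, 0, 2, 7])  # constructed addresses
    t0 = 1_000_000.0
    client_isn = 0x12345678
    # Step 1/2: client SYN arrives, server replies SYN-ACK with cookie as ISN.
    cookie = make_cookie(cli, 40000, srv, 80, client_isn, 1460, t0)
    # Step 3: client ACK echoes SEQ = client_isn + 1, ACK = cookie + 1.
    good = check_cookie(cli, 40000, srv, 80, client_isn + 1, cookie + 1, t0 + 5)
    forged = check_cookie(cli, 40000, srv, 80, client_isn + 1, 0xDEADBEEF, t0 + 5)
    stale = check_cookie(cli, 40000, srv, 80, client_isn + 1, cookie + 1,
                         t0 + TICK_SECONDS * (MAX_AGE_TICKS + 2))
    return good, forged, stale


if __name__ == "__main__":
    print(demo())  # (1460, None, None)
```

The trade-off the example makes visible is why SYN cookies are a fallback rather than a default: only a few MSS classes fit in three bits, and any TCP option the client sent with its SYN is forgotten, because the server kept no state to remember it. The time window also matters, since a cookie that stays valid for too long gives an attacker more room to guess the 24-bit tag.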
References:
1. DoS attack reveals (yet another) crack in net’s core, http://www.theregister.co.uk/2008/10/01/fundamental_net_vuln/
2. New DOS Attack Is a Killer, http://www.darkreading.com/blog.asp?blog_sectionid=403&doc_id=164939&WT.svl=tease2_2
3. New Denial-of-Service Attack Is a Killer, http://it.slashdot.org/article.pl?sid=08/10/01/0127245
4. TCP is fundamentally borked, http://searchsecurity.techtarget.com.au/articles/27154-TCP-is-fundamentally-borked
5. Robert E. Lee’s Blog, http://blog.robertlee.name/
6. Explaining the “New” TCP Resource Exhaustion Denial of Service (DoS) Attack by Fyodor, http://insecure.org/stf/tcp-dos-attack-explained.html
7. Unicornscan Project, http://www.unicornscan.org/
8. A Podcast interview with Brenno de Winter, http://insecure.org/stf/tcpdos/trimmed-bygrc-sockstress.mp3
9. TCP flaws puts Web sites at risk, http://news.cnet.com/8301-1009_3-10056759-83.html?tag=mncol
10. TCP, http://en.wikipedia.org/wiki/TCP