Sockstress: Difference between revisions

From Wikipedia, the free encyclopedia
Content deleted (older revision) and content added (the revision rendered below), starting at line 4 of the article:

Unchanged context:
In a blog entry<ref>[http://blog.robertlee.name/2008/10/more-detailed-response-to-gordons-post.html Robert E. Lee's response to Fyodor]</ref> they said "We are not putting them [the vendors] under undue pressure to get poorly implemented rushed fixes out."

Content deleted (section "The attack" of the older revision):
==The attack==
The sockstress attack finds a way to compute a [[Syn cookie]] locally, and uses it to complete the [[Transmission_Control_Protocol#Connection_establishment|TCP 3 way handshake]] without needing to locally store connection information. This allows for the attacker to use no resources, while the server will exhaust its resources, leading to a [[Denial of service]] attack.

Plus, the following attack leads to TCP instabilities:
* zero window connection
* TCP small window
* TCP Segment Hole
* TCP REQ FIN pause
* TCP activate reno pressure

Content added (section "About Sockstress" of the newer revision; its text is the "About Sockstress" section of the rendered revision below):
==About Sockstress==

Unchanged context:
==Effects of the Attacks==
Revision as of 02:18, 11 June 2011

Sockstress is a program that is used to attack servers on the Internet and other networks utilizing TCP, including Windows, Mac, Linux, BSD and any router or other internet appliance that accepts TCP / BGP connections.[1] The program does this by attempting to use up the target's resources in order to crash a service or the entire machine, essentially a denial of service attack.

Sockstress was developed as an internal proof-of-concept by the late Jack C. Louis at Outpost24. Louis discovered anomalies while using Unicornscan to test and probe networks for corporate security, which led to the development of Sockstress.[2] The concept was first demonstrated in September 2008.[3][4][5] The researchers had planned on releasing more details at the T2 conference in Finland, where they demonstrated the attacks. They instead chose to continue to work closely with, and give more time to, the vendor and standards communities. In a blog entry[6] they said "We are not putting them [the vendors] under undue pressure to get poorly implemented rushed fixes out."

About Sockstress

Sockstress is a user-land TCP socket stress framework that can complete an arbitrary number of open sockets without incurring the usual overhead of tracking connection state. Once a socket is established, it can send TCP attacks that target specific kernel and system resources such as counters, timers, and memory pools. Some of the attacks described here are considered "well known", but their full effects are less well known, and more attacks remain to be discovered and documented. As researchers document ways of depleting specific resources, attack modules could be added to the sockstress framework.

The sockstress attack tool consists of two main parts: 1) Fantaip: Fantaip is a "Phantom IP" program that answers ARP for IP addresses. To use fantaip, type 'fantaip -i interface CIDR', e.g. 'fantaip -i eth0 192.168.0.128/25'. This ARP/Layer 2 function could optionally be provided by other means, depending on the local network topology. Since sockstress completes TCP sockets in user-land, it is not advisable to use sockstress with an IP address configured for use by the kernel, as the kernel would then RST the sockets.

2) Sockstress: In its most basic use, sockstress simply opens TCP sockets and sends a specified TCP stress test. It can optionally send an application-specific TCP payload (e.g. a 'GET / HTTP/1.0' request). By default, after the attack it ignores subsequent communication on the established socket. It can optionally ACK probes for active sockets. The attacks take advantage of the resources the target exposes after the handshake.

Note that the client-side cookies, heavily discussed in blogs, news and discussion lists, are an implementation detail of sockstress and not strictly necessary for carrying out these attacks.

Effects of the Attacks

Effects of the sockstress attacks are reported to include:

  • A denial of service condition for a specific service. (AV:N/AC:M/Au:N/C:N/I:N/A:P)
  • A denial of service condition for an entire system (AV:N/AC:M/Au:N/C:N/I:N/A:C)
  • Systems that cannot communicate over TCP until reboot
  • System lock ups
  • System reboots

Exploitation Caveats

The attack requires a successful TCP 3-way handshake to fill the victim's connection tables effectively. This limits the attack's effectiveness, as an attacker cannot spoof the client IP address to avoid traceability.

A sockstress-style exploit also needs access to raw sockets on the attacking machine, because the packets must be handled in userspace rather than through the OS's connect() API. Raw sockets are disabled on Windows XP SP2 and above, but device drivers are readily available[7] to restore this facility on Windows. On other platforms with raw sockets, such as *nix, the exploit can be executed as-is, but it requires root (superuser) privileges.

Mitigation

According to the Cisco Response,[8] the current mitigation advice is to allow only trusted sources to access TCP-based services. This mitigation is particularly important for critical infrastructure devices. Red Hat has stated that "Due to upstream's decision not to release updates, Red Hat do not plan to release updates to resolve these issues; however, the effects of these attacks can be reduced." On Linux, using iptables with connection tracking and rate limiting can significantly limit the impact of exploitation.[9]
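The iptables approach from the last sentence, as an added example that is not part of the article or of the Sockstress project: management ports are reachable only from a trusted network (the Cisco advice), while public ports stay open but connection tracking caps concurrent connections per source block and rate-limits new ones (the Red Hat advice). The trusted network 192.0.2.0/24, the ports 22 and 443, the limit values and the availability of the conntrack, connlimit and hashlimit match modules are assumptions.

```shell
#!/bin/sh
# Added example, not from the article or the Sockstress project. Assumed
# values: trusted network 192.0.2.0/24 (documentation range), management
# port 22, public port 443; requires the conntrack, connlimit and hashlimit
# iptables match modules.
TRUSTED_NET="${TRUSTED_NET:-192.0.2.0/24}"
MGMT_PORTS="${MGMT_PORTS:-22}"
PUBLIC_PORTS="${PUBLIC_PORTS:-443}"
# Dry run by default: the commands are printed. Run as root with
# IPTABLES=iptables to apply them.
IPTABLES="${IPTABLES:-echo iptables}"

sockstress_rules() {
    # Packets of flows conntrack already knows are accepted first, so the
    # limits below are evaluated only on connection attempts (SYN segments).
    $IPTABLES -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Management services: trusted sources only, nothing else.
    $IPTABLES -A INPUT -p tcp -m multiport --dports "$MGMT_PORTS" \
        -s "$TRUSTED_NET" -m conntrack --ctstate NEW -j ACCEPT
    $IPTABLES -A INPUT -p tcp -m multiport --dports "$MGMT_PORTS" -j DROP

    # Public services: cap concurrent connections per /24 rather than per
    # address, because fantaip lets one attacking host answer ARP for a
    # whole block of phantom addresses (192.168.0.128/25 in the article),
    # which would defeat a per-address limit.
    $IPTABLES -A INPUT -p tcp -m multiport --dports "$PUBLIC_PORTS" \
        -m connlimit --connlimit-above 64 --connlimit-mask 24 -j DROP
    # Rate-limit new connections per /24 as well: 10 per second, burst 20.
    $IPTABLES -A INPUT -p tcp -m multiport --dports "$PUBLIC_PORTS" \
        -m conntrack --ctstate NEW \
        -m hashlimit --hashlimit-name sockstress --hashlimit-mode srcip \
        --hashlimit-srcmask 24 --hashlimit-above 10/sec \
        --hashlimit-burst 20 -j DROP
    $IPTABLES -A INPUT -p tcp -m multiport --dports "$PUBLIC_PORTS" \
        -m conntrack --ctstate NEW -j ACCEPT
}

sockstress_rules
```

The limits are on SYNs only; connections the attacker already holds in a zero-window state stay counted by conntrack, which is what makes the per-block cap bite once the table fills.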

References