
Sockstress

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by 66.214.93.220 (talk) at 02:24, 11 June 2011. The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

Sockstress is a program that is used to attack servers on the Internet and other networks utilizing TCP, including Windows, Mac, Linux, BSD and any router or other Internet appliance that accepts TCP / BGP connections.[1] The program does this by attempting to use up the target's local resources in order to crash a service or the entire machine, essentially a denial-of-service attack.

Sockstress was developed as an internal proof-of-concept by the late Jack C. Louis at Outpost24. Louis discovered anomalies while using Unicornscan to test and probe networks for corporate security, which led to the development of Sockstress.[2] The concept was first demonstrated in September 2008.[3][4][5] The researchers had planned on releasing more details at the T2 conference in Finland, where they demonstrated the attacks. They instead chose to continue to work closely with, and give more time to, the vendor and standards communities. In a blog entry[6] they said "We are not putting them [the vendors] under undue pressure to get poorly implemented rushed fixes out."

About Sockstress

Sockstress is a user-land TCP socket stress framework that can complete arbitrary numbers of open sockets without incurring the typical overhead of tracking state. Once a socket is established, it is capable of sending TCP attacks that target specific types of kernel and system resources such as counters, timers, and memory pools. Obviously, some of the attacks described here are considered "well known". However, the full effects of these attacks are less known. Further, there are more attacks yet to be discovered or documented. As researchers document ways of depleting specific resources, attack modules could be added to the sockstress framework.

The sockstress attack tool consists of two main parts:

1) Fantaip: Fantaip is a "Phantom IP" program that performs ARP for IP addresses. To use fantaip, type 'fantaip -i interface CIDR', e.g., 'fantaip -i eth0 192.168.0.128/25'. This ARP/Layer 2 function could optionally be provided by other means depending on the requirements of the local network topology. Since sockstress completes TCP sockets in user-land, it is not advisable to use sockstress with an IP address configured for use by the kernel, as the kernel would then RST the sockets.

2) Sockstress: In its most basic use, sockstress simply opens TCP sockets and sends a specified TCP stress test. It can optionally send an application-specific TCP payload (e.g., a 'GET / HTTP/1.0' request). By default, after the attack it ignores subsequent communications on the established socket. It can optionally ACK probes for active sockets. The attacks take advantage of the exposed resources the target makes available after the handshake.

Please note that the client-side cookies, heavily discussed in blogs, news and discussion lists, are an implementation detail of sockstress and not strictly necessary for carrying out these attacks.

The attack scenarios

Every attack in the sockstress framework has some impact on the system/service it is attacking. However, some attacks are more effective than others against a specific system/service combination.

Connection flood stress

Sockstress does not have a special attack module for performing a simple connection flood attack, but any of the attack modules can be used as such if the -c-1 (max connections unlimited) and -m-1 (max SYN unlimited) options are used. This would approximate the Naptha attack by performing a connection flood, exhausting all available TCBs as described in the CPNI document in section 3.1.1.

Example commands:

  1. fantaip -i eth0 192.168.1.128/25 -vvv
  2. sockstress -A -c-1 -d 192.168.1.100 -m-1 -Mz -p22,80 -r300 -s192.168.1.128/25 -vv

Effects of the Attacks

Effects of the sockstress attacks are reported to include:

  • A denial of service condition for a specific service. (AV:N/AC:M/Au:N/C:N/I:N/A:P)
  • A denial of service condition for an entire system (AV:N/AC:M/Au:N/C:N/I:N/A:C)
  • Systems that cannot communicate over TCP until rebooted
  • System lock ups
  • System reboots

Exploitation Caveats

The attack requires a successful TCP three-way handshake to effectively fill the victim's connection tables. This limits the attack's effectiveness, as an attacker cannot spoof the client IP address to avoid traceability.

A sockstress-style exploit also needs access to raw sockets on the attacking machine because the packets must be handled in userspace rather than with the OS's connect() API. Raw sockets are disabled on Windows XP SP2 and above, but device drivers are readily available [7] to put this facility back into Windows. The exploit can be executed as-is on other platforms with raw sockets, such as *nix, and requires root (superuser) privileges.

Mitigation

According to the Cisco Response [8], the current mitigation advice is to only allow trusted sources to access TCP-based services. This mitigation is particularly important for critical infrastructure devices. Red Hat has stated that "Due to upstream's decision not to release updates, Red Hat do not plan to release updates to resolve these issues; however, the effects of these attacks can be reduced." On Linux, using iptables with connection tracking and rate limiting can limit the impact of exploitation significantly.[9]
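The per-source connection ceiling behind the iptables advice above can be checked on the server side from its socket table. The following is an added example (not code from the article or from the sockstress project) that counts established sockets per source and local port over a constructed sample in the shape of `ss -tan` output; the threshold of 20 and the sample addresses are assumptions. Because fantaip lets one attacker hold sockets from a whole phantom range (the article's example uses a /25), the example also aggregates sources by prefix, the counterpart of the `--connlimit-mask` option of the iptables connlimit match, and shows that a per-host count alone misses the spread-out flood.

```python
import ipaddress
from collections import Counter


def constructed_ss_output():
    """Sample text in the shape of `ss -tan` output, constructed here
    (not a real capture): 25 ESTAB sockets to port 22 spread over eight
    peers in 192.168.1.128/25, three clients on port 80, one TIME-WAIT."""
    rows = ["State Recv-Q Send-Q Local Address:Port Peer Address:Port"]
    for i in range(25):
        rows.append(f"ESTAB 0 0 192.168.1.100:22 192.168.1.{129 + i % 8}:{40000 + i}")
    for i in range(3):
        rows.append(f"ESTAB 0 0 192.168.1.100:80 10.0.0.{5 + i}:5100{i}")
    rows.append("TIME-WAIT 0 0 192.168.1.100:80 10.0.0.9:51009")
    return "\n".join(rows)


def parse_ss(text):
    """Yield (state, local_port, peer_ip) for every socket line after the header."""
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 5:
            continue
        state, local, peer = parts[0], parts[3], parts[4]
        yield state, int(local.rpartition(":")[2]), peer.rpartition(":")[0]


def established_per_source(text, prefixlen=32):
    """Count ESTAB sockets per (source prefix, local port).

    prefixlen=32 counts per host, which a flood spread over phantom
    addresses slips under; a shorter prefix aggregates the whole range."""
    counts = Counter()
    for state, port, ip in parse_ss(text):
        if state != "ESTAB":
            continue
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        counts[(str(net), port)] += 1
    return counts


def flag_sources(text, limit=20, prefixlen=32):
    """Return {(prefix, port): count} for sources holding more than
    `limit` established sockets to one local port (assumed threshold)."""
    return {key: n for key, n in established_per_source(text, prefixlen).items()
            if n > limit}


if __name__ == "__main__":
    sample = constructed_ss_output()
    print("per host:", flag_sources(sample))               # {} -> flood hidden
    print("per /25 :", flag_sources(sample, prefixlen=25))  # range is flagged
```

On a live host, feed the output of `ss -tan` into `flag_sources` in place of the constructed sample.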

References