Sockstress
Posted by: holiman
Date: March 29, 2009 02:48PM

I have some questions about the late Jack C. Louis and Robert E. Lee's sockstress. I saw their presentation at SEC-T in Stockholm in September, but they were adamant to explicitly give out details on what it was. I have then read some more about it afterwards (for example at http://www.grc.com/securitynow.htm#164 and http://www.grc.com/sn/notes-164.htm ).

So, the attack itself seems to consist of two parts, the second part being the most serious.

Recap: Ages ago, syn-flooding was invented. Single computers could overwhelm big servers by initiating connections seemingly from a lot of IP addresses that were all bogus. The server was DoS:ed.

Enter syn-cookies: the server added a cookie in the response packet (SYN/ACK) and waited for the third step in the handshake to complete. No resources were consumed. When the last ACK packet came back with the correct cookie, resources were allocated and the connection was complete. So, all the spoofed packets were not able to bring down the server anymore.

Enter client-side cookies, which Jack and Robert talked about in their presentation: The client also puts a cookie in the packet. The client can now maintain a TCP connection without allocating any resources for it, enabling it to handle 65k connections.

So, that is the first part, as I understand it. Am I halfway correct? Now, some questions:
1. That client-side cookie thing - is that something new, or something that they came up with?
2. Those client-side cookies still do not give the game away to the "bad guys", since the connections cannot be spoofed: attacks are therefore easily blocked by the remote server on source IP. All it does is enable a connecting client to create more connections, right? And one scenario where that would be great for a DoS:er is if he uses a botnet (1000 weak clients) to attack a multitude of targets (1000 hosts) and distributes the connections so each host connects, say, 60 connections to each host. That would be very hard to block.

So, part two: They perform "stressing" operations on the remote TCP stack. One such attack would be to use a tarpitting approach, which uses a window size of 0 to consume server resources (= timers). Other such attacks have been hinted at, but as far as I understand it, they have not been publicly revealed, is that correct?

So, does anyone know anything about this? I think it is really awesome to find new attack vectors on technology that is decades old. Jack Louis surely was a great mind.

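The server-side syn-cookie mechanism recapped in the post, worked through as an added example (a Python sketch written for this thread, not code from the presenters or from any real TCP stack). Assumptions: the cookie is a keyed hash over the 4-tuple plus a coarse time counter packed into the SYN/ACK's initial sequence number, the counter ticks every 64 seconds, and the MSS is carried as a 2-bit table index.

```python
import hmac
import hashlib
import time

# Constructed parameters (assumptions, not from the thread): a per-boot server
# secret, a 64-second counter tick, and a small table of encodable MSS values.
SECRET = b"constructed-server-secret"
COUNTER_WINDOW = 64          # seconds per counter tick
MAX_AGE_TICKS = 2            # oldest counter value still accepted
MSS_TABLE = [536, 1220, 1440, 1460]


def _mac(saddr, sport, daddr, dport, count):
    """Keyed hash over the 4-tuple and counter, truncated to 32 bits."""
    msg = f"{saddr}|{sport}|{daddr}|{dport}|{count}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")


def make_syn_cookie(saddr, sport, daddr, dport, mss_idx, now=None):
    """ISN to send in the SYN/ACK. The server stores nothing per connection:
    everything it needs to verify the third packet is encoded in the ISN."""
    count = int((now if now is not None else time.time()) // COUNTER_WINDOW)
    # bits 31..29: counter mod 8, bits 28..27: MSS index, bits 26..0: MAC
    return ((count & 7) << 29) | (mss_idx << 27) | (_mac(saddr, sport, daddr, dport, count) & 0x07FFFFFF)


def check_syn_cookie(saddr, sport, daddr, dport, ack, now=None):
    """Verify the ACK number of the handshake's third packet. Returns the MSS the
    server should use if the cookie is valid and fresh, otherwise None; only on
    success would the stack allocate a connection."""
    cookie = (ack - 1) & 0xFFFFFFFF          # the client ACKs our ISN + 1
    cur = int((now if now is not None else time.time()) // COUNTER_WINDOW)
    cnt_bits = cookie >> 29
    mss_idx = (cookie >> 27) & 3
    age = (cur - cnt_bits) & 7               # ticks since the cookie was minted (mod 8)
    if age > MAX_AGE_TICKS:
        return None                          # stale cookie, or a replayed/guessed ISN
    count = cur - age
    if (_mac(saddr, sport, daddr, dport, count) & 0x07FFFFFF) != (cookie & 0x07FFFFFF):
        return None                          # 4-tuple or counter does not match
    return MSS_TABLE[mss_idx]
```

A spoofed SYN never produces a valid third packet, because the forged source never receives the SYN/ACK and therefore never learns the cookie.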
Re: Sockstress
Posted by: holiman
Date: April 09, 2009 01:05PM

I mailed my questions (same as above, more or less) to Robert. Here's the bulk of it, my questions and his replies:
-----------------------
> > Enter client-side cookies, which you guys talked about in your
> > presentation: The client also puts a cookie in the packet. This makes
> > the client stateless; the client can now maintain a tcp-connection
> > without allocating any resources for it, enabling it to handle 65k
> > connections (theoretically).

65k connections per client-ip-target:port being attacked.

To be clear, the client-side cookies were just an interesting implementation
decision that was chosen to lighten the load on the client system as we open
a large number of sockets. Strictly speaking, the whole syn-cookie
discussion is not related to the vulnerabilities being exploited by
sockstress.

> > 1. That client-side cookie thing - is that an old concept, or something
> > that you guys came up with yourselves?

Old concept, though Jack's implementation was an improvement on what we have
observed others do.

> > 2. Those client-side cookies still does not give the game away to the
> > "bad guys", since the connections cannot be spoofed : attacks are
> > therefore easily blocked by remote server on source ip. All it does is
> > enable a connecting client to create more connections, right ?

Sort of. Jack wrote other pieces that allow us to use entire ranges of IP
addresses. Some of these attacks require more than 65k open sockets, making
multiple client IP addresses required, or multiple services on the target.
If the attacker has multiple ranges of client IPs to spread the attack
across, it is not a simple matter to block a single IP.

Further, the attacks resemble valid traffic, so auto-blocking based on the
attack fingerprint alone could cause valid clients to be blocked. Even
blocking based on concurrent connections could cause valid clients to be
blocked if the attacker has a sufficient client-ip pool to spread across.

> > And one
> > scenario where that would be great for a DoS:er is if he uses a botnet
> > (1000 weak clients) to attack a multitude of targets (1000 hosts) and
> > distributes the connections so each host connects say 60 connections to
> > each host. That would be very hard to block.

Precisely.


> > So, part two : Sockstress perform "stressing" operations on the remote
> > tcp stack. One such attack would be to use tarpitting approach, which
> > uses window size of 0 to consume server resources (= timers, as reported
> > by Security Now! podcast). Other such attacks have been hinted at, but
> > as far as I understand it, they have not been publicly revealed, is that
> > correct?

Reverse tar pitting concept, but yes. Implementations of the 0-window
attack can be seen in other tools, though it was included in sockstress for
completeness. That is the easiest example of what we were talking about,
but jack has submitted 5 others to vendors. He was working on 6 additional
attacks, but sadly, that research will have to be continued by someone else.

Rick Jones, and several of Jack's close friends (including me) are putting
together a Jack C. Louis foundation. We're hoping to raise donations for
this foundation to fund security research, such as these TCP
vulnerabilities.

> > Did Security Now! podcast get it correctly? Or only parts of it?

Mostly, yes. Funny enough, that podcast was one of the better ones that we
listened to. I didn't like their initial tone of coverage, but we did talk
to them on the phone for a couple of hours after that podcast went live. Steve
seems to be a good guy.

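The reply above makes two defender-relevant points: the 0-window (reverse tarpit) attack holds established connections open with the server's timers, and it is spread across IP ranges so that blocking a single address, or counting connections per address, misses it or hits legitimate clients. The following is an added detection sketch in that spirit (written for this thread, not part of sockstress or of any vendor tool): it scans a constructed, simplified snapshot of a server's connection table for long-lived zero-window connections and aggregates them per source prefix for review rather than auto-blocking.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of a server's connection table, simplified to
# (peer_ip, local_port, state, peer_advertised_window, seconds_in_state).
# A brief zero window is normal receiver backpressure; one that persists for
# minutes while the connection stays ESTAB is the pattern discussed above.
SAMPLE_CONNS = [
    ("203.0.113.5",  80,  "ESTAB", 0,     300),
    ("203.0.113.5",  80,  "ESTAB", 0,     290),
    ("203.0.113.6",  80,  "ESTAB", 0,     310),
    ("203.0.113.7",  80,  "ESTAB", 0,     305),
    ("198.51.100.9", 80,  "ESTAB", 0,     4),      # transient, legitimate
    ("198.51.100.9", 80,  "ESTAB", 65535, 120),
    ("192.0.2.44",   443, "ESTAB", 14600, 900),
]


def zero_window_stalls(conns, min_age=60):
    """Established connections whose peer has advertised a 0 window for at
    least min_age seconds, i.e. the server is parked on its persist timer."""
    return [c for c in conns if c[2] == "ESTAB" and c[3] == 0 and c[4] >= min_age]


def stalls_by_prefix(conns, prefix_len=24, min_age=60):
    """Count stalled connections per source prefix. Aggregating by prefix
    rather than by address reflects the reply's point that the load is spread
    over IP ranges, so no single address looks unusual on its own."""
    counts = defaultdict(int)
    for c in zero_window_stalls(conns, min_age):
        net = ipaddress.ip_network(f"{c[0]}/{prefix_len}", strict=False)
        counts[str(net)] += 1
    return dict(counts)


def suspicious_prefixes(conns, threshold=3, **kw):
    """Prefixes at or above the threshold, returned for analyst review: the
    reply warns that blocking on connection counts alone can hit valid clients."""
    return sorted(p for p, n in stalls_by_prefix(conns, **kw).items() if n >= threshold)
```

On a live host the same tuples can be read from the stack's socket statistics (for example the receive-window and state columns of `ss -tni`), with the threshold tuned to the server's normal client population.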
Re: Sockstress
Posted by: id
Date: April 09, 2009 05:56PM

Thanks for posting this!

-id
