Title : Phrack loopback
Author : Phrack Staff
.oO Phrack Magazine Oo.
Volume Seven, Issue Forty-Nine
File 2 of 16
Phrack Loopback
-----------------------------------------------------------------------------
[The Netly News]
September 30, 1996
Today, Berkeley Software Design, Inc. is expected to publicly release
a near-perfect solution to the "Denial of Service," or SYN flooding attacks,
that have been plaguing the Net for the past three weeks. The fix, dubbed
the SYN cache, does not replace the need for router filtering, but it is
an easy-to-implement prophylaxis for most attacks.
"It may even be overkill," says Alexis Rosen, the owner of Public
Access Networks. The attack on his service two weeks ago first catapulted
the hack into public consciousness.
The SYN attack, originally published by Daemon9 in Phrack, has
affected at least three service providers since it was published last month.
The attack floods an ISP's server with bogus, randomly generated connection
requests. Unable to bear the pressure, servers grind to a halt.
The new code, which should take just 30 minutes for a service provider
to install, would keep the bogus addresses out of the main queue by saving two
key pieces of information in a separate area of the machine, implementing
communication only when the connection has been verified. Rosen, a master of
techno metaphor, compares it to a customs check. When you seek entrance to a
server, you are asked for two small pieces of identification. The server then
sends a communique back to your machine and establishes that you are a real
person. Once your identity is established, the server grabs the two missing
pieces of identification and puts you into the queue for a connection. If
valid identification is not established, you never reach the queue and the
two small pieces of identification are flushed from the system.
The entire process takes microseconds to complete and uses just a few
bytes of memory. "Right now one of these guys could be on the end of a 300-baud
modem and shut you down," says Doug Urner, a spokesman for BSDI. "With these
fixes, they just won't matter." Still, Urner stresses that the solution does
not reduce the need for service providers to filter IP addresses at the router.
Indeed, if an attacker were using a T1 to send thousands of requests per
second, even the BSDI solution would be taxed. For that reason, the developers
put in an added layer of protection to their code that would randomly drop
connections during an overload. That way at least some valid users would
be able to get through, albeit slowly.
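How a cache of this kind behaves under load, sketched as an added Python model that is not BSDI's code; the table size, the random-drop rule and the addresses are constructed for the illustration:

```python
import random

class SynCache:
    """Toy model of the SYN-cache idea (added illustration, not BSDI's code).
    Each SYN costs one small entry, (peer addr, peer port) -> server ISN, and
    a connection reaches the accept queue only after the peer ACKs that ISN,
    which proves the source address really received the SYN-ACK. When the
    table is full a random half-open entry is evicted instead of refusing
    every new SYN, so some legitimate peers still get through."""

    def __init__(self, capacity, seed=1):
        self.capacity = capacity
        self.rng = random.Random(seed)   # fixed seed: deterministic demo
        self.half_open = {}              # (peer, port) -> server ISN
        self.accepted = []               # handshakes that completed

    def on_syn(self, peer, port):
        key = (peer, port)
        if key in self.half_open:        # SYN retransmit: same SYN-ACK again
            return self.half_open[key]
        if len(self.half_open) >= self.capacity:
            victim = self.rng.choice(list(self.half_open))
            del self.half_open[victim]   # random drop under overload
        isn = self.rng.getrandbits(32)
        self.half_open[key] = isn        # the only state kept per SYN
        return isn                       # carried back in the SYN-ACK

    def on_ack(self, peer, port, ack):
        isn = self.half_open.get((peer, port))
        if isn is None or ack != isn + 1:
            return False                 # unknown peer or wrong ACK: ignore
        del self.half_open[(peer, port)]
        self.accepted.append((peer, port))
        return True

def flood_then_serve(capacity=256, spoofed=1000, legit=20, burst=10):
    """Constructed scenario: `spoofed` SYNs from random addresses that never
    ACK fill the table; then each of `legit` real clients sends a SYN, `burst`
    more spoofed SYNs land, and the client ACKs. Returns completed count."""
    cache = SynCache(capacity)
    def spoof():                         # never answers the SYN-ACK
        return (f"203.0.113.{cache.rng.randrange(256)}",
                cache.rng.randrange(1024, 65535))
    for _ in range(spoofed):
        cache.on_syn(*spoof())
    for i in range(legit):
        isn = cache.on_syn("192.0.2.7", 40000 + i)
        for _ in range(burst):
            cache.on_syn(*spoof())
        cache.on_ack("192.0.2.7", 40000 + i, isn + 1)
    return len(cache.accepted)
```

With the flood already filling the table, a legitimate peer still gets an entry and survives each later eviction with probability 1 - 1/capacity, which is the "at least some valid users get through" property the article describes.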
There have been a number of proposed solutions based on the random-drop
theory. Even Daemon9 came up with a solution that looks for any common
characteristics in the attack and learns to drop that set of addresses. For
example, most SYN attacks have a tempo -- packets are often sent in
five-millisecond intervals -- when a server senses flooding it looks for these
common characteristics and decides to drop that set of requests. Some valid
users would be dropped in the process, but the server would have effectively
saved itself from a total lockup.
Phrack editor Daemon9 defends his act of publishing the code for the
attack as a necessary evil. "If I just put out a white paper, no one is
going to look at this, no one is going to fix this hole," he told The
Netly News. "You have to break some eggs, I guess."
To his credit, Daemon9 actually included measures in his code that made
it difficult for any anklebiting hacker to run. Essential bits of information
required to enable the SYN attack code could be learned only from reading
the entire whitepaper he wrote describing the attack. Also, anyone wanting to
run the hack would have to set up a server in order to generate the IP
addresses. "My line of thinking is that if you know how to set a Linux up
and you're enough in computers, you'll have enough respect not to do this,"
Daemon9 says. He adds, "I did not foresee such a large response to this."
Daemon9 also warns that there are other, similar protocols that can be
abused and that until there is a new generation of TCP/IP the Net will be open
to abuse. He explained a devastating attack similar to SYN called ICMP Echo
Flood. The attack sends "ping" requests to a remote machine hundreds of times
per second until the machine is flooded.
"Don't get me wrong," says Daemon9. "I love the Net. It's my bread and
butter, my backyard. But now there are too many people on it with no concern
for security. The CIA and DOJ attacks were waiting to happen. These holes were
pathetically well-known."
--By Noah Robischon
[ Hmm. I thought quotation marks were indicative of verbatim quotes. Not
in this case... It's funny. You talk to these guys for hours, you *think*
you've pounded the subject matter into their brains well enough for them to
*at least* quote you properly... -d9 ]
[ Ok. Loopback was weak this time. We had no mail. We need mail. Send us
mail! ]
----<>----