Wednesday, October 22, 2008

An analysis of sockstress

WHAT IS SOCKSTRESS?
A generic issue that affects the availability of TCP services. This issue could be used to create a Denial of Service attack. So far it is reported that this affects all systems running any service utilizing TCP, including Windows, Mac, Linux, and BSD.
Operating system makers may be forced to do some serious modifications to their TCP/IP stacks, thanks to the TCP sockstress vulnerability which has been hitting the news over the last few weeks.
TCP sockstress is a potentially serious generic issue in many operating systems that affects the availability of TCP services. Jack C. Louis, a security researcher at Outpost 24, a network security company based in Karlskrona, Sweden, discovered it. The company's CSO, Robert E. Lee, is the author of Unicornscan, a formidably fast scanner much loved by penetration testers which, unlike Nmap, has its own TCP/IP stack and which is capable of scanning an internal class B network (that's 65,000+ hosts) in less than three minutes.
A DoS attack exploiting the sockstress vulnerability uses half-open connections to deplete resources in the machines under attack. It very quickly causes specific services to become unavailable and may even require complete machine reboots.
What's worrying is that Louis claims the attack is effective against almost anything on a network (Windows, BSD, Linux, embedded systems TCP/IP stack implementations ... you name it), and the attack can be successful when packets are sent to a targeted machine at the rate of just one packet per second. Presumably, a bot would have to carry out such an attack (so the feds don't turn up at the attacker's door), but there would certainly be no need for a vast botnet or a high bandwidth connection to the Internet. By the sound of it, you could bring down a Web site with a single machine connected and an old AOL dial-up connection.


I searched around online: the details of the sockstress attack have not been disclosed yet, and all that has come out so far is a few scattered pieces of information.

http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1332898,00.html
is a good article on it.

The sockstress attack was discovered by two researchers in Finland (one of them Swedish) while they were developing a large-scale scanning tool, unicornscan (http://www.unicornscan.org/). At the time they noticed that some of the machines they had scanned were rebooting.

From the information disclosed so far, the following can be confirmed:
1. It is caused by a problem in the TCP three-way handshake.
2. It exhausts TCP connection resources and, under certain conditions, causes the device to reboot.
3. It is effective even against devices that have SYN cookies enabled.
4. The attack requires a real IP address (it cannot be carried out from a spoofed one).
5. It uses a client-side SYN cookie technique, which reduces the load on the client.


In one Q&A, the authors mentioned:
/Jack [Robert’s partner] would like to stress that turning off server
side SYN-Cookie protection will not help and will only make you
open to syn flood attacks again (as stated in Fyodor’s article)./

Although no detailed information has been disclosed, I noticed that the authors mention SYN cookies repeatedly, and that many of the vendors they notified as affected are firewall and IPS vendors. My suspicion is that the attackers may have found a flaw in SYN cookies: under certain conditions it may be possible to accurately infer the sequence number of the SYN/ACK that the SYN cookie mechanism replies with, so that a connection can be fully established simply by sending an ACK packet.
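To make the mechanism behind this speculation concrete (and the client-side variant mentioned in point 5 above), here is a simplified, stateless SYN-cookie encoder and validator, added as an illustration; it is not code from the original post or from Unicornscan. It assumes a 5-bit time-window counter in the top bits, a 3-bit MSS index, HMAC-SHA256 as the keyed hash, a constructed 4-entry MSS table and constructed sample addresses; real stacks such as Linux use a different layout and hash function.

```python
import hashlib
import hmac

MSS_TABLE = (536, 1300, 1440, 1460)   # MSS values the 3-bit index can encode (constructed)
HASH_MASK = 0x00FFFFFF                # low 24 bits of the ISN hold the keyed hash


def _keyed_hash(secret, saddr, sport, daddr, dport, counter):
    """Keyed hash over the 4-tuple and the time window.
    Without `secret`, the low 24 bits of the ISN are not predictable."""
    msg = f"{saddr}:{sport}>{daddr}:{dport}|{counter}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")  # 24 bits


def make_cookie(secret, saddr, sport, daddr, dport, mss, counter):
    """ISN placed in the SYN/ACK: [5-bit counter | 3-bit MSS index | 24-bit hash].
    Nothing is stored per half-open connection; the number validates itself."""
    mss_idx = max((i for i, v in enumerate(MSS_TABLE) if v <= mss), default=0)
    window = counter & 0x1F
    h = _keyed_hash(secret, saddr, sport, daddr, dport, window)
    return (window << 27) | (mss_idx << 24) | h


def check_cookie(secret, saddr, sport, daddr, dport, ack_seq, counter):
    """Validate the handshake's final ACK, which acknowledges ISN+1.
    Returns the negotiated MSS, or None if the cookie is stale or forged."""
    cookie = (ack_seq - 1) & 0xFFFFFFFF
    stored = cookie >> 27
    if (counter - stored) & 0x1F > 1:       # older than one window (or from the future)
        return None
    mss_idx = (cookie >> 24) & 0x7
    if mss_idx >= len(MSS_TABLE):           # index outside the table: not ours
        return None
    expected = _keyed_hash(secret, saddr, sport, daddr, dport, stored)
    got = cookie & HASH_MASK
    if not hmac.compare_digest(expected.to_bytes(3, "big"), got.to_bytes(3, "big")):
        return None
    return MSS_TABLE[mss_idx]
```

The same construction works on the client side: a scanner that derives its own ISN this way can validate every SYN/ACK it receives without keeping a table of outstanding probes.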

That is my guess; let's keep watching.

Thursday, October 16, 2008

Cisco switch vulnerability

Cisco switches have a DoS vulnerability in their handling of the VTP protocol; Cisco has officially confirmed it, and the latest switch IOS releases are affected as well.

At Cisco's request, the details of the vulnerability are not being made public for now.