
Wednesday, October 22, 2008

An analysis of sockstress

WHAT IS SOCKSTRESS?
A generic issue that affects the availability of TCP services. This issue could be used to create a Denial of Service attack. So far it is reported that this affects all systems running any service utilizing TCP, including Windows, Mac, Linux, and BSD.
Operating system makers may be forced to do some serious modifications to their TCP/IP stacks, thanks to the TCP sockstress vulnerability which has been hitting the news over the last few weeks.
TCP sockstress is a potentially serious generic issue in many operating systems that affects the availability of TCP services. Jack C. Louis, a security researcher at Outpost 24, a network security company based in Karlskrona, Sweden, discovered it. The company's CSO, Robert E. Lee, is the author of Unicornscan, a formidably fast scanner much loved by penetration testers which, unlike Nmap, has its own TCP/IP stack and which is capable of scanning an internal class B network (that's 65,000+ hosts) in less than three minutes.
A DoS attack exploiting the sockstress vulnerability uses half-open connections to deplete resources in the machines under attack. It very quickly causes specific services to become unavailable and may even require complete machine reboots.
What's worrying is that Louis claims the attack is effective against almost anything on a network (Windows, BSD, Linux, embedded systems TCP/IP stack implementations ... you name it), and the attack can be successful when packets are sent to a targeted machine at the rate of just one packet per second. Presumably, a bot would have to carry out such an attack (so the feds don't turn up at the attacker's door), but there would certainly be no need for a vast botnet or a high bandwidth connection to the Internet. By the sound of it, you could bring down a Web site with a single machine connected and an old AOL dial-up connection.


I searched around online: the details of the sockstress attack have not been disclosed yet, and what has come out so far is only scattered bits of information.

http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1332898,00.html
is a good article.

The sockstress attack was discovered by two researchers in Finland (one of them Swedish) while they were developing a wide-range scanning tool, unicornscan (http://www.unicornscan.org/). They noticed that some of the machines they had scanned were rebooting.

What can be confirmed from the disclosed information:
1. It is caused by a problem in the TCP three-way handshake.
2. It exhausts TCP connection resources and, under certain conditions, causes the device to reboot.
3. It is also effective against devices with syn-cookie enabled.
4. The attack requires a real (non-spoofed) IP address.
5. It uses a client-syn-cookie technique, which reduces the load on the client side.


In a Q&A, the author mentioned:
"Jack [Robert's partner] would like to stress that turning off server
side SYN-Cookie protection will not help and will only make you
open to syn flood attacks again (as stated in Fyodor's article)."

Although no detailed information has been disclosed, I noticed that the author mentions syn-cookie repeatedly, and that many of the vendors he notified about the problem are firewall and IPS vendors.
I suspect the attackers may have found a flaw in syn-cookie: under certain conditions they can accurately deduce the sequence number of the SYN/ACK that the syn-cookie replies with, and can then establish a connection directly just by sending an ACK packet.
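As an added illustration (not code from the original post, and not the Linux or BSD implementation), here is a simplified model of the classic SYN-cookie layout the speculation above refers to: the server packs a time counter, an MSS index and a secret-keyed hash of the 4-tuple into its initial sequence number, keeps no state for the half-open connection, and validates the returning ACK purely by recomputation. The only thing that makes that sequence number unpredictable to a client is the keyed hash and its secret, which is why the secret must be strong, and why turning SYN cookies off, as the quoted Q&A says, does not help. The MSS table, the counter period and the use of HMAC-SHA256 are assumptions of this example.

```python
import hashlib
import hmac
import ipaddress
import struct

# Simplified Bernstein-style SYN cookie (an added example, not a kernel's code).
# Server ISN layout: [5 bits: t mod 32][3 bits: MSS index][24 bits: keyed hash]
MSS_TABLE = (536, 1300, 1440, 1460)  # constructed; real stacks use other tables
COUNTER_PERIOD = 64                   # seconds per tick of the counter t
MAX_AGE_TICKS = 1                     # accept the current and the previous tick


def _secret_bits(secret, saddr, daddr, sport, dport, t):
    """Low 24 bits of an HMAC over the 4-tuple and the counter tick t."""
    msg = (ipaddress.IPv4Address(saddr).packed + ipaddress.IPv4Address(daddr).packed
           + struct.pack("!HHI", sport, dport, t))
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_syn_cookie(secret, saddr, daddr, sport, dport, mss, now):
    """ISN the server places in its SYN/ACK; no per-connection state is kept."""
    t = (now // COUNTER_PERIOD) & 0xFFFFFFFF
    idx = 0
    for i, m in enumerate(MSS_TABLE):   # largest table entry not above the client MSS
        if m <= mss:
            idx = i
    return ((t & 0x1F) << 27) | (idx << 24) | _secret_bits(secret, saddr, daddr, sport, dport, t)


def check_syn_cookie(secret, saddr, daddr, sport, dport, ack, now):
    """Validate the final ACK of a handshake; returns the recovered MSS or None."""
    cookie = (ack - 1) & 0xFFFFFFFF     # the client acknowledges ISN + 1
    t_now = (now // COUNTER_PERIOD) & 0xFFFFFFFF
    t_low, idx = cookie >> 27, (cookie >> 24) & 0x7
    for age in range(MAX_AGE_TICKS + 1):  # rebuild t from its low 5 bits, recent ticks only
        t = (t_now - age) & 0xFFFFFFFF
        if (t & 0x1F) != t_low:
            continue
        if (cookie & 0xFFFFFF) == _secret_bits(secret, saddr, daddr, sport, dport, t):
            return MSS_TABLE[idx]
    return None                          # stale, forged, or for a different 4-tuple
```

A cookie only validates for the same 4-tuple, the same secret and a recent counter tick, so a stale or replayed ACK is dropped without the server having stored anything.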

That is my judgement; let's keep watching.

Monday, September 1, 2008

Securing residential broadband with PPPoE plus port isolation

PPPoE is an old topic: it runs the PPP protocol over Ethernet to solve authentication, accounting and traffic control on Ethernet. From a security standpoint, its greatest value is that it removes ARP from the Ethernet segment, which prevents a whole range of spoofing attacks.
As for port isolation, it means that the downlink ports of a switch are not allowed to communicate with one another; each downlink port can talk only to the uplink port. This addresses a number of security problems tied to Ethernet broadcast. Here it actually serves as a security complement to PPPoE, preventing PPPoE server spoofing (for example, a client posing as a PPPoE server to mount a man-in-the-middle attack). (from CU JohnBull)