New Denial-of-Service Attack Is a Killer

← Back to Stories (view on slashdot.org)

New Denial-of-Service Attack Is a Killer

Posted by kdawson on Wednesday October 1, 2008 @12:08AM from the fighting-a-resource-war-with-an-unfair-advantage dept.

ancientribe writes "Hacker RSnake blogs about a newly discovered and deadly denial-of-service attack that could well be the next big threat to the Internet as a whole. It goes after a broadband Internet connection and KOs machines on the other end such that they stay offline even after the attack is over. It spans various systems, too: the pair of Swedish researchers who found it have already contacted firewall, operating system, and Web-enabled device vendors whose products are vulnerable to this attack." Listen to the interview (MP3) — English starts a few minutes in — and you might find yourself convinced that we have a problem. The researchers claim that they have been able to take down every system with a TCP/IP stack that they have attempted; and they know of no fix or workaround.

27 of 341 comments (clear)

Min score:

Reason:

Sort:

fearmongering by passthecrackpipe · 2008-10-01 00:13 · Score: 5, Insightful

While it is pretty interesting, and disturbing, we are once again faced with a "The Internet Will Cease To Exist And Your Brain Will Explode" vulnerability. We dont know exactly how it works, we dont know exactly what to do to stop it, fixes are not available, and we are all doomed. The podcast goes into enough detail about how they discovered it to be replicated by skilled evildoers without too much trouble, but nobody knows how long, easy or invasive a fix is going to be.

--
People who think they know everything are a great annoyance to those of us who do.
1. Re:fearmongering by MyLongNickName · 2008-10-01 00:18 · Score: 5, Insightful
  
  Sorry, but your entire argument is shot down by TFA. For those of you too lazy to read it, this gem "Robert and Jack are smart dudes. I've known them for years," clearly shows that your argument is moot. The author has known them for years from (presumably) T-Ball league. How can you argue with that?
  (this having to wait 5 minutes between posts is a pain in the ass. Anyone else stuck with this restriction?)
  
  --
  See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
2. Re:fearmongering by morgan_greywolf · 2008-10-01 00:37 · Score: 5, Insightful
  
  Sorry, but your entire argument is shot down by TFA. For those of you too lazy to read it, this gem "Robert and Jack are smart dudes. I've known them for years," clearly shows that your argument is moot.
  Seriously....just saying "Yeah, these two dudes I know can break the whole Internet. Trust me. I've known them a long time." is just completely lame and useless.
  The article is nothing more than fear mongering and fudfudfud (please tag appropriately). Unless there's something to the interview beyond "I know how to break the Interwebs!!!", I'm from Missouri on this one.
  
  --
  My blog
3. Re:fearmongering by __aamnbm3774 · 2008-10-01 01:35 · Score: 3, Insightful
  
  I am no networking Guru by any means, but after listening to the mp3, I don't see how this isn't fixable. Just based on the way routers will 'continue to spit out the same packet over and over' seems like a pure implementation issue of the TCP/IP stack.
  
  Please correct me if I am wrong, but I don't see how this cannot be fixed. Another super-scary (and warrantless) slashdot headline and summary IMHO.
4. Re:fearmongering by Yvanhoe · 2008-10-01 01:50 · Score: 4, Insightful
  
  (this having to wait 5 minutes between posts is a pain in the ass. Anyone else stuck with this restriction?)
  Yes, limiting the possibilities to comment is clearly a bad idea. /. summaries have always been quite bad for as long I can remember it, but all the informational value is in the comments. Where else can you see a fearmongering article, people making some obvious remarks, getting insightful retorts to finally end on a +5 comment coming from a guy working in the lab TFA mentions ?
  
  Slashdot, don't fear posters. Your moderation system filters spam (and as*holeness) with enough efficiency, don't add nagging features !
  
  --
  The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
5. Re:fearmongering by Goaway · 2008-10-01 02:15 · Score: 3, Insightful
  
  That kind of restriction does pretty much nothing at all to stop any kind of crapflood.
  See, crapflooders are not limited to using one IP or one account, unlike legitimate users.
6. Re:fearmongering by Arthur+Grumbine · 2008-10-01 02:28 · Score: 2, Insightful
  
  To support your assertion of a slashvertisement in the replies here there seems to be a strong redundancy of links to this "smart dude's" blog, posted by ACs.
  
  Whether the threat is real or not, someone seems to be intent on getting as much attention as possible.
  
  --
  Now that I think about it, I'm pretty sure everything I just said is completely wrong.
7. Re:fearmongering by passthecrackpipe · 2008-10-01 18:56 · Score: 2, Insightful
  
  WTF? "Answer some questions"? there is 1 question, and it looks like you posted that yourself. blog whoring and fearmongering. Oh, and i did listen to the whole podcast.
  
  --
  People who think they know everything are a great annoyance to those of us who do.
Transcript by commanderfoxtrot · 2008-10-01 00:14 · Score: 4, Insightful

Do people really have time to listen to podcasts unless they are commuting?
Is there a transcript???

--
http://blog.grcm.net/
1. Re:Transcript by TheBig1 · 2008-10-01 05:54 · Score: 2, Insightful
  
  I agree wholeheartedly.
  
  Even worse are the new video blogs (not quite sure if it's blogs, or tutorials or what...), I am seeing them all the time when searching for a technical question (e.g., "how to do X on system Y"). I don't want to watch a 5 minute tutorial - I want to find the one line command to do something!
  
  Cheers
2. Re:Transcript by EveLibertine · 2008-10-01 06:49 · Score: 2, Insightful
  
  Do people really have time to listen to podcasts unless they are commuting?
  Is there a transcript???
  To answer your question before I start my tirade: From the blog in question, "The podcast is still the most complete public source of information for these findings." http://blog.robertlee.name/
  
  I know what you mean. Audio or video are pretty poor for the rate of information disseminated compared to text. This is doubly true when the creators aren't formally trained (presenters aren't actors, or the script is not professionally written). Then you wind up with unskilled individuals all over the internet blundering through 5 minutes of speech, or fumbling their way through what would have been an otherwise interesting interview, if only they had just transcribed the whole thing to text and posted it somewhere. Then it'd take the rest of us 30 seconds to get the information, instead of 5 minutes of pain and suffering listening to or watching some horrible recording.
  
  There are obvious exceptions to this, but 9 times out of 10 I just want to read so I can get the most of the experience in the most efficient manner.
this is not news... it's a reach around... by Anonymous Coward · 2008-10-01 00:17 · Score: 1, Insightful

FTFA... "Robert and Jack are smart dudes"
yep ... and i'm scared now cuz the smart dudes told us the sky is falling, but don't ask why, they are working with the "vendors" in secret. which must be a lot since this affects every tcp/ip stack in existence.
who is jacking off who here?
Re:Go for it, take on my machine! by erayd · 2008-10-01 00:20 · Score: 5, Insightful

Unless it's a generic vulnerability in the TCP spec, in which case almost every implementation of it would be vulnerable - including all those Linux machines. Linux is not some magical shield, it takes responsible use to keep it secure.

--
Forget world peace, bring on -1 pointless
Power grids? by Porchroof · 2008-10-01 00:28 · Score: 3, Insightful

Why do I constantly find stories about how our power grids, nuclear energy sites, military bases, Federal government, etc., etc., will be taken down by Internet hackers? Please don't tell me that all of those resouces are accessible over the Internet. Why in God's name would put such resources on the Interet?

--
Fata viam invenient.
Re:Go for it, take on my machine! by apathy+maybe · 2008-10-01 00:34 · Score: 4, Insightful

Of course Linux is not a magical shield. But having a diverse eco-system is known to protect against many attacks.
One of the reasons stories about how the banana is going extinct come up every few years is because the "modern" banana that most people in the over developed world can buy, are all clones! One disease can attack all the plants in the same manner.
In the same way, computers that have the same OS tend to be vulnerable to the same attack. Because there are a lot more OSs based around Linux (and BSD), people running these OSs are less vulnerable, because they are in a diverse eco-system. Especially when these kernels and the user-land tools are FLOSS.
As such, yes, it maybe a generic vulnerability in the TCP spec. (though how likely is that?), however, it is not specified, which is why I asked if it did affect *nix.
If nothing else, due to the nature of FLOSS, the attack could quickly be coded around as soon as it is known, and then pushed out to many many people running auto-update systems (such as Debian, Ubuntu and similar). (Even if that breaks the spec.)

--
I wank in the shower.
The sky is falling! by Lord+Byron+II · 2008-10-01 00:45 · Score: 3, Insightful

Quickly, go yank the cable/dsl connection right out of the wall before its too late!
Come on... I'm not going to listen to mp3, but the /. summary and the article both are dangerously low on details. This effects every machine with a TCP/IP stack? IPv4 and IPv6? Leaves the machines in a permanent state of DOS? There's no prevention? No fix? And you can't even test it because it might take down "other devices between here and there"?
Pardon me, I'm off to find myself a huge grain of salt.
Re:They might have missed a small detail by JayJay.br · 2008-10-01 00:54 · Score: 2, Insightful

It reaches you in that no one else can see you on the Internet. If all routes are down, you can't communicate. Done, denial of service at its best, even if no packet ever reaches your interface.
That, still assuming that all of this is true.
the cutoff jokes are just old by jdunn14 · 2008-10-01 01:10 · Score: 1, Insightful

Every time there's a story about a connection dying or a machine crashing we see a flood of posts that end lik
It was funny _once_. Maybe. Be more creative. I'm trying to waste my day at work reading /. so could you people make up some new ones? And I'm not going to even delve into the fact that thanks to the ways posting content to a website works the failure wouldn't look remotely like this... we're not all on modems connecting to a BBS.
Let's give them the benifit of the doubt by Maguscrowley · 2008-10-01 01:13 · Score: 2, Insightful

Let's assume that they have actually discovered this industry sweeping exploit.
So they went and contacted the vendors like good white hats. Now, if their intent was in being contributers to the greater good of security they would stop at this level of correspondence and work with the companies until the problem is fixed.
However, they released this article to inform the public. Normally when someone does this it is with the intension of providing the public with the knowledge, tools, or rallying them activism towards the end of making the upstream change things. This article does not constructively inform in this way and does not give the end user something to throw upstream. Then what is this article accomplishing?
The fact that we are discussing this and that we have, theoretically, RTFA implies that we have exposed ourselves to their names, tools, and services. It also, loosely implies a need for their services and their "skill." Quotations are entered around "skill" as I the reader have no way of actually confirming their skill because of the lack of real material to observe. From this perspective, I am tempted to conclude that this article serves as little more then an advertisement for their services and a cry for attention.
What then, you may ask. Do I suggest that they leak "dangerous" information and risk their horror story becoming reality? No; rather I propose that if their intentions were really to protect the Internet, they should have stopped the discussion of their research from the immediate parties involved.
I do not necessarily advocate any of these stances as this analysis is meant to be normative.
Re:More scares, AND A TEMPORARY FIX! by Rob+Kaper · 2008-10-01 01:14 · Score: 2, Insightful

Simple: put that line before your network cards are initialised. That's rc.inet1 in Slackware, YMMV elsewhere.
Re:Pfffft by Anonymous Coward · 2008-10-01 01:28 · Score: 1, Insightful

Metamoderate -1 clueless. Whoosh!
Too many Microsoft fanboy moderators ...
Something strange... by nweaver · 2008-10-01 01:30 · Score: 3, Insightful

It sounds like a blind resource consumption attack against SYN-cookie implementations, no? (Without SYN-cookies, the attack is trivial, just spoof SYNs).
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1332898,00.html
SYN-cookies are a simple idea. Upon receiving a SYN, rather than creating all the state, the server returns a SYN/ACK with the SEQ value = H(IP,ACK value). Thus when it sees the ACK packet it can check that the value is returned, and then create all the state.
If this is the case, it seems to require that a SYN-cookie be predictible, that the attacker can probe a client to predict what H(IP,ACK value) is. IF that is the case then there is an easy fix: simply use more and better random data as salt in a better hash function.
Simply because ANY blind resource consumption attack against a SYN-cookie server requires knowing what the SEQ value from the server for the SYN/ACK in order to establish a connection by sending the proper ACK (and then some data to load the server further).
If the attacker can't predict the SYN/ACK's SEQ value, it can't construct a proper ACK and cause the server to consume resources.

--
Test your net with Netalyzr
Re:Pfffft by Anonymous Coward · 2008-10-01 01:42 · Score: 1, Insightful

> ...move up to Windows 3.1. That is where it is at.
Nah. Try O/S 2 Warp instead. You'll be glad you did.
Re:Pfffft by mikael_j · 2008-10-01 01:49 · Score: 2, Insightful

Could it be that you're talking about MS Windows 3.1 instead of Windows NT 3.1 that the parent seems to be talking about? Because NT 3.x was a completely different beast from regular Win 3.1.
/Mikael

--
Greylisting is to SMTP as NAT is to IPv4
Re:Go for it, take on my machine! by SL+Baur · 2008-10-01 02:03 · Score: 2, Insightful

Of course Linux is not a magical shield. But having a diverse eco-system is known to protect against many attacks.
Amen! Even so, I would expect to see patches coming from David Miller shortly if Linux is truly vulnerable. Similar to how Linux was the first system to be protected against the F00F Intel Pentium hardware bug.
Re:Don't Give Them The Power!!! by jjohnson · 2008-10-01 03:56 · Score: 2, Insightful

Because if we don't discuss it, vendors will think that it doesn't need to be fixed, and won't fix it. I'm all for giving vendors some lead time to come up with solutions to discovered attacks, but history has plainly shown that the only way to compel vendors to fix security problems is to publicize them.
And keep in mind: The fact that we're not discussing it doesn't mean it's not getting discussed in other circles who look to use it for less noble things than correcting defects.

--
Anyone who loves or hates any language, platform, or manufacturer, doesn't know what they're talking about.
Re:How this really SEEMS to work... by Space_Pirate_Arrr · 2008-10-01 10:52 · Score: 1, Insightful

Thus I think its only really relevant if you wanted to DOS google, akamai, or some similar very-high-resource infrastructure.
If someone wants to use this trick to "DOS google, akamai, or some similar very-high-resource infrastructure" then I think that is very relevant to us all.