New Denial-of-Service Attack Is a Killer

ancientribe writes "Hacker RSnake blogs about a newly discovered and deadly denial-of-service attack that could well be the next big threat to the Internet as a whole. It goes after a broadband Internet connection and KOs machines on the other end such that they stay offline even after the attack is over. It spans various systems, too: the pair of Swedish researchers who found it have already contacted firewall, operating system, and Web-enabled device vendors whose products are vulnerable to this attack." Listen to the interview (MP3) — English starts a few minutes in — and you might find yourself convinced that we have a problem. The researchers claim that they have been able to take down every system with a TCP/IP stack that they have attempted; and they know of no fix or workaround.

fearmongering

[passthecrackpipe]

While it is pretty interesting, and disturbing, we are once again faced with a "The Internet Will Cease To Exist And Your Brain Will Explode" vulnerability. We dont know exactly how it works, we dont know exactly what to do to stop it, fixes are not available, and we are all doomed. The podcast goes into enough detail about how they discovered it to be replicated by skilled evildoers without too much trouble, but nobody knows how long, easy or invasive a fix is going to be.

Re:fearmongering

[MyLongNickName]

Sorry, but your entire argument is shot down by TFA. For those of you too lazy to read it, this gem "Robert and Jack are smart dudes. I've known them for years," clearly shows that your argument is moot. The author has known them for years from (presumably) T-Ball league. How can you argue with that?

(this having to wait 5 minutes between posts is a pain in the ass. Anyone else stuck with this restriction?)

Re:fearmongering

[morgan_greywolf]

Sorry, but your entire argument is shot down by TFA. For those of you too lazy to read it, this gem "Robert and Jack are smart dudes. I've known them for years," clearly shows that your argument is moot.

Seriously....just saying "Yeah, these two dudes I know can break the whole Internet. Trust me. I've known them a long time." is just completely lame and useless.

The article is nothing more than fear mongering and fudfudfud (please tag appropriately). Unless there's something to the interview beyond "I know how to break the Interwebs!!!", I'm from Missouri on this one.

Re:fearmongering

[__aamnbm3774]

I am no networking Guru by any means, but after listening to the mp3, I don't see how this isn't fixable. Just based on the way routers will 'continue to spit out the same packet over and over' seems like a pure implementation issue of the TCP/IP stack.

Please correct me if I am wrong, but I don't see how this cannot be fixed. Another super-scary (and warrantless) slashdot headline and summary IMHO.

Re:fearmongering

[Yvanhoe]

(this having to wait 5 minutes between posts is a pain in the ass. Anyone else stuck with this restriction?)

Yes, limiting the possibilities to comment is clearly a bad idea. /. summaries have always been quite bad for as long I can remember it, but all the informational value is in the comments. Where else can you see a fearmongering article, people making some obvious remarks, getting insightful retorts to finally end on a +5 comment coming from a guy working in the lab TFA mentions ?

Slashdot, don't fear posters. Your moderation system filters spam (and as*holeness) with enough efficiency, don't add nagging features !

Re:fearmongering

[Goaway]

That kind of restriction does pretty much nothing at all to stop any kind of crapflood.

See, crapflooders are not limited to using one IP or one account, unlike legitimate users.

Transcript

[commanderfoxtrot]

Do people really have time to listen to podcasts unless they are commuting?

Is there a transcript???

Re:Go for it, take on my machine!

[erayd]

Unless it's a generic vulnerability in the TCP spec, in which case almost every implementation of it would be vulnerable - including all those Linux machines. Linux is not some magical shield, it takes responsible use to keep it secure.

Power grids?

[Porchroof]

Why do I constantly find stories about how our power grids, nuclear energy sites, military bases, Federal government, etc., etc., will be taken down by Internet hackers? Please don't tell me that all of those resouces are accessible over the Internet. Why in God's name would put such resources on the Interet?

Re:Go for it, take on my machine!

[apathy+maybe]

Of course Linux is not a magical shield. But having a diverse eco-system is known to protect against many attacks.

One of the reasons stories about how the banana is going extinct come up every few years is because the "modern" banana that most people in the over developed world can buy, are all clones! One disease can attack all the plants in the same manner.

In the same way, computers that have the same OS tend to be vulnerable to the same attack. Because there are a lot more OSs based around Linux (and BSD), people running these OSs are less vulnerable, because they are in a diverse eco-system. Especially when these kernels and the user-land tools are FLOSS.

As such, yes, it maybe a generic vulnerability in the TCP spec. (though how likely is that?), however, it is not specified, which is why I asked if it did affect *nix.

If nothing else, due to the nature of FLOSS, the attack could quickly be coded around as soon as it is known, and then pushed out to many many people running auto-update systems (such as Debian, Ubuntu and similar). (Even if that breaks the spec.)

The sky is falling!

[Lord+Byron+II]

Quickly, go yank the cable/dsl connection right out of the wall before its too late!

Come on... I'm not going to listen to mp3, but the /. summary and the article both are dangerously low on details. This effects every machine with a TCP/IP stack? IPv4 and IPv6? Leaves the machines in a permanent state of DOS? There's no prevention? No fix? And you can't even test it because it might take down "other devices between here and there"?

Pardon me, I'm off to find myself a huge grain of salt.

Something strange...

[nweaver]

It sounds like a blind resource consumption attack against SYN-cookie implementations, no? (Without SYN-cookies, the attack is trivial, just spoof SYNs).

http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1332898,00.html

SYN-cookies are a simple idea. Upon receiving a SYN, rather than creating all the state, the server returns a SYN/ACK with the SEQ value = H(IP,ACK value). Thus when it sees the ACK packet it can check that the value is returned, and then create all the state.

If this is the case, it seems to require that a SYN-cookie be predictible, that the attacker can probe a client to predict what H(IP,ACK value) is. IF that is the case then there is an easy fix: simply use more and better random data as salt in a better hash function.

Simply because ANY blind resource consumption attack against a SYN-cookie server requires knowing what the SEQ value from the server for the SYN/ACK in order to establish a connection by sending the proper ACK (and then some data to load the server further).

If the attacker can't predict the SYN/ACK's SEQ value, it can't construct a proper ACK and cause the server to consume resources.