Slashdot Mirror
Mac OS9 Flood Attack
Yoel Inbar writes "John Copeland, a professor at Georgia Tech, has discovered the possibility of using Macs running OS 9 as a distributed DOS tool. Basically, by sending a Mac running OS 9 a custom UDP packet, you can get it to reply with a 1500 byte ICMP packet(these packets are normally sent as part of MTU discovery). Send these UDP packets to a bunch of Macs, spoof the source addresses....voila, instant DOS.
Apparently this is "in the wild"; he reports several scans designed to elicit these packets. "
Here I have three slaves (199.77.146.20, 199.77.146.103, 199.77.158.61) being stimulated to send 30 1500-byte packets per second to address 24.88.48.47 (my cable modem). The combined bit rate is 3 x 30/s x 1500 bytes x 8 b/B = 1,080,000 bits/s. I could have increased the rate several times, but not much more would have interfered with the network.
-kris
Apple's servers seem to be down(coincidence?), but the fix should be right here:
n 11559
http://asu.info.apple.com/swupdates.nsf/artnum/
The difference here is that I can trigger a response much larger than the request. If I send an ICMP ping of 1000 bytes, the response is going to be 1000 bytes.
But with this attack, I can trigger a response of 1024 bytes by sending only 24 bytes. The idea being that I can fill the victims pipeline without filling my own.
But for the most part that's just bogus. The difference in size just isn't that great. A script kiddie will fill his own ppp bandwidth with the triggers long before whitehouse.gov gets overloaded with the payload. Also, much of the bottleneck is due to # of packets rather than # of bytes, and the # of packets is identical for attacker and victim.
Apple should fix the hole, but in the grand scheme of things this isn't huge security news, especially given the paucity of Mac servers on the Net (where this could really do some damage).
I think there would have to be an AWFUL LOT of Mac slaves to actually swamp a DS-3 connection. In fact, I bet it isn't even possible.
You mean a lot of MacOS 9.0 slaves. How old is 9.0 anyhow? Three months? There is already a low enough population of Macs on the live-connected Internet for this to be difficult to exploit, but they also have to be upgraded to a three-month old OS, too! "I don't think so, Tim."
#naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
Don't know if this is related, but here is a link to the Cert Advisory discussing how Mac OS9 can be used as a 37.5 times DoS amplifier.
Hope this helps.
--Remove chicken to e-mail
How big is the ethernet frame that carries the 29 byte packet? 1500 bytes. This is a 1:1 attack. You could probably do twice as much damage if you just ping flooded from the unix box on the large pipe you rooted.
True, you get a bit of a multiplier in the response, but this still isn't an attack with a multiplier. Its not like the mac sends the same packet back out to the broadcast address which then starts all the other macs doing this. It would be more effective just to ping flood them from the rooted box on the big pipe. Think about it, if you have rooted a unix box on a fat pipe to coordinate the attack, why not just attack from there?
--
Mike Mangino Consultant, Analysts International
Mike Mangino
mmangino@acm.org
How is this 'supposed' new DoS attack different from what we've already seen?
Sounds simple in principle:
Pretend to be your target (IP spoof)
Ping a bunch of Macs
Watch real target fall over as all the Macs respond to the ping
How and why is this different? The 1500b packet? Is MacOS 9 unique in this?
Pardon my ignorance, just really curious.
-- What you do today will cost you a day of your life.
I'm not very familiar with IP spoofing, but isn't this possible with every system everywhere all the time?
If I sent ping packets with spoofed IPs to three hundred machines running any OS, wouldn't they respond with packets to the target machine?
-konstant
Yes! We are all individuals! I'm not!
-konstant
Yes! We are all individuals! I'm not!
well, this might be some 'hoax', but *someone* at apple posted a patch even though they seem to be off...
this is really standard stuff, there are at least as many misconfigured routers out there (on biggger pipes) than static IP OS9 machines... i doubt the existence of ANY Y2K plot using these machines...
anyway, the patch is at:
ftp://ftphqx.info.apple.com/Apple_Support_Area/
Those macs are good for something.
j/k
The copper bosses killed you, Joe. 'I never died', said he.
Now you can say to someone, 1930's gangster-style, that you're going to iWhack them.
I can see this kind of distributed DOS being called the 'iWhack Attack'.
.sig: Now legally binding!
apparently included in the ms investment, ms gave apple "some really good tcp/ip stack programmers."
US Citizen living abroad? Register to vote!
Wow, I never thought of using an OS's built-in networking code against itself, but heck, this sounds neat-O!
Really, this is a serious security issue. As an admin, I rue the day that OS9 is deployed if such a possibility remains "in the wild." Being stuck in the middle of AOL's subnet doesn't help, either, but at least eliminating this one source will save myself and countless others the hassle of hoping and praying that no script kiddie gets his hands on a tool to exploit this vulnerability.
I believe that this 3rd party patch may permit you to change your OT settings to prevent this.
Apple engineers and beta teams are on vacation until January 3. I don't know if this has already been addressed in the next patch to MacOS 9, but I guess they'll fix it now that it's known. Does this work in older versions of the MacOS?
bugger.net | MunkAndPhyber.com
"Help! My iMac is on UDP crack!"
No one ever installs those things. If every ISP filtered packets originating in the ISP with source addresses outside the ISP, smurf attacks (And several others) would be eliminated, too. The reasons are the same -- sheer ignorance. Bummer.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
yeah, except the ICMP_ECHO_REPLY is the same size as the ECHO_REQUEST you sent. Go read the good prof's write up. It points out that a 29 byte packet gets a 1500 byte reply. So your 33.6 modem could easily fill a T1. Try that with ICMP_ECHO.
Its not as bas as smurf was, but don't write this off.
Just in case you read this later, my mistake. The 29 byte UDP packet problem is still correct with a min transfer unit of 64 bytes, the smallest you can send is 64 bytes. Too much time looking at ATM : )
Thanks for setting me straight.
--
Mike Mangino Consultant, Analysts International
Mike Mangino
mmangino@acm.org
> Seriously, when has Apple's reaction ever been anything but "We have no official comment at this time"?
0 05
when they have something to say.
apple is not going to comment until they know exactly what is going on and have a patch.
if you'll notice and read some of the posts put up after yours, you'll discover that once apple did know what was going on and had a patch.. they commented and released the patch.
as for the apachebench bit, i think they did comment very quickly. i seem to pretty clearly remember reading a technote at apple's website about it. in fact i think that was where i first saw it, linked from macnn. i searched the Tech Info Library just now (which may not be the same as teh technotes) and was not able to locate what i thought i rememebred reading, but i did locate http://til.info.apple.com/techinfo.nsf/artnum/n59
which is a general OS X Server patch that seems to adress the apachebench problem.
i remember when the ping of death became a problem, but it was long enough ago i can't remember how apple handled it.
apple does not like to do anything unless they can be sure of what they're doing. they do not like releasing software before they think it's perfect. they do not like talking about unreleased software until they're certain it's ready to be talked about. they do not like to comment on things they don't know enough about to comment on correctly. this seems pretty reasonable to me-- at least, it's slightly better than vaporwaring and amplifying rumors based on information they haven't personally verified yet.
Irritable, left-wing and possibly humorous bumper stickers and t-shirts
MacOS 9 can be abused by an intruder to generate a large volume of traffic directed at a victim in response to a small amount of traffic produced by an intruder. This allows an intruder to use MacOS 9 as a "traffic amplifier," and flood victims with traffic. According to [3], an intruder can use this asymmetry to "amplify" traffic by a factor of approximately 37.5, thus enabling an intruder with limited bandwidth to flood a much larger connection. This is similar in effect and structure to a "smurf" attack, described in
http://www.cert.org/advisories/C A-98.01.smurf.html
Unlike a smurf attack, however, it is not necessary to use a directed broadcast to achieve traffic amplification.
and
Appendix A. Vendor Information Apple Computer We've reproduced the problem in our lab and we are working now to create a fix that can be easily distributed to our customers. The problem only affects customers running our most recent release of networking software on machines that are continuously attached to the internet.
While most Macintosh customers are not affected by this problem, we are moving quickly to put a solution in place.
While you are right in saying that trin00/TFN is a big problem, on has to remark, as you say yourself, the attack you mention needs a cracked box. :)), and I'll give you the IP-Adresses of 20 Macs with OS 9.
Show me ten boxes you have rooted (not your own please
The problem is that the script kiddies crack a few hosts sitting on T1s or better and then run the attack from there.
You might check out CERT's paper on distributed DoS attacks. They don't go into great detail, but it does explain how the kiddies operate.
Here's my question: Why aren't more ISPs filtering out IP packets that have a "From" address of a machine not covered by the ISP? If a router services an ip block of... say... 192.168.0.*, why doesn't it drop packets that don't come "from" that address? I suppose the big question is, why is address spoofing even an issue anymore? Is there some sort of roaming technology that might break? Can someone point out what would be back about this?
John Copeland has 42 patents on things as obvious as "Functionally Static Type Semiconductor Shift Register with Half Dynamic-Half Static Stages" and "Magnetic Bubble Enhanced Propagation Pulse Write for Lateral Displacement Coding". I'm all for patents and all, but not for obvious ones like these. This is as bad as Amazon! I think we should boycott him!
In short: Several products have been developed that use the delays and incongruities inherent to any TCP/IP stack to try and 'fingerprint' the OS. Nmap, for example, can tell the difference between Linux 2.0.xx, patched 2.0.xx, 2.1.xx and 2.2.xx. The TCP/IP stack only changed slightly between kernels, yet there is a discernable difference. None of these products, however, can sniff out one iota of difference between the Chicago, Win95, Win NT 4.0, Memphis or Win98 TCP/IP stacks. Why? They're the same! No change. Additional evidence: Notice how each and every one of the Microsoft OS's is/was vunerable to the same 'nuke' type attacks? This is very unlikely if they do not consist of the exact same code.
.sig: Now legally binding!
OS9 did run on the TRS-80 Color Computer, though FYI, it was third-party. And the developers (or whoever owns it now) weren't pleased by APple swiping the name.
a relawsuit.html.
See http://ww w.macobserver.com/news/99/september/990903/microw
(sigh) I need to keep up with my TLA's. I spent 5 minutes trying to figure out why being able to emulate a PC command line interpreter using distributed clients on Mac OS9 was anything worth freaking out over. :)
Sure, it's worth style points, but does CERT really need to know about it?
OK, this all seemed very strange, but I still had doubts that a mentally healthy professor of a respected university would spread hoax. But this was just too much. Quote:
:)
Apple has developed a patch, but it must be applied by OS-9 Macintosh owners before New Years Eve to be effective.
I guess someone has somehow acquired access to this guy's webpage and put all the BS there (like Mahir
The minimum ethernet frame is 64bytes. The actual UDP packet contains 29 bytes of data. Those bytes then get a UDP + IP header attached to it -- that's usually about 40 bytes. The ethernet card (driver, whatever) adds the ethernet MAC header (14 bytes?) and puts it on the cable...
Every layer the packet passes through with add and remove any necessary padding for transmission. For example, if that 69 byte IP frame were to pass through an ATM (AAL5) network, it would need two 53byte ATM cells.
They've updated their statement:
"Since CERT has posted their advisory this afternoon, it does appear to be something real. I still haven't been able to find any further internal information, but when I do, I will pass it along.
John"
http://discuss.info.apple.com/boards/macos.nsf/424 f8fb007a848d1862564c60074f8f1/5B274CA6 954706958625685500635B28?OpenDocument
"We have no official comment at this time.
Remember, we have a policy of not discussing unannounced updates. Once I find out any further
information, I will tell you what I can.
For one thing, it smells like a hoax to me. First, there is already a product called "OT Tuner"
from a third-party company (Sustainable Softworks), so we would be extremely unlikely to use
this name. Second, we would never supply any kind of "patch" software to an outside party
without making them sign a non-disclosure agreement. Third, most of the engineers were on
holiday at the end of last week, and it is very unlikely a patch could have been developed and
tested in such a short time without information going out internally within Apple (which hasn't
happened).
I'm not saying it is indeed a hoax, I'm just saying don't put a lot of validity to it until we know
more.
John Phelps
Forum Leader - Apple Support Discussions"
a) Have a very long list of Mac's running OS9
b) Send out a lot of UPD packets
In fact, you would have to send out as many packets as the attacked server will recieve. So basically, you have to have enough bandwidth to withstand your own DOS attack. Of course it does have the advantage of hiding your IP, but it sounds no more effective than "ping -f".
There's no reason for a sig here.
Maybe I'm completely missing something, but can't you just send it an ICMP ping request with a forged source address and have it send the response? This doesn't sound like anything special. Maybe if we could get some more information about the type of ICMP packet that is sent this could be helpful.
So normally, you send an ICMP response request packet (a ping packet) to a machine and it responds to you. This is a pretty simple concept. The problem is that you flood the connection with your ping requests. I believe ping floods are normally caused when you get the machine to respond on a broadcast or multicast address. If the mac just responds with a ping response, this isn't a very important discovery.
However, there are other kinds of ICMP (Internet Control Message Protocol) packets. Maybe this isn't a straight ping request or ping response flood. Unfortunately, there isn't more information provided about it. Can someone post more information?
--
Mike Mangino Consultant, Analysts International
Mike Mangino
mmangino@acm.org
Is there something peculiar to OS9 that leaves it vulnerable to this attack? What about other OSs? Can they detect a spoof?
Jazilla.org - the Java Mozilla
It's 10 PM. Do you know if you're un-American?
I mean, first the guy can't even properly spell OS 9 (there isn't a dash). Then he says that the attack can be easily perpetrated by people with root access to a large university system, as long as they can then erase all logs of their activity.
Yup. Sounds easy as pie to me.
Then there's some of his "proof", like the CERT email. From which he removes a paragraph with no indication what it used to say, and removes the PGP signature. It also merely talks about a completely different attack, and says "if we get time to look at this alleged OS 9 thing, we'll try."
Just smells fishy to me.
ryan
This page presents evidence of a conspiracy to shut down Internet Connections. Zero-hour is probably New Years Eve, EST.
And how exactly is this more dangerous than trin00 / Tribe Flood Network? For those who haven't heard of trin00/TFN, it is networks of hundreds of r0043d machines on the Internet, each running daemons with the sole purpose of flooding any IP from widely scattered machines, all under the control of 5kr1p4 k1dd3z.
I suppose if the trin00/TFN code were updated to support this new kind of DoS as an option, it could be bad, but a bug like this can not be easily exploited to disrupt the internet itself, since Macs make up such a small population of the "live" Internet.
This is not to say that the DoS can't be launched against the MacOS 9.0 machines themselves, but the potential for widespread 1/1/2000 mischief is limited.
#naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
Nope. There was an "issue" with Win98 and one of the Win2K betas or RCs and IGMP floods. They'd cause a bluescreen in the affected versions of Win98 and Win2K, but didn't in Win95 or NT4.
CERT Advisory
37.5x traffic amplication. Wheeeeeeee.
Although that is incredibly dangerous, this guy is actually making a claim of an expected international y2k attack on the basis of two foreign port scans. hmmmm. Someone had a bit too much coffee.
Anyhow, I can't seem to find any reference of this on Bugtraq. He appears to have only informed CERT and his local network admin.
matt
Guess it's not a hoax, and I have to give props to Apple for the quick response...
n 11559
http://asu.info.apple.com/swupdates.nsf/artnum/
Description
OT Tuner 1.0 switches off an option in Open Transport that would cause a Macintosh to respond to certain small network packets with a large Internet Control Message Protocol (ICMP) packet. This update prevents Macintosh computers from being the cause of certain types of Denial of Service (DOS)
issues.
To install, drag the OT Tuner 1.0 file to the System Folder (the tuner will be put in the extensions folder for you). Then restart your Macintosh.
The Mac Resource Page had the best coverage of this DoS attack, imho. They cover it a lot better and in more detail than I could, so instead of repeating their words, I'll just post a link to them here: http://www.macresource.com/. Apple did indeed release a patch today by the name of "Open Transport Tuner". You can find it at the Apple Software Library (http://asu.info.apple.com/) on the "Recent Changes" page.
He's just jealous that they ended up not naming their OS after him.
---
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
I defer to a recently-received email from Geoff Duncan, technical editor of Tidbits.com:
*****
Date: Tue, 28 Dec 1999 13:06:31 -0800
From: Geoff Duncan
Subject: Re: Mac DoS Attack
While the attack outlined by Copeland is feasible, it's worth noting the 1500-byte ICMP responses he describes are not isolated to Mac OS 9, and are more-or-less standard practice in a number of networking implementations, regardless of whether those are based on Mentat's STREAMS. Macs running Mac OS 9 are by no means the only systems which demonstrate this behavior; in fact, I can easily make a number of dedicated routers behave the same way. If I were a cracker intent on causing damage with this sort of attack, why would I bother to locate Macintoshes on DSL or cable modem networks when I can utilize the same behaviors in thousands of routers all over the Internet, each of which is presumably easy to locate and has reasonable (or excessive) amounts of bandwidth at its disposal?
The amplification attack Copeland describes involved gaining root access to a box with a big pipe - probably something running a flavor of Linux, Unix, or NT - and creating home-make forged packets. There are a number of potentially devastating attacks that can be launched under those circumstances that have nothing to do with Macs. TidBITS has been treated to a small selection of these sorts of attacks for the last several weeks. Calling for Mac OS 9 computers to be patched or taken off the net is not going to solve the problem or eliminate the feasibility of the attack Copeland describes.
Also, Copeland's speculation that the datagrams he detected are probes pursuant to Macintosh-specific News Year's Eve attacks are best described as unsubstantiated speculation. At worst, they might be described as irresponsible. I would hope any further coverage this report gains in the Macintosh press will be more objective than what's currently playing on the standard "rumor" sites.
*****
The purpose of this scheme, which I call a "Mac DoS Attack," is to generate a large amount of ICMP Internet traffic going to a specific target. This scheme can be replicated to attack many different targets, with little chance that the perpetrators will be caught. Phase I - Scanning The attackers run computer programs that sends UDP packets to every Internet address in the address ranges assigned to CATV cable modem and ADSL modem providers. Addresses that have Macintosh computers attached and operating will respond with a 1500-byte ICMP packet. These addresses are kept in a list for Phase 2. I will refer to the Macintosh computers at these addresses as "slaves."Phase 2 - Attack A computer at a location like a University is "root compromised." This means the aggressor group has used one of the many well-known techniques to gain the administrator password so they can load their own programs, which may be scheduled to run at a later time (like Christmas Eve or New Year's Eve). The compromised computer is given a list of addresses for 40 slaves, and the address of a specific target. The log files are erased so that no one will later be able to tell who installed the attack program. When the attack program starts running, it sends trigger packets in rotation to the forty or more slaves on its list. The source (return) Internet address is forged to be that of the target. The slaves then send a 1500 byte ICMP packet to the target each time they receive a 40-byte trigger packet. If the attack computer sends 4000 40-byte trigger packets per second (bit rate less than 1.3 Mbps), the slave will send 4000 1500-byte packets to the target (bit rate 48 Mbps). |-------------> Slave ------------>| Control |-------------> Slave ------------>| Computer ------->|-------------> Slave ------------>|-------> Target |-------------> Slave ------------>| | * * * | 4000 1500-byte 4000 40-B pkt/s 100 40-B pkt/s 100 1500-B pkt/s ICMP pkts/s to each slave from each slave = 48 Mbps This figure shows the process of "byte amplification." The target organization (or organizations) is cut off from the Internet because it's connection, a 1.5 Mbps (million bit per second) T-1 or a 45 Mbps DS-3 digital line is swamped with ICMP packets from forty different sources. Note that 30 different T-1 connections could be swamped by varying the return addresses in the trigger packets).
Had to search the web site a little to find this, so I thought I'd post it to make people's lives easier. The problem I see with the theory above is that: what ADSL/Cable connection could support 48 Mbps of data from the Macs? I think there would have to be an AWFUL LOT of Mac slaves to actually swamp a DS-3 connection. In fact, I bet it isn't even possible.