Slashdot Mirror


Mac OS9 Flood Attack

Yoel Inbar writes "John Copeland, a professor at Georgia Tech, has discovered the possibility of using Macs running OS 9 as a distributed DOS tool. Basically, by sending a Mac running OS 9 a custom UDP packet, you can get it to reply with a 1500 byte ICMP packet (these packets are normally sent as part of MTU discovery). Send these UDP packets to a bunch of Macs, spoof the source addresses....voila, instant DOS. Apparently this is "in the wild"; he reports several scans designed to elicit these packets."

13 of 185 comments

  1. Re:Can we get more information by Rilke · · Score: 3

    The difference here is that I can trigger a response much larger than the request. If I send an ICMP ping of 1000 bytes, the response is going to be 1000 bytes.

    But with this attack, I can trigger a response of 1024 bytes by sending only 24 bytes. The idea being that I can fill the victim's pipeline without filling my own.

    But for the most part that's just bogus. The difference in size just isn't that great. A script kiddie will fill his own ppp bandwidth with the triggers long before whitehouse.gov gets overloaded with the payload. Also, much of the bottleneck is due to # of packets rather than # of bytes, and the # of packets is identical for attacker and victim.

    Apple should fix the hole, but in the grand scheme of things this isn't huge security news, especially given the paucity of Mac servers on the Net (where this could really do some damage).
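    The byte-versus-packet point made above is exactly what a defender wants to measure on their own network: a host is acting as a reflector when the ICMP bytes it sends to some address dwarf the UDP bytes it received "from" that address, even though the packet counts on both sides match. The following is an added example, not code from the thread or from Copeland's report; it assumes a simplified, constructed flow-record format (`PROTO src > dst len=N`) rather than any real collector's output, and all addresses in the sample are documentation ranges.

```python
"""Spot reflector-style amplification in flow records (added example, constructed data).

Per (responder, apparent requester) pair it compares the UDP bytes received with
the ICMP bytes sent back; pairs whose ratio exceeds a threshold are reported, and
the same data is then aggregated per apparent requester, which is the spoofed
victim's view of the attack.
"""
import re
from collections import defaultdict

# Constructed sample records.  Three hosts each answer a 24-byte UDP datagram
# with a 1500-byte ICMP datagram to the same (spoofed) address; the last pair
# is an ordinary port-unreachable reply and should not be flagged.
SAMPLE_RECORDS = """\
UDP 203.0.113.7 > 192.0.2.10 len=24
ICMP 192.0.2.10 > 203.0.113.7 len=1500
UDP 203.0.113.7 > 192.0.2.11 len=24
ICMP 192.0.2.11 > 203.0.113.7 len=1500
UDP 203.0.113.7 > 192.0.2.12 len=24
ICMP 192.0.2.12 > 203.0.113.7 len=1500
UDP 198.51.100.5 > 192.0.2.10 len=512
ICMP 192.0.2.10 > 198.51.100.5 len=56
"""

# Hypothetical record format assumed for this example only.
RECORD_RE = re.compile(r"^(UDP|ICMP)\s+(\S+)\s*>\s*(\S+)\s+len=(\d+)$")


def parse_records(text):
    """Return a list of (proto, src, dst, nbytes) tuples; unparseable lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            proto, src, dst, n = m.groups()
            flows.append((proto, src, dst, int(n)))
    return flows


def find_reflectors(flows, min_ratio=10.0):
    """Map (responder, requester) -> stats for pairs whose ICMP/UDP byte ratio >= min_ratio."""
    udp_in = defaultdict(lambda: [0, 0])    # (responder, requester) -> [bytes, packets]
    icmp_out = defaultdict(lambda: [0, 0])  # same key, for the replies
    for proto, src, dst, n in flows:
        if proto == "UDP":
            udp_in[(dst, src)][0] += n
            udp_in[(dst, src)][1] += 1
        elif proto == "ICMP":
            icmp_out[(src, dst)][0] += n
            icmp_out[(src, dst)][1] += 1
    hits = {}
    for key, (udp_bytes, udp_pkts) in udp_in.items():
        icmp_bytes, icmp_pkts = icmp_out.get(key, (0, 0))
        if udp_bytes and icmp_bytes / udp_bytes >= min_ratio:
            hits[key] = {"ratio": icmp_bytes / udp_bytes,
                         "udp_packets": udp_pkts, "icmp_packets": icmp_pkts}
    return hits


def victim_totals(hits, flows):
    """Per apparent requester: (number of distinct reflectors, total ICMP bytes aimed at it)."""
    per_victim = defaultdict(lambda: {"reflectors": set(), "icmp_bytes": 0})
    for responder, requester in hits:
        per_victim[requester]["reflectors"].add(responder)
    for proto, src, dst, n in flows:
        if proto == "ICMP" and (src, dst) in hits:
            per_victim[dst]["icmp_bytes"] += n
    return {v: (len(d["reflectors"]), d["icmp_bytes"]) for v, d in per_victim.items()}


if __name__ == "__main__":
    flows = parse_records(SAMPLE_RECORDS)
    hits = find_reflectors(flows)
    for (responder, requester), s in sorted(hits.items()):
        print(f"{responder} amplifies {s['ratio']:.1f}x toward {requester} "
              f"({s['udp_packets']} UDP in, {s['icmp_packets']} ICMP out)")
    for victim, (count, nbytes) in victim_totals(hits, flows).items():
        print(f"{victim}: {nbytes} ICMP bytes from {count} reflectors")
```

    Run against the constructed sample it reports each of the three hosts at 62.5x with one packet in and one out, and 4500 bytes converging on the single spoofed address; the ordinary port-unreachable exchange falls well under the threshold. Keying on bytes rather than packets is deliberate, since, as the comment notes, packet counts alone do not distinguish an amplifier from a normal request/reply pair.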

  2. the microsoft investment... by kevin+lyda · · Score: 5

    apparently included in the ms investment, ms gave apple "some really good tcp/ip stack programmers."

    --
    US Citizen living abroad? Register to vote!
  3. OT Advanced Tuner by waldoj · · Score: 3

    I believe that this 3rd party patch may permit you to change your OT settings to prevent this.

  4. Re:A new hacking tool? ;) by barbaBob · · Score: 3

    I take it that you don't deploy Windows 95, 98 or NT either because of the vulnerabilities that those particular operating systems have, especially in networked environments?

    What strikes me as a bit weird is that whenever the MacOS operating system has such a vulnerability everybody is going ballistic, as if it proves a point they have been making all along. Might be my peculiar way of looking at things tho :)

    I've been working with all three operating systems for quite a few years now, and MacOS - at least up to 8.6 - remains the most secure out-of-the-box operating system out. A well tuned and maintained Mac server remains one of the most secure internet platforms out there. It's up and running in less than a minute, a snap to set up and maintain.

    Of course, it has purposes it's best suited for and situations you'd rather not use one. Same goes for Linux, or any other operating system out there. Which is why I use MacOS, Linux and IRIX, and as little NT as possible :)

    Cya
    bBob

    (who is very happily running a mixed MacOS/Linux setup)

    --
    *sig*

  5. Boycott John Copeland! by SPorter · · Score: 3

    John Copeland has 42 patents on things as obvious as "Functionally Static Type Semiconductor Shift Register with Half Dynamic-Half Static Stages" and "Magnetic Bubble Enhanced Propagation Pulse Write for Lateral Displacement Coding". I'm all for patents and all, but not for obvious ones like these. This is as bad as Amazon! I think we should boycott him!

  6. Apple's Statement by waldoj · · Score: 5

    http://discuss.info.apple.com/boards/macos.nsf/424f8fb007a848d1862564c60074f8f1/5B274CA6954706958625685500635B28?OpenDocument

    "We have no official comment at this time.

    Remember, we have a policy of not discussing unannounced updates. Once I find out any further
    information, I will tell you what I can.

    For one thing, it smells like a hoax to me. First, there is already a product called "OT Tuner"
    from a third-party company (Sustainable Softworks), so we would be extremely unlikely to use
    this name. Second, we would never supply any kind of "patch" software to an outside party
    without making them sign a non-disclosure agreement. Third, most of the engineers were on
    holiday at the end of last week, and it is very unlikely a patch could have been developed and
    tested in such a short time without information going out internally within Apple (which hasn't
    happened).

    I'm not saying it is indeed a hoax, I'm just saying don't put a lot of validity to it until we know
    more.

    John Phelps
    Forum Leader - Apple Support Discussions"

  7. Wouldn't that be quite difficult by Asparfame · · Score: 3

    In order to perform a worthy DOS though, you would need to

    a) Have a very long list of Macs running OS9

    b) Send out a lot of UDP packets

    In fact, you would have to send out as many packets as the attacked server will receive. So basically, you have to have enough bandwidth to withstand your own DOS attack. Of course it does have the advantage of hiding your IP, but it sounds no more effective than "ping -f".

    --

    There's no reason for a sig here.

  8. Can we get more information by mangino · · Score: 3

    Maybe I'm completely missing something, but can't you just send it an ICMP ping request with a forged source address and have it send the response? This doesn't sound like anything special. Maybe if we could get some more information about the type of ICMP packet that is sent this could be helpful.

    So normally, you send an ICMP response request packet (a ping packet) to a machine and it responds to you. This is a pretty simple concept. The problem is that you flood the connection with your ping requests. I believe ping floods are normally caused when you get the machine to respond on a broadcast or multicast address. If the mac just responds with a ping response, this isn't a very important discovery.

    However, there are other kinds of ICMP (Internet Control Message Protocol) packets. Maybe this isn't a straight ping request or ping response flood. Unfortunately, there isn't more information provided about it. Can someone post more information?
    --
    Mike Mangino
    Consultant, Analysts International
    mmangino@acm.org

  9. Does this seem like a dumbass to anyone else? by CynicX32 · · Score: 3

    I mean, first the guy can't even properly spell OS 9 (there isn't a dash). Then he says that the attack can be easily perpetrated by people with root access to a large university system, as long as they can then erase all logs of their activity.

    Yup. Sounds easy as pie to me.

    Then there's some of his "proof", like the CERT email. From which he removes a paragraph with no indication what it used to say, and removes the PGP signature. It also merely talks about a completely different attack, and says "if we get time to look at this alleged OS 9 thing, we'll try."

    Just smells fishy to me.

    ryan

  10. Apple just released OT Tuner 1.0 by blukens · · Score: 3

    Guess it's not a hoax, and I have to give props to Apple for the quick response...

    http://asu.info.apple.com/swupdates.nsf/artnum/n11559

    Description
    OT Tuner 1.0 switches off an option in Open Transport that would cause a Macintosh to respond to certain small network packets with a large Internet Control Message Protocol (ICMP) packet. This update prevents Macintosh computers from being the cause of certain types of Denial of Service (DOS) issues.

    To install, drag the OT Tuner 1.0 file to the System Folder (the tuner will be put in the extensions folder for you). Then restart your Macintosh.

  11. Here's the info... by plaidhat · · Score: 3

    The Mac Resource Page had the best coverage of this DoS attack, imho. They cover it a lot better and in more detail than I could, so instead of repeating their words, I'll just post a link to them here: http://www.macresource.com/. Apple did indeed release a patch today by the name of "Open Transport Tuner". You can find it at the Apple Software Library (http://asu.info.apple.com/) on the "Recent Changes" page.

  12. Copeland by Sloppy · · Score: 4

    He's just jealous that they ended up not naming their OS after him.

    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.

  13. not just a Mac OS 9 problem by frankie · · Score: 5

    I defer to a recently-received email from Geoff Duncan, technical editor of Tidbits.com:

    *****

    Date: Tue, 28 Dec 1999 13:06:31 -0800
    From: Geoff Duncan
    Subject: Re: Mac DoS Attack

    While the attack outlined by Copeland is feasible, it's worth noting the 1500-byte ICMP responses he describes are not isolated to Mac OS 9, and are more-or-less standard practice in a number of networking implementations, regardless of whether those are based on Mentat's STREAMS. Macs running Mac OS 9 are by no means the only systems which demonstrate this behavior; in fact, I can easily make a number of dedicated routers behave the same way. If I were a cracker intent on causing damage with this sort of attack, why would I bother to locate Macintoshes on DSL or cable modem networks when I can utilize the same behaviors in thousands of routers all over the Internet, each of which is presumably easy to locate and has reasonable (or excessive) amounts of bandwidth at its disposal?

    The amplification attack Copeland describes involved gaining root access to a box with a big pipe - probably something running a flavor of Linux, Unix, or NT - and creating home-made forged packets. There are a number of potentially devastating attacks that can be launched under those circumstances that have nothing to do with Macs. TidBITS has been treated to a small selection of these sorts of attacks for the last several weeks. Calling for Mac OS 9 computers to be patched or taken off the net is not going to solve the problem or eliminate the feasibility of the attack Copeland describes.

    Also, Copeland's speculation that the datagrams he detected are probes pursuant to Macintosh-specific New Year's Eve attacks is best described as unsubstantiated speculation. At worst, it might be described as irresponsible. I would hope any further coverage this report gains in the Macintosh press will be more objective than what's currently playing on the standard "rumor" sites.

    *****