Mac OS 9 Flood Attack
Yoel Inbar writes "John Copeland, a professor at Georgia Tech, has discovered the possibility of using Macs running OS 9 as a distributed DoS tool. Basically, by sending a Mac running OS 9 a custom UDP packet, you can get it to reply with a 1500-byte ICMP packet (these packets are normally sent as part of MTU discovery). Send these UDP packets to a bunch of Macs, spoof the source addresses... voila, instant DoS.
Apparently this is "in the wild"; he reports several scans designed to elicit these packets."
Apparently included in the MS investment: MS gave Apple "some really good TCP/IP stack programmers."
US Citizen living abroad? Register to vote!
http://discuss.info.apple.com/boards/macos.nsf/424f8fb007a848d1862564c60074f8f1/5B274CA6954706958625685500635B28?OpenDocument
"We have no official comment at this time.

Remember, we have a policy of not discussing unannounced updates. Once I find out any further information, I will tell you what I can.

For one thing, it smells like a hoax to me. First, there is already a product called "OT Tuner" from a third-party company (Sustainable Softworks), so we would be extremely unlikely to use this name. Second, we would never supply any kind of "patch" software to an outside party without making them sign a non-disclosure agreement. Third, most of the engineers were on holiday at the end of last week, and it is very unlikely a patch could have been developed and tested in such a short time without information going out internally within Apple (which hasn't happened).

I'm not saying it is indeed a hoax, I'm just saying don't put a lot of validity to it until we know more.

John Phelps
Forum Leader - Apple Support Discussions"
I defer to a recently-received email from Geoff Duncan, technical editor of Tidbits.com:
*****
Date: Tue, 28 Dec 1999 13:06:31 -0800
From: Geoff Duncan
Subject: Re: Mac DoS Attack
While the attack outlined by Copeland is feasible, it's worth noting the 1500-byte ICMP responses he describes are not isolated to Mac OS 9, and are more-or-less standard practice in a number of networking implementations, regardless of whether those are based on Mentat's STREAMS. Macs running Mac OS 9 are by no means the only systems which demonstrate this behavior; in fact, I can easily make a number of dedicated routers behave the same way. If I were a cracker intent on causing damage with this sort of attack, why would I bother to locate Macintoshes on DSL or cable modem networks when I can utilize the same behaviors in thousands of routers all over the Internet, each of which is presumably easy to locate and has reasonable (or excessive) amounts of bandwidth at its disposal?
The amplification attack Copeland describes involved gaining root access to a box with a big pipe - probably something running a flavor of Linux, Unix, or NT - and creating home-made forged packets. There are a number of potentially devastating attacks that can be launched under those circumstances that have nothing to do with Macs. TidBITS has been treated to a small selection of these sorts of attacks for the last several weeks. Calling for Mac OS 9 computers to be patched or taken off the net is not going to solve the problem or eliminate the feasibility of the attack Copeland describes.
Also, Copeland's speculation that the datagrams he detected are probes pursuant to Macintosh-specific New Year's Eve attacks is best described as unsubstantiated speculation. At worst, it might be described as irresponsible. I would hope any further coverage this report gains in the Macintosh press will be more objective than what's currently playing on the standard "rumor" sites.
*****
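The pattern described in the story (a small UDP datagram with a forged source elicits a 1500-byte ICMP datagram to whoever the source claims to be) and Duncan's point that many routers reflect the same way both come down to one detectable traffic shape: one claimed source address "probes" many hosts, and each of them sends a large ICMP datagram back to it. Below is an added example, written for this page and not code from Copeland, TidBITS or Apple, that runs that detection over constructed flow records. The record layout, the sample addresses, the 1400-byte threshold and the reflector count are all assumptions; the page does not give the UDP payload or the ICMP type involved, so the detector keys only on direction and size, which is also why it is not Mac-specific.

```python
from collections import defaultdict

# Flow record layout assumed for this example: (src_ip, dst_ip, proto, bytes),
# one record per datagram. Constructed sample traffic: 203.0.113.10 is the
# address the attacker forges as the source (the real victim), 198.51.100.1-4
# are hosts that answer a small UDP datagram with a 1500-byte ICMP datagram,
# and 192.0.2.7 is ordinary unrelated traffic that must not be flagged.
SAMPLE_FLOWS = [
    ("203.0.113.10", "198.51.100.1", "udp", 60),
    ("198.51.100.1", "203.0.113.10", "icmp", 1500),
    ("203.0.113.10", "198.51.100.2", "udp", 60),
    ("198.51.100.2", "203.0.113.10", "icmp", 1500),
    ("203.0.113.10", "198.51.100.3", "udp", 60),
    ("198.51.100.3", "203.0.113.10", "icmp", 1500),
    ("203.0.113.10", "198.51.100.4", "udp", 60),
    ("198.51.100.4", "203.0.113.10", "icmp", 1500),
    # benign: a DNS-sized UDP exchange and a small ICMP echo/reply pair
    ("192.0.2.7", "198.51.100.53", "udp", 72),
    ("198.51.100.53", "192.0.2.7", "udp", 120),
    ("192.0.2.7", "198.51.100.1", "icmp", 64),
    ("198.51.100.1", "192.0.2.7", "icmp", 64),
]


def reflection_pairs(flows, min_reply_bytes=1400):
    """Pair every UDP datagram (claimed_src -> dst) with large ICMP datagrams
    flowing back dst -> claimed_src.

    Returns {claimed_src: {reflector: (udp_bytes_in, icmp_bytes_out)}}.
    Only ICMP datagrams of at least min_reply_bytes count, so ordinary
    echo replies and small error messages do not create pairs.
    """
    udp_bytes = defaultdict(int)   # (claimed_src, dst) -> bytes of UDP probes
    icmp_bytes = defaultdict(int)  # (src, dst) -> bytes of large ICMP datagrams
    for src, dst, proto, length in flows:
        if proto == "udp":
            udp_bytes[(src, dst)] += length
        elif proto == "icmp" and length >= min_reply_bytes:
            icmp_bytes[(src, dst)] += length

    pairs = defaultdict(dict)
    for (claimed_src, reflector), sent in udp_bytes.items():
        got = icmp_bytes.get((reflector, claimed_src), 0)
        if got:
            pairs[claimed_src][reflector] = (sent, got)
    return dict(pairs)


def amplification_victims(flows, min_reply_bytes=1400, min_reflectors=3):
    """Flag claimed source addresses that "probed" at least min_reflectors
    hosts and received a large ICMP datagram from each one.

    Seen from the network hosting the reflectors, that address is the spoofed
    victim, not the attacker: the real sender is whoever forged the packets.
    Returns {victim: {"reflectors": n, "amplification": icmp_bytes/udp_bytes}}.
    """
    result = {}
    for victim, reflectors in reflection_pairs(flows, min_reply_bytes).items():
        if len(reflectors) < min_reflectors:
            continue
        sent = sum(udp for udp, _ in reflectors.values())
        got = sum(icmp for _, icmp in reflectors.values())
        result[victim] = {
            "reflectors": len(reflectors),
            "amplification": got / sent,
        }
    return result


if __name__ == "__main__":
    for victim, info in amplification_victims(SAMPLE_FLOWS).items():
        print(f"{victim}: {info['reflectors']} reflectors, "
              f"{info['amplification']:.1f}x bytes amplification")
```

On the constructed sample the forged address 203.0.113.10 is paired with four reflectors and a 25x byte amplification (4 x 60 bytes in, 4 x 1500 bytes out), while 192.0.2.7 never appears because its ICMP traffic is below the size threshold. In real flow data you would run this per time window and treat a flagged address as the target to notify, and the inbound UDP as the scan Copeland reported, not as evidence of who is sending it.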