Apple's Response to "Denial of Service"
carbondave writes "Apple has made an update for Open Transport and it is currently available for download at Apple's website.
Here are the contents of the read me that comes along with it.
OT Tuner 1.0 switches off an option in Open Transport that would cause a Macintosh to respond to certain small network packets with a large Internet Control Message Protocol (ICMP) packet. This update prevents Macintosh computers from being the cause of certain types of Denial of Service (DOS) issues.
" This is a follow-up to yesterday's coverage of OS9 machines being used in DoS attacks.
I guess the best hoaxes are the ones that companies release patches for?
Apple got it out about an hour after the Slashdot post; very good compared to "other" software companies.
At Apple's website:
Description
OT Tuner 1.0 switches off an option in Open Transport that would cause a Macintosh to respond to certain small network packets with a large Internet Control Message Protocol (ICMP) packet. This update prevents Macintosh computers from being the cause of certain types of Denial of Service (DOS) issues.
It appears that downloading and installing the patch would prevent the Mac from being able to do a DOS. That function could come in useful someday... unless it closes a security hole in the Mac, why bother to get it? It simply limits the capabilities of the Mac (while running OS 9).
Hmmm... patches like this are somewhat useless unless:
A: The patch protects the Mac from getting attacked by a DOS.
B: People are stupid enough to download them.
Am I missing something? It does not make sense why someone would want to prevent their computer from being able to do a DOS - most people want their computer to be safe from DOS - they don't care if it can do one or not.
Is it progress if a cannibal uses a fork?
From the Copeland FAQ:
you may be legally liable for making it possible for a cyber-terrorist to use your computer to attack someone else, if you do not apply the fix and still leave your Macintosh connected to the Internet.
Leaving an unpatched Mac connected to the internet is like giving a loaded gun to a monkey. Remember there is a "conspiracy to shut down Internet Connections."
But when, John!? When? Christ almighty, tell us when this dreaded attack will take place!
Zero-hour is probably New Years Eve, EST.
Somebody's been sniffing the old Maser a bit much lately.
Seriously, it's great to see a commercial company actually respond to a serious software fault, rather than blame the user, the competitors, the media, or the small furry creatures from Alpha Centauri who have been helping with the debugging.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
100 bugs in the code,
100 bugs in the code,
Squash a bug, type "make all",
...
101 bugs in the code,
101 bugs in the code...
Sorry, I haven't woken up yet.
Kaa
Kaa's Law: In any sufficiently large group of people most are idiots.
It could be possible that Apple released their patch because they did not want to be held as responsible in case this was really put to use. They also could have released it in order to decrease network bandwidth use by the systems themselves (1500 bytes does add up after a while.)
There is also a CERT advisory covering this and a few other DoS's (i.e. TFN2K). The CERT advisory is available at http://www.cert.org/advisories/CA-99-17-denial-of-service-tools.html.
I'll repeat a quote from mentat.com that I saw in yesterday's discussion:
MPS is the native STREAMS on Apple Mac OS, Novell NetWare, Wind River VxWorks, Hewlett-Packard HP-UX, IBM AIX, Digital UNIX, and many other leading computer and embedded operating systems. According to available info, MPS is where the Mac Attack exploit was found. What other systems will also amplify similar packet attacks?
Or, Apple could have released this patch to look good. PR is extremely important, especially in tech industries. When computer-illiterate people want answers to tech questions, they usually ask their "resident geek" - a kid who knows what he's talking about. If that kid reads Slashdot (as any self-respecting resident geek should), his answer to "Is Apple security-conscious?" will probably have a lot to do with the stories he sees here and elsewhere. Eventually, every software company in the world is going to figure out that if they look good to Slashdot, they'll be more successful. Hopefully, that will mean actual improvements in quality. So, yeah, maybe this is a Good Thing.
Apple is definitely to be commended here. I just hope that where MacOS 9 is deployed, the system owners will respond as quickly in updating their systems. I suspect the knowledgeable network admins probably will. The earlier comment about liability scares the shit out of me but might be a good motivation.
I won't believe it when I see it... it now takes even more for me to believe something... I wouldn't be surprised to find that the "patch" doesn't work... or that it does more than fix the problem.
Why bother to get it? Because your Mac can be used to flood a network. The patch prevents the Mac from doing something it should not... replying with a 1500-byte packet in response to a 29-byte packet. It in NO WAY limits the capabilities of OS9 (or 8.6). Why don't you read all of the relevant information on this!
Am I missing something?
YES!
This does not make sense why someone would want to prevent their computer from being able to do a DOS - most people want their computer to be safe from DOS - they don't care if it can do one or not.
Try this: does it make sense for Linux to respond with a 1500-byte ICMP packet in response to a 29-byte (UDP?) query? I think the internet would be at a crawl as we speak. The fact of the matter is, the Mac was doing something that it does not need to be doing. Mac OS only does this on certain versions. The bug was not there before these certain versions. Macs have operated on the internet with previous versions of the MacOS... and do not do this.
Many people should care if their Mac (or other computer) is able to do a DOS, especially when the feds knock on their door because they are flooding a govt site.
Yes you missed something...
This doesn't stop the user [guy behind the keyboard] from doing a DoS... it doesn't even slow him down...
What this does is prevent a third party [not the guy behind the keyboard] from using the Mac for a DoS.
So this DOES close a security hole in the system.. it doesn't let them do anything serious to the victim computer but it does allow a script kiddie to use a victim's Mac to mount an attack on an unsuspecting target
I don't actually exist.
I seem to recall that I had an OT Tuner extension on my Mac several years ago. Boosted performance a touch when I was on ethernet. I've since gotten a new computer, so I can't check to see if they are identical or not.
Anyone know if it's the same one?
Tom
I did, with ResEdit... this is a very odd extension. The 'INIT' resource appears to contain just raw data instead of typical INIT code. There are also ASCII names of several Open Transport routines (presumably, the ones being patched). But why put this into an INIT which can be disabled via Extensions Manager? Why not do what they did with the Font Manager Update for 8.6; patch the Extensions Manager prefs so that this obviously important piece of software can't be disabled easily? The code should be similar to the FMU code, so it shouldn't be that hard to implement. Either that, or set it up as a 'scri' file, so it can't even be seen by EM (although it would then load before OT does, so maybe that's not such a good idea).
Also, as of this morning, this was still not available via Mac OS 9's built-in Software Update. I hope we aren't expected to all know to go to Apple's site and download the patch ourselves....
I use Macs for work, Linux for education, and Windows for cardplaying.
I find any Slashdot coverage of DOS issues vaguely ironic, as the Slashdot effect is probably responsible for more DOS attacks on web servers than any other person/group/effect. It's especially funny because the targets of these attacks are supposedly sites of interest to the attackers. It's kind of like one of the web-defacement groups DOS-ing attrition.org, or something.
That's not to say that I'm going to stop participating in the daily massive distributed DOS attempts. No one ever said the Internet was a republic.
While I don't contest that ``looking good to /.'' is usually a good thing, I don't think the sheer act of pleasing the populace here is necessarily a winning situation in all cases. Let's face it, /.ers (myself included) don't always take the reasonable course.
Usually only Open Source-based products get patches that fast. Not only is Apple's Open Transport not Open Source, it's licensed from a third party to boot. Even though OT is pretty easy to tweak, it's still impressive that Apple did the Right Thing so fast.
I'm sure there were script kiddies out there hoping to exploit this particular hole - but I have my doubts about the "Y2K/black helicopters" scenario that the fellow who spotted this bug seems to believe is imminent...
-- Josh Turiel
"2. Do not eat iPod Shuffle."
C'mon guys. Are you also going to post every bug in NT, Solaris, Linux, BSD and whatever OS on Slashdot? This is bugtraq material, and not really interesting for slashdot readers.
http://www.macintouch.com/macattack.html for details.
-matt
---
Wha? TV & Movie Theme Songs? Oh yeah....
Among its readers' findings:
OT Tuner disables connections to the 'base station' for iBooks and other AirPort-compatible Macs, and makes TCP/IP connections via Timbuktu Pro impossible.
OS 9 users may already have a solution on their install CDs, a control panel called "TCP/IP Options" which is unsupported by Apple, but can disable the IP Path MTU Discovery feature that reportedly causes the 'Mac attack.' Apple has a Tech Info Library about TCP/IP Options: http://til.info.apple.com/techinfo.nsf/artnum/n21
Finally, a Mac network software guy said the problem is indeed related to OT using Mentat/TCP 3.5's new method of Automatic Path MTU Discovery. OT previously would set all outgoing datagrams as "Don't Fragment," though OT Tuner changes that. (whatever the hell that means.)
More is here at http://www.macintouch.com/macattack.html
J.
damned vulpine http://sb.drtwister.com/
Think how many UNIX boxes are rootable despite the best efforts of CERT and BugTraq, and these people are supposed to know better! You can thank incompetent and lazy sysadmins the next time your network is the victim of a distributed UDP/ICMP DoS attack. The tools to cause this kind of chaos are becoming more and more widespread (Trin00 and TFN on the UNIX side, and now this Mac-targeted tool), and if you thought Smurf attacks were bad, imagine something that's impossible to stop and just as untraceable rendering your network useless.
It's a pretty fucked-up situation. And it's not gonna get any better any time soon, I'm afraid.
- A.P.
--
"One World, one Web, one Program" - Microsoft promotional ad
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
the file date created/modified is Mon, 12/27/99, 12:00AM.
I don't even like apples.
Pears are cool, though.
- A.P.
Ok, listen up people, I have a mac, I got the patch, and it didn't do anything but mess up my networking. There's a report over at macnn about a bunch of people who wrote in to macnn with the problems they had and how they went away once they disabled the patch. Same thing happened to me.
I admit that it IS impressive that apple got that patch up so damn fast (like a few hours after the slashdot post), but something is screwy with it. Hopefully 1.1 will come out soon (it was 1.0).
Anyways, so if you have a Mac, don't install it. You'll have problems.
Joseph?
From what I was reading about this, they were claiming that a (roughly) 40 byte ICMP query could generate a 1500 byte response creating a multiplier of about 38x.
I thought that the standard ethernet frame size was 1500, and that would effectively make that a 1 to 1 DOS attack. (That is, the multiplier is meaningless because the packets aren't bundled within a frame).
What am I missing? Can you package multiple packets within a frame? Is that a MAC, ICMP, IP, or TCP convention?
Thanks!
Pax -- Ob
OK.. if you had done your homework here, and looked through the posts, it seems that everyone who is having this sort of problem is behind their own firewall (or NAT system), and is therefore totally immune to this form of attack, and, if they had actually read the read-me, were not even told to install this.
Apple is putting out this patch, and recommending it only to people with dedicated internet connections (large-LAN or cable modem customers), not to people with AirPort, or other modems... I do agree that it should not affect these customers, but what do you expect for a shoot-from-the-hip solution. If you are not affected, take the extension out of your system folder, and forget about it... when 9.1 comes out, this will be completely taken care of...
What's even more hilarious about this is that the feature in Mac OS 9 that causes this DOS attack has actually been patented by Apple:
http://164.195.100.11/netacgi/nph-Parser?Sect1=PTO1&Sect2=HITOFF&d=PALL&p=1&u=/netahtml/srchnum.htm&r=1&f=G&l=50&s1='5931961'.WKU.&OS=PN/5931961&RS=PN/5931961
Note that Linux also does path MTU discovery without this bug. The Apple technique was chosen because it allows Mac OS to do the same thing even when talking to sites behind misconfigured firewalls. The Linux people occasionally get e-mail like "My Linux box can't connect to this on-line bank" and the response from the kernel hackers is "Tell your bank to fix its firewall".
Other than the fact it encourages sites to not fix their improperly set up firewalls, the Apple solution is probably a bad idea-- it results in not only the DOS attack, but also increased latency and superfluous traffic.
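The arithmetic behind the multiplier question earlier in the thread (a roughly 40-byte probe answered by a 1500-byte ICMP reply, and whether Ethernet framing changes that), together with the kind of check a network operator could run over flow records to find hosts that answer small probes with large replies. This is an added example, not code from the discussion or from Apple; the flow records, addresses and the 10x threshold are constructed, and the Ethernet constants (14-byte header, 4-byte FCS, 64-byte minimum frame, 1500-byte MTU) are the standard Ethernet II values.

```python
"""Amplification arithmetic and a flow-record check for big replies to small probes.

Added example for the Slashdot discussion; not Apple's code and not from the thread.
Flow records and addresses below are constructed (RFC 5737 documentation ranges).
Ethernet constants are the standard Ethernet II values.
"""
from dataclasses import dataclass

ETH_HEADER = 14      # dst MAC + src MAC + EtherType
ETH_FCS = 4          # frame check sequence
ETH_MIN_FRAME = 64   # minimum frame on the wire, FCS included (short payloads are padded)
ETH_MTU = 1500       # largest payload one frame carries; one IP datagram per frame


def frame_bytes(datagram_bytes: int) -> int:
    """Bytes one IP datagram occupies on an Ethernet link.

    Frames are not bundled: each datagram gets its own header, padding and FCS,
    so "is a 1500-byte reply one frame either way?" is answered by comparing the
    two framed sizes, not by the MTU alone.
    """
    if datagram_bytes > ETH_MTU:
        raise ValueError("datagram exceeds the Ethernet MTU; it would be fragmented")
    return max(datagram_bytes + ETH_HEADER + ETH_FCS, ETH_MIN_FRAME)


def amplification(req_bytes: int, resp_bytes: int, framed: bool = False) -> float:
    """Response size divided by request size.

    framed=False compares IP datagrams as the thread does (40 -> 1500 gives 37.5).
    framed=True compares what actually crosses the wire; padding the small probe
    up to the 64-byte minimum frame lowers the ratio, but it stays large.
    """
    if framed:
        return frame_bytes(resp_bytes) / frame_bytes(req_bytes)
    return resp_bytes / req_bytes


@dataclass(frozen=True)
class Flow:
    """One probe/reply pair as a flow exporter or packet capture would summarise it."""
    src: str          # address the probe claimed to come from (forgeable, so not used for blame)
    responder: str    # host that answered; this is the one whose behaviour we check
    proto: str
    req_bytes: int    # IP datagram size of the probe
    resp_bytes: int   # IP datagram size of the reply


# Constructed sample records.
SAMPLE_FLOWS = [
    Flow("198.51.100.7", "192.0.2.10", "icmp", 40, 1500),   # 37.5x: the behaviour the patch removes
    Flow("198.51.100.7", "192.0.2.11", "icmp", 40, 40),     # normal echo reply, same size as the probe
    Flow("198.51.100.8", "192.0.2.12", "udp", 64, 200),     # modest, ordinary service reply
    Flow("198.51.100.9", "192.0.2.10", "icmp", 29, 1500),   # 51.7x: same responder, smaller probe
]


def suspicious_responders(flows, threshold: float = 10.0) -> dict:
    """Map responder -> worst amplification ratio seen, for ratios at or above threshold.

    The probe's source address is ignored on purpose: in a reflection flood it is
    the victim's address, so the responder is the host that needs fixing.
    """
    worst: dict = {}
    for f in flows:
        if f.req_bytes <= 0 or f.resp_bytes <= 0:
            continue
        ratio = amplification(f.req_bytes, f.resp_bytes)
        if ratio >= threshold:
            worst[f.responder] = max(worst.get(f.responder, 0.0), ratio)
    return worst


if __name__ == "__main__":
    print(f"datagram ratio 40->1500: {amplification(40, 1500):.1f}x")
    print(f"on-wire ratio  40->1500: {amplification(40, 1500, framed=True):.1f}x")
    for host, ratio in suspicious_responders(SAMPLE_FLOWS).items():
        print(f"{host} answers small probes with replies up to {ratio:.1f}x their size")
```

Run as a script it prints the datagram ratio (37.5x, the thread's "about 38x"), the on-wire ratio (about 23.7x once the 40-byte probe is padded to a 64-byte minimum frame), and flags 192.0.2.10 as the only responder in the sample set that answers small probes with replies more than ten times their size. The framing calculation answers the poster's question: the MTU caps each reply at one 1518-byte frame, but the probe is a separate, much smaller frame, so the multiplier is real.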
...years ago that it's Apple's policy to first release a patch as an extension or plug-in, or whatever. Then, when it's sure it does what it is supposed to do, it'll be integrated or patched into the system files completely. Whether or not this DOS is serious, Apple released the extension very quickly. I suppose they didn't have time to patch the whole OT extension set and check for anomalies. I bet the patch will be fully integrated into the coming MacOS 9.1.
I installed it because I have a cable modem and OS 9. I have taken it out of my system folder because a) I realized I don't really care about the issue and b) it was messing shit up.
I was just telling people what I had discovered myself and from other reports at macnn..
Joseph?
Ok you Apple bashing trolls, try this on for size. A few days ago, it was discovered that OT had a bug in it that would cause a Macintosh to respond to certain small network packets with a large Internet Control Message Protocol (ICMP) packet. This update prevents Macintosh computers from being the cause of certain types of Denial of Service (DOS) issues. Within a few days, this bug was fixed and a patch is posted. Let's see M$ do this. Can we month long bug fix updates?