Slashdot Mirror
Apple's Response to "Denial of Service"
carbondave writes "Apple has made an update for Open Transport and it is currently available for download at Apple's website.
Here is the contents of the read me that comes along with it.
OT Tuner 1.0 switches off an option in Open Transport that would cause a Macintosh to respond to certain small network packets with a large Internet Control Message Protocol (ICMP) packet. This update prevents Macintosh computers from being the cause of certain types of Denial of Service (DOS) issues.
" This is a follow-up to yesterday's coverage of OS9 machines being used in DoS attacks.
i guess the best hoaxes are the ones that companies release patches for?
Apple got it out about an hour after the slashdot post, very good compared to "other" software companies..
At Apples Website:
Description
OT Tuner 1.0 switches off an option in Open Transport that would cause a Macintosh to respond to certain small network packets with a large Internet Control Message Protocol (ICMP) packet. This update prevents Macintosh computers from being the cause of certain types of Denial of Service (DOS)
issues.
It appears that dling and intstalling the patch would prevent the Mac from being able to do a DOS. That function could come in useful someday... unless it closes a security hole in the Mac, why bother to get it. It simply limits the capabilities of the Mac (while running OS 9).
Hmmm... patches like this are somewhat useless unless:
A: The patch protects the Mac from getting attacked by a DOS.
B: People are stupid enough to dl them.
Am I missing something? This does not make sense why someone would want to prevent there computer from being able to do a DOS - most people want their computer to be safe from DOS - they don't care if it can do one or not.
Is it progress if a cannibal uses a fork?
From the Copeland FAQ:
you may be legally liable for making it possible for a cyber-terrorist to use your computer to attack someone else, if you do not apply the fix and still leave your Macintosh connected to the Internet.
Leaving an unpatched Mac connected to the internet is like giving a loaded gun to a monkey. Remember there is a "conspiracy to shut down Internet Connections."
But when, John!? When? Christ almighty tell us when this dreaded attack will take place!
Zero-hour is probably New Years Eve, EST.
Somebody's been sniffing the old Maser a bit much lately.
Seriously, it's great to see a commercial company actually respond to a serious software fault, rather than blame the user, the competitors, the media, or the small furry creatures from Alpha Centauri who have been helping with the debugging.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
100 bugs in the code,
100 bugs in the code,
Squash a bug, type "make all",
...
101 bugs in the code,
101 bugs in the code...
Sorry, I haven't woken up yet.
Kaa
Kaa
Kaa's Law: In any sufficiently large group of people most are idiots.
It could be possible that Apple released their patch because they did not want to be held as responsible in case this was really put to use. They also could have released it in order to decrease network bandwidth use by the systems themselves (1500 bytes does add up after a while.)
US businesses that currently accept chip and PIN/signature
There is also a CERT advisory covering this and a few other DoS's (i.e. TFN2K). The CERT advisory is available at http://www.cer t.org/advisories/CA-99-17-denial-of-service-tools. html.
available at (816) 246 6160
I'll repeat a quote from mentat.com that I saw in yesterday's discussion:
MPS is the native STREAMS on Apple Mac OS, Novell NetWare, Wind River VxWorks,Hewlett-Packard HP-UX, IBM AIX, Digital UNIX, and other many leading computer and embedded operating systems.According to available info, MPS is where the Mac Attack exploit was found. What other systems will also amplify similar packet attacks?
Or, Apple could have released this patch to look good. PR is extremely important, especially in tech industries. When computer-illiterate people want answers to tech questions, they usually ask their "resident geek" - a kid who knows what he's talking about. If that kid reads Slashdot (as any self-respecting resident geek should), his answer to "Is Apple security-conscious?" will probably have a lot to do with the stories he sees here and elsewhere. Eventually, every software company in the world is going to figure out that if they look good to Slashdot, they'll be more successful. Hopefully, that will mean actual improvements in quality. So, yeah, maybe this is a Good Thing.
Apple is definitely to be commended here. I just hope that where MacOS 9 is deployed, the system owners will respond as quickly in updating their systems. I suspect the knowledgable network admins probably will. The earlier comment about liability scares the shit out of me but might be a good motivation.
Yes you missed something...
This dosn't stop the user [guy behind the keyboard] from doing a DoS... it dosn't even slow him down...
What this dose is prevents a third party [not the guy behind the keyboard] from using the Mac for a DoS.
So this DOSE close a security hole in the system.. it dosn't let them do anything sereous to the victom computer but it dose allow a script kidding to use a victoms Mac to mount an attack on an unsuspecting target
I don't actually exist.
It's not the same one, the "OT Tuner" that has been out for a while is configurable, this one isnt.
Maybe it's possible to use the old "OT Tuner" to remove the DoS problem too, not sure..
I did, with ResEdit...this is a very odd extension. The 'INIT' resource appears to contain just raw data instead of typical INIT code. There are also ASCII names of several Open Transport routines (presumably, the ones being patched). But why put this into an INIT which can be disabled via Extensions Manager? Why not do what they did with the Font Manager Update for 8.6; patch the Extensions Manager prefs so that this obviously important piece of software can't be disabled easily? The code should be similar to the FMU code, so it souldn't be that hard to implement. Either that, or set it up as a 'scri' file, so it can't even be seen by EM (although it would then load before OT does, so maybe that's not such a good idea).
Also, as of this morning, this was still not available via Mac OS 9's built-in Software Update. I hope we aren't expected to all know to go to Apple's site and download the patch ourselves....
I use Macs for work, Linux for education, and Windows for cardplaying.
I find any Slashdot coverage of DOS issues vaguely ironic, as the Slashdot effect is probably responsible for more DOS attacks on web servers than any other person/group/effect. It's especially funny because the targets of these attacks are supposedly sites of interest to the attackers. It's kind of like one of the web-defacement groups DOS-ing attrition.org, or something.
That's not to say that I'm going to stop participating in the daily massive distributed DOS attempts. No one ever said the Internet was a republic.
While I don't contest that ``looking good to /.'' is usually a good thing, I don't think the sheer act of pleasing the populace here is necessarily a winning situation in all cases. Let's face it, /.ers (myself included) don't always take the reasonable course.
Usually only Open Source-based products get patches that fast. Not only is Apple's Open Transport not Open Source, it's licensed from a third party to boot. Even though OT is pretty easy to tweak, it's still impressive that Apple did the Right Thing so fast.
I'm sure there were script kiddies out there hoping to exploit this particular hole - but I have my doubts about the "Y2K/black helicopters" scenario that the fellow who spotted this bug seems to believe is imminent...
- -Josh Turiel
-- Josh Turiel
"2. Do not eat iPod Shuffle."
Many people should care if their Mac (or other computer) is able to do a DOS, especially when the feds knocks on their door because they are flooding a govt site.
Picturing it.... Haapless user is downloading a Quicktime... suddenly the download slows.. user thinks "oh the net is slowing down again" figuring the bandwith between her mac and the website is narrowing... A rather smart presumption for any user to make and Mac users (to spite myths) generally are smart...
But this isn't what is happening...
Instead some script kiddy is sending costum UDP requests to the victoms Mac to have the Mac send larg packets to old_pathetic_system.bigbrother.gov.
User chouses to make the most of it.. after all the user is FTPing the Quicktime for local playback.. Shure she could stream it directly using her Cable modem but she chouses to have it stored on her hard disk so he can view it at her lesure...
So now that everything is SO SLOW she picks up her stuff and heads over to Pizza hut and orders a nice x-larg pizza. Everything should be done by then.
She comes home [having stuffed herself with pizza] to find 3 government agentcys climbing over her appartment...
But the good news is.. sence she wasn't home and the script kiddy was going to keep it up for as long as the Mac was on-line they hunted down and cought the real attacker.
However that hasn't prevented anyone from smashing open the door to her appartment and screwing up her download...
Before she downloads the quicktime again however.. she makes a quick trip to Apples website to download the patch.. becouse she is after all.. a rather smart person... She just isn't a computer expert...
In the mean time she sues 3 government agentcys for damages to her place... sues the script kiddy for involving her in his pathetic sceams.. and watches her quicktime while munching pizza.
Oh yeah and she clues in a government waist advocacy group about old_pathetic_system.bigbrother.gov and they have it taken down only to be replace by new_pathetic_system.bigbrother.gov...
I don't actually exist.
...and you'd be right. I installed the patch on my iBook late last night. This morning, my wife dials in and TCP/IP doesn't work at all. I had to toss the patch extension to get things to work again. This is apparently a common problem; similar reports are on http://www.macintouch.com/. I expect a revised patch will be released soon...
I don't mind so much right now with a variable IP and dial-in networking, and I suppose that being behind an Airport will protect us when we're back home with the cable modem.
http://www.macintouch.com/macattack.html
for details.
-matt
---
Wha? TV & Movie Theme Songs? Oh yeah....
Among its readers' findings:
0 75
OT Tuner disables connections to the 'base station' for iBooks and other AirPort-compatible Macs, and makes TCP/IP connections via Timbuktu Pro impossible.
OS 9 users may already have a solution on their install CDs, a control panel called "TCP/IP Options" which is unsupported by Apple, but can disable the IP Path MTU Discovery feature that reportedly causes the 'Mac attack.' Apple has a Tech Info Library about TCP/IP Options: http://til.info.apple.com/techinfo.nsf/artnum/n21
Finally, a Mac network software guy said the problem is indeed related to OT using Mentat/TCP 3.5's new method of Automatic Path MTU Discovery. OT previously would set all outgoing datagrams as "Don't Fragment," though OT Tuner changes that. (whatever the hell that means.)
More is here at http://www.macintouch.com/macattack.html
J.
damned vulpine http://sb.drtwister.com/
Think how many UNIX boxes are rootable despite the best efforts of CERT and BugTraq, and these people are supposed to know better! You can thank incompetent and lazy sysadmins the next time your network is the victim of a distributed UDP/ICMP DoS attack. The tools to cause this kind of chaos are becoming more and more widespread (Trin00 and TFN on the UNIX side, and now this Mac-targeted tool), and if you thought Smurf attacks were bad, imagine something that's impossible to stop and just as untraceable rendering your network useless.
It's a pretty fucked-up situation. And it's not gonna get any better any time soon, I'm afraid.
- A.P.
--
"One World, one Web, one Program" - Microsoft promotional ad
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
the file date created/modified is Mon, 12/27/99, 12:00AM.
I don't even like apples.
Pears are cool, though.
- A.P.
--
"One World, one Web, one Program" - Microsoft promotional ad
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
Ok, listen up people, I have a mac, I got the patch, and it didn't do anything but mess up my networking. There's a report over at macnn about a bunch of people who wrote in to macnn with the problems they had and how they went away once they disabled the patch. Same thing happened to me.
I admit that it IS impressive that apple got that patch up so damn fast (like a few hours after the slashdot post), but something is screwy with it. Hopefully 1.1 will come out soon (it was 1.0).
Anyways, so if you have a mac, dont install it. You'll have problems.
Joseph?
From what I was reading about this, they were claiming that a (roughly) 40 byte ICMP query could generate a 1500 byte response creating a multiplier of about 38x.
I though that the standard ethernet frame size was 1500, and that would effectively make that a 1 to 1 DOS attack. (That is, the multiplier is meaningless because the packets aren't bundled within a frame).
What am I missing? Can you package multiple packets within a frame? Is that a MAC, ICMP, IP, or TCP convention?
Thanks!
Pax -- Ob
OK.. if you had done your homework here, and looked throught the posts, it seems that everyone who is having this sort of problem is behind thir own firewall (or NAT system), and is therefore totally imune to this form of attack, and, if they had actually read the read-me, were not even told to install this.
Apple is putting out this patch, and recomending it only to people with dedicated internet connections (large-LAN or CableModemm custiomers), not to people with AirPort, or other Modems... I do agree that it should not affet these customers, but what do you expect for shoot-from-the-hip solution. If you are not affected, take the extension out of your system folder, and forget about it... when 9.1 comes out, this will be completely taken care of...
...years ago that it's Apple's policy to first release a patch as an extension or plug-in, or whatever. Then, when it's sure it does what it is supposed to do, it'll be integrated or patched into the system files completely. Whether or not this DOS is serious, Apple released the extension very quickly. I suppose they didn't have time to patch the whole OT extension set and check for anomalities. I bet the patch will be fully integrated into the coming MacOS 9.1.
i installed it cuz i have a cable modem, and os9. i have taken it out of my system folder, cuz a) i realized i dont really care about the issue and b) it was messing shit up.
i was just telling people what i had discovered myself and from other reports at macnn..
Joseph?
this smart mac user you are describing seems to be Laura Croft?
Hehe.. a 3D first person shooter carricter is a Mac user? I kinda presummed she was a Play station coder...
Accually no.. It's sort of a composit of two Mac geeketts I know..
A Web Deva and a Unix deva
The Web Deva edits web pages on the Mac (Note pad and kick butt graphics editing)...
The Unix deva turns old Macs into Unix servers.. she needs only one Mac but has no end of need for Unix servers and finds herself allways upgrading her Mac.
I don't actually exist.