Apple's Response to "Denial of Service"
carbondave writes "Apple has made an update for Open Transport and it is currently available for download at Apple's website. Here are the contents of the read me that comes along with it:
OT Tuner 1.0 switches off an option in Open Transport that would cause a Macintosh to respond to certain small network packets with a large Internet Control Message Protocol (ICMP) packet. This update prevents Macintosh computers from being the cause of certain types of Denial of Service (DOS) issues."
This is a follow-up to yesterday's coverage of OS9 machines being used in DoS attacks.
Apple got it out about an hour after the slashdot post, very good compared to "other" software companies.
From the Copeland FAQ:
you may be legally liable for making it possible for a cyber-terrorist to use your computer to attack someone else, if you do not apply the fix and still leave your Macintosh connected to the Internet.
Leaving an unpatched Mac connected to the internet is like giving a loaded gun to a monkey. Remember there is a "conspiracy to shut down Internet Connections."
But when, John!? When? Christ almighty tell us when this dreaded attack will take place!
Zero-hour is probably New Years Eve, EST.
Somebody's been sniffing the old Maser a bit much lately.
Seriously, it's great to see a commercial company actually respond to a serious software fault, rather than blame the user, the competitors, the media, or the small furry creatures from Alpha Centauri who have been helping with the debugging.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
It could be possible that Apple released their patch because they did not want to be held as responsible in case this was really put to use. They also could have released it in order to decrease network bandwidth use by the systems themselves (1500 bytes does add up after a while.)
There is also a CERT advisory covering this and a few other DoS's (i.e. TFN2K). The CERT advisory is available at http://www.cert.org/advisories/CA-99-17-denial-of-service-tools.html.
I'll repeat a quote from mentat.com that I saw in yesterday's discussion:
MPS is the native STREAMS on Apple Mac OS, Novell NetWare, Wind River VxWorks, Hewlett-Packard HP-UX, IBM AIX, Digital UNIX, and many other leading computer and embedded operating systems. According to available info, MPS is where the Mac Attack exploit was found. What other systems will also amplify similar packet attacks?
That's exactly the stupid-ass attitude that makes it possible to run smurf attacks against people, still ...
"why should I turn off directed broadcast?? What difference does it make if my network is used to destroy someone else's connectivity?"
Shit, I'll tell you why you should apply the patch. Eventually, ISPs are just going to blackhole the networks that source denial of service attacks, because eventually it is your responsibility for being vulnerable, rather than the attacker's responsibility for exploiting you.
Purchase clue.
good. fast. cheap. (pick any two, you can't have all three)
I would wager by the fact that it's been confirmed by Apple labs and is detailed in a PGP-signed CERT advisory that you can stop calling it a hoax now.
Normally people do things like prove that vulnerabilities do not exist (by testing or by intimate knowledge of the way a system is designed) before calling them hoaxes. Since I had no access to MacOS 9, and no verifiable sources were saying that it was a hoax, I was definitely not going to propagate that rumor.
Security problems are real. Let's help them get solved instead of shooting off our mouths.
Well, for one thing applying the patch does protect you against the DoS. Remember that this attack is something like a combination of a Smurf and a Ping of Death attack. The ICMP response that the Mac OS 9 machine generates is 1499 bytes of payload. Add any sort of headers and this thing is bigger than the MTU of a standard ethernet frame.
So if you wanted to use this to really cramp the style of someone with a spiffy new G4, you would send the request packet and forge the source address to be the victim's own address. Even better, set the source address to be the broadcast address on the victim's LAN.
I suspect this could cause some serious havoc in a lab full of iMacs. Even worse, the new iBooks now ship with Mac OS 9. I hate to think what this kind of DoS could do to a large wireless LAN.
Just download the patch. Think of it as just one more extension in a bloated system folder. And just think, with OS X client, you won't have to fool around with extensions anymore.
Apple is definitely to be commended here. I just hope that where MacOS 9 is deployed, the system owners will respond as quickly in updating their systems. I suspect the knowledgeable network admins probably will. The earlier comment about liability scares the shit out of me but might be a good motivation.
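The amplification pattern described above (a small inbound packet answered by a ~1.5 KB ICMP message, possibly aimed at a spoofed or broadcast address) is something a network admin can look for in their own traffic. The following Python script is an added example, not code from the thread, Apple, or CERT: it reads a constructed packet-summary log (the six-field format, the 10.0.0.0/24 site network, the 10x amplification threshold and the 1-second pairing window are all assumptions) and reports local hosts whose outbound ICMP is far larger than the packet that provoked it. The 1527-byte sample reply is the thread's 1499-byte payload plus an 8-byte ICMP header and a 20-byte IP header, which is why it exceeds the 1500-byte Ethernet MTU.

```python
"""Flag local hosts acting as ICMP amplifiers (added example, constructed data)."""
import ipaddress
from dataclasses import dataclass

ETHERNET_MTU = 1500          # largest IP packet a standard Ethernet frame carries
AMPLIFICATION_RATIO = 10.0   # reply/trigger size ratio treated as amplification (assumption)
PAIR_WINDOW = 1.0            # seconds within which a reply is matched to its trigger (assumption)

# Constructed sample log: "<ts> <src> <dst> <proto> <type/code> len <ip_length>".
# 10.0.0.0/24 is the (assumed) local network; 192.0.2.9 is a remote host.
SAMPLE_LOG = """\
100.0 192.0.2.9 10.0.0.21 icmp 8/0 len 36
100.1 10.0.0.21 192.0.2.9 icmp 0/0 len 1527
101.0 10.0.0.5 10.0.0.20 icmp 8/0 len 84
101.0 10.0.0.20 10.0.0.5 icmp 0/0 len 84
102.0 10.0.0.255 10.0.0.22 icmp 8/0 len 36
102.0 10.0.0.22 10.0.0.255 icmp 0/0 len 1527
"""


@dataclass
class Packet:
    ts: float
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    icmp_type: int
    length: int


@dataclass
class Finding:
    responder: str          # local host that produced the large ICMP message
    target: str             # where that message was sent (the spoofed source)
    ratio: float            # reply bytes / trigger bytes
    exceeds_mtu: bool       # reply will fragment on Ethernet
    target_is_broadcast: bool  # reply aimed at the local broadcast address


def parse_line(line: str) -> Packet:
    """Parse one summary line into a Packet."""
    ts, src, dst, proto, typecode, _len_kw, length = line.split()
    return Packet(float(ts), ipaddress.ip_address(src), ipaddress.ip_address(dst),
                  proto, int(typecode.split("/")[0]), int(length))


def find_amplification(log_text: str, local_net: str,
                       ratio: float = AMPLIFICATION_RATIO,
                       window: float = PAIR_WINDOW) -> list[Finding]:
    """Return one Finding per outbound ICMP message that dwarfs the packet it answers."""
    net = ipaddress.ip_network(local_net)
    packets = [parse_line(ln) for ln in log_text.splitlines() if ln.strip()]
    findings = []
    for reply in packets:
        # Only ICMP leaving our own hosts can make us an amplifier for someone else.
        if reply.proto != "icmp" or reply.src not in net:
            continue
        # The trigger is the most recent packet from the reply's destination to its source.
        trigger = None
        for p in packets:
            if p.dst == reply.src and p.src == reply.dst and 0 <= reply.ts - p.ts <= window:
                trigger = p
        if trigger is None or trigger.length == 0:
            continue
        r = reply.length / trigger.length
        if r < ratio:
            continue
        findings.append(Finding(str(reply.src), str(reply.dst), round(r, 1),
                                reply.length > ETHERNET_MTU,
                                reply.dst == net.broadcast_address))
    return findings


if __name__ == "__main__":
    for f in find_amplification(SAMPLE_LOG, "10.0.0.0/24"):
        print(f"{f.responder} -> {f.target}: x{f.ratio} amplification"
              f"{' (fragments)' if f.exceeds_mtu else ''}"
              f"{' (local broadcast target!)' if f.target_is_broadcast else ''}")
```

Run against the sample, the script flags 10.0.0.21 (answering a remote 36-byte packet with 1527 bytes) and 10.0.0.22 (the same reply aimed at 10.0.0.255, the spoofed-broadcast case the post warns about), and ignores the ordinary 84-byte ping exchange. On a real capture the pairing window and ratio would be tuned to the site, but the second finding is the one worth an immediate patch on that host.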
Sorry I was a little harsh. It gets real nasty when you have to chase a DOS attack all over your backbone trying to find out where it is coming from .... plug one hole, open up another. It is a touchy subject.
... there is one line on a Cisco that fixes smurfs entirely. Go to the console, configure ethernet interfaces, and type "no ip directed-broadcast", and smurfs are no longer capable of being amplified from your network. If you search the 'net, however, you can find lists of networks which haven't taken the simplest measures to protect others from their misconfigurations.
The smurf problem illustrates nicely
The distributed network attacks are a new danger. Rather than protecting others from DOS by securing your network border, now you have to secure each internet accessible machine in order to avoid being used as an attack platform. This seems to me to require much more attention from users, rather than network admins, and so it is very necessary that people understand what their lack of a patch can do to someone else. It is really an issue of education, and the education is severely lacking.
Cheers.
good. fast. cheap. (pick any two, you can't have all three)
IIRC, haven't initiatives to blackhole smurf amplifiers been around for awhile? I think the threats certainly got a lot done; but an ISP, unless they are having serious troubles, has to contend with their stupid user base first complaining about not being able to access such-and-such a site.
The same problem exists (regrettably) with spam. I would LOVE it if ISPs everywhere could run MAPS on their servers, but they just can't, because the stupid user base would scream bloody murder, not understanding the implications. Any kind of filtering, no matter how intelligent, is going to block legitimate mail as well.
I did, with ResEdit...this is a very odd extension. The 'INIT' resource appears to contain just raw data instead of typical INIT code. There are also ASCII names of several Open Transport routines (presumably, the ones being patched). But why put this into an INIT which can be disabled via Extensions Manager? Why not do what they did with the Font Manager Update for 8.6; patch the Extensions Manager prefs so that this obviously important piece of software can't be disabled easily? The code should be similar to the FMU code, so it shouldn't be that hard to implement. Either that, or set it up as a 'scri' file, so it can't even be seen by EM (although it would then load before OT does, so maybe that's not such a good idea).
Also, as of this morning, this was still not available via Mac OS 9's built-in Software Update. I hope we aren't expected to all know to go to Apple's site and download the patch ourselves....
I use Macs for work, Linux for education, and Windows for cardplaying.
I find any Slashdot coverage of DOS issues vaguely ironic, as the Slashdot effect is probably responsible for more DOS attacks on web servers than any other person/group/effect. It's especially funny because the targets of these attacks are supposedly sites of interest to the attackers. It's kind of like one of the web-defacement groups DOS-ing attrition.org, or something.
That's not to say that I'm going to stop participating in the daily massive distributed DOS attempts. No one ever said the Internet was a republic.
While I don't contest that "looking good to /." is usually a good thing, I don't think the sheer act of pleasing the populace here is necessarily a winning situation in all cases. Let's face it, /.ers (myself included) don't always take the reasonable course.
Usually only Open Source-based products get patches that fast. Not only is Apple's Open Transport not Open Source, it's licensed from a third party to boot. Even though OT is pretty easy to tweak, it's still impressive that Apple did the Right Thing so fast.
I'm sure there were script kiddies out there hoping to exploit this particular hole - but I have my doubts about the "Y2K/black helicopters" scenario that the fellow who spotted this bug seems to believe is imminent...
-- Josh Turiel
"2. Do not eat iPod Shuffle."
Yeah, I have blackholed selected IPs, but only for short times under extreme circumstances. The idea of a real blackhole, where you have to remedy the problem before you are let back in the routing tables, hasn't caught on yet. :(
Perhaps the distributed DOS trend will help generate the need for some kind of structured blackhole process by which the offending network/user can be informed, and the blackhole reversed when security problems are fixed.
good. fast. cheap. (pick any two, you can't have all three)
no probs on any mac I've installed it on, no airport though...
Well, if the network is behind a firewall (which most Airport networks are), the patch isn't needed.
Among its readers' findings:
OT Tuner disables connections to the 'base station' for iBooks and other AirPort-compatible Macs, and makes TCP/IP connections via Timbuktu Pro impossible.
OS 9 users may already have a solution on their install CDs, a control panel called "TCP/IP Options" which is unsupported by Apple, but can disable the IP Path MTU Discovery feature that reportedly causes the 'Mac attack.' Apple has a Tech Info Library about TCP/IP Options: http://til.info.apple.com/techinfo.nsf/artnum/n21
Finally, a Mac network software guy said the problem is indeed related to OT using Mentat/TCP 3.5's new method of Automatic Path MTU Discovery. OT previously would set all outgoing datagrams as "Don't Fragment," though OT Tuner changes that. (whatever the hell that means.)
More is here at http://www.macintouch.com/macattack.html
J.
damned vulpine http://sb.drtwister.com/
Think how many UNIX boxes are rootable despite the best efforts of CERT and BugTraq, and these people are supposed to know better! You can thank incompetent and lazy sysadmins the next time your network is the victim of a distributed UDP/ICMP DoS attack. The tools to cause this kind of chaos are becoming more and more widespread (Trin00 and TFN on the UNIX side, and now this Mac-targeted tool), and if you thought Smurf attacks were bad, imagine something that's impossible to stop and just as untraceable rendering your network useless.
It's a pretty fucked-up situation. And it's not gonna get any better any time soon, I'm afraid.
- A.P.
--
"One World, one Web, one Program" - Microsoft promotional ad
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
Actually, if you check Apple's download page, it says that you should install the software if you've got an iBook running 8.6. That's because they included the MacOS-9 version (or at least a susceptible version) of OT (2.5.2, I think) on the iBook and some later iMacs that didn't get MacOS-9.
My wife's iBook has the problem, though it's hidden behind NAT, so it's not an issue.
Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/
the file date created/modified is Mon, 12/27/99, 12:00AM.