New Denial-of-Service Attack Is a Killer
ancientribe writes "Hacker RSnake blogs about a newly discovered and deadly denial-of-service attack that could well be the next big threat to the Internet as a whole. It goes after a broadband Internet connection and KOs machines on the other end such that they stay offline even after the attack is over. It spans various systems, too: the pair of Swedish researchers who found it have already contacted firewall, operating system, and Web-enabled device vendors whose products are vulnerable to this attack." Listen to the interview (MP3) — English starts a few minutes in — and you might find yourself convinced that we have a problem. The researchers claim that they have been able to take down every system with a TCP/IP stack that they have attempted; and they know of no fix or workaround.
fearmongering (Score:5, Insightful)
Transcript (Score:5, Insightful)
Do people really have time to listen to podcasts unless they are commuting?
Is there a transcript???
this is not news... it's a reach around... (Score:1, Insightful)
FTFA... "Robert and Jack are smart dudes"
yep ... and i'm scared now cuz the smart dudes told us the sky is falling, but don't ask why, they are working with the "vendors" in secret. which must be a lot since this affects every tcp/ip stack in existence.
who is jacking off who here?
Re:fearmongering (Score:5, Insightful)
Sorry, but your entire argument is shot down by TFA. For those of you too lazy to read it, this gem "Robert and Jack are smart dudes. I've known them for years," clearly shows that your argument is moot. The author has known them for years from (presumably) T-Ball league. How can you argue with that?
(this having to wait 5 minutes between posts is a pain in the ass. Anyone else stuck with this restriction?)
Re:Go for it, take on my machine! (Score:5, Insightful)
Power grids? (Score:3, Insightful)
Re:Go for it, take on my machine! (Score:5, Insightful)
Of course Linux is not a magical shield. But having a diverse eco-system is known to protect against many attacks.
One of the reasons stories about how the banana is going extinct come up every few years is because the "modern" bananas that most people in the over-developed world can buy are all clones! One disease can attack all the plants in the same manner.
In the same way, computers that have the same OS tend to be vulnerable to the same attack. Because there are a lot more OSs based around Linux (and BSD), people running these OSs are less vulnerable, because they are in a diverse eco-system. Especially when these kernels and the user-land tools are FLOSS.
As such, yes, it may be a generic vulnerability in the TCP spec (though how likely is that?); however, it is not specified, which is why I asked if it did affect *nix.
If nothing else, due to the nature of FLOSS, the attack could quickly be coded around as soon as it is known, and then pushed out to many many people running auto-update systems (such as Debian, Ubuntu and similar). (Even if that breaks the spec.)
Re:fearmongering (Score:5, Insightful)
Sorry, but your entire argument is shot down by TFA. For those of you too lazy to read it, this gem "Robert and Jack are smart dudes. I've known them for years," clearly shows that your argument is moot.
Seriously....just saying "Yeah, these two dudes I know can break the whole Internet. Trust me. I've known them a long time." is just completely lame and useless.
The article is nothing more than fear mongering and fudfudfud (please tag appropriately). Unless there's something to the interview beyond "I know how to break the Interwebs!!!", I'm from Missouri on this one.
The sky is falling! (Score:4, Insightful)
Quickly, go yank the cable/DSL connection right out of the wall before it's too late!
Come on... I'm not going to listen to the MP3, but the /. summary and the article both are dangerously low on details. This affects every machine with a TCP/IP stack? IPv4 and IPv6? Leaves the machines in a permanent state of DoS? There's no prevention? No fix? And you can't even test it because it might take down "other devices between here and there"?
Pardon me, I'm off to find myself a huge grain of salt.
Re:They might have missed a small detail (Score:2, Insightful)
It reaches you in that no one else can see you on the Internet. If all routes are down, you can't communicate. Done, denial of service at its best, even if no packet ever reaches your interface.
That, still assuming that all of this is true.
the cutoff jokes are just old (Score:1, Insightful)
Every time there's a story about a connection dying or a machine crashing we see a flood of posts that end lik
It was funny _once_. Maybe. Be more creative. I'm trying to waste my day at work reading /. so could you people make up some new ones? And I'm not going to even delve into the fact that thanks to the ways posting content to a website works the failure wouldn't look remotely like this... we're not all on modems connecting to a BBS.
Let's give them the benefit of the doubt (Score:2, Insightful)
Let's assume that they have actually discovered this industry sweeping exploit.
So they went and contacted the vendors like good white hats. Now, if their intent was to be contributors to the greater good of security, they would stop at this level of correspondence and work with the companies until the problem is fixed.
However, they released this article to inform the public. Normally when someone does this it is with the intention of providing the public with the knowledge or tools, or rallying them to activism, towards the end of making the upstream change things. This article does not constructively inform in this way and does not give the end user something to throw upstream. Then what is this article accomplishing?
The fact that we are discussing this and that we have, theoretically, RTFA implies that we have exposed ourselves to their names, tools, and services. It also loosely implies a need for their services and their "skill." Quotation marks are put around "skill" as I, the reader, have no way of actually confirming their skill because of the lack of real material to observe. From this perspective, I am tempted to conclude that this article serves as little more than an advertisement for their services and a cry for attention.
What then, you may ask. Do I suggest that they leak "dangerous" information and risk their horror story becoming reality? No; rather I propose that if their intentions were really to protect the Internet, they should have stopped the discussion of their research from the immediate parties involved.
I do not necessarily advocate any of these stances as this analysis is meant to be normative.
Re:More scares, AND A TEMPORARY FIX! (Score:3, Insightful)
Simple: put that line before your network cards are initialised. That's rc.inet1 in Slackware, YMMV elsewhere.
Re:Pfffft (Score:1, Insightful)
Metamoderate -1 clueless. Whoosh!
Too many Microsoft fanboy moderators ...
Something strange... (Score:4, Insightful)
It sounds like a blind resource consumption attack against SYN-cookie implementations, no? (Without SYN-cookies, the attack is trivial, just spoof SYNs).
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1332898,00.html
SYN-cookies are a simple idea. Upon receiving a SYN, rather than creating all the state, the server returns a SYN/ACK with the SEQ value = H(IP,ACK value). Thus when it sees the ACK packet it can check that the value is returned, and then create all the state.
If this is the case, it seems to require that a SYN-cookie be predictable, i.e. that the attacker can probe a client to predict what H(IP,ACK value) is. IF that is the case then there is an easy fix: simply use more and better random data as salt in a better hash function.
Simply because ANY blind resource consumption attack against a SYN-cookie server requires knowing what the SEQ value from the server for the SYN/ACK is, in order to establish a connection by sending the proper ACK (and then some data to load the server further).
If the attacker can't predict the SYN/ACK's SEQ value, it can't construct a proper ACK and cause the server to consume resources.
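The SYN-cookie scheme this post describes, written out as an added example in Python (not code from the article, the researchers, or any real TCP stack): the server derives the SYN/ACK sequence number from the connection addresses and the client's ISN with a keyed hash, stores nothing, and only creates state when the returning ACK carries a cookie it can recompute. The secret key, the coarse time counter, the acceptance window and all addresses are constructed assumptions; real stacks also pack MSS bits into the cookie, which is omitted here.

```python
import hashlib
import hmac
import os
import struct

# Constructed per-boot secret (assumption: a real stack keeps its own random
# state). Without this key, anyone who knows the 4-tuple could compute the cookie.
SECRET = os.urandom(32)


def syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, t, secret=SECRET):
    """Server ISN for the SYN/ACK: keyed hash over the 4-tuple, the client's
    ISN (the value the client will echo as ACK-1) and a coarse time counter t.
    Nothing is stored on the server at this point."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{client_isn}|{t}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return struct.unpack(">I", mac[:4])[0]          # 32-bit sequence number


def verify_ack(src_ip, src_port, dst_ip, dst_port, ack_seq, ack_num, now,
               secret=SECRET, max_age=4):
    """Validate the third-handshake ACK with no stored state.
    ack_seq is the client's SEQ (client ISN + 1); ack_num is the ACK field
    (server cookie + 1). The cookie must recompute for a time counter no older
    than max_age ticks; only then does the server allocate the connection."""
    cookie = struct.pack(">I", (ack_num - 1) & 0xFFFFFFFF)
    client_isn = (ack_seq - 1) & 0xFFFFFFFF
    for age in range(max_age + 1):
        expected = syn_cookie(src_ip, src_port, dst_ip, dst_port,
                              client_isn, now - age, secret)
        # Constant-time compare: the cookie is the only secret-derived value
        # an off-path sender has to guess, so do not leak it via timing.
        if hmac.compare_digest(struct.pack(">I", expected), cookie):
            return True
    return False                                     # drop: no state consumed
```

A sender that cannot observe the SYN/ACK has to guess a 32-bit keyed value per connection, and every wrong guess costs the server one hash computation and no memory.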
Re:fearmongering (Score:3, Insightful)
Please correct me if I am wrong, but I don't see how this cannot be fixed. Another super-scary (and warrantless) slashdot headline and summary IMHO.
Re:Pfffft (Score:1, Insightful)
> ...move up to Windows 3.1. That is where it is at.
Nah. Try O/S 2 Warp instead. You'll be glad you did.
Re:Pfffft (Score:3, Insightful)
Could it be that you're talking about MS Windows 3.1 instead of Windows NT 3.1 that the parent seems to be talking about? Because NT 3.x was a completely different beast from regular Win 3.1.
/Mikael
Re:fearmongering (Score:5, Insightful)
(this having to wait 5 minutes between posts is a pain in the ass. Anyone else stuck with this restriction?)
Yes, limiting the possibilities to comment is clearly a bad idea. /. summaries have always been quite bad for as long as I can remember, but all the informational value is in the comments. Where else can you see a fearmongering article, people making some obvious remarks, getting insightful retorts, to finally end on a +5 comment coming from a guy working in the lab TFA mentions?
Slashdot, don't fear posters. Your moderation system filters spam (and as*holeness) with enough efficiency, don't add nagging features!
Re:Go for it, take on my machine! (Score:3, Insightful)
Of course Linux is not a magical shield. But having a diverse eco-system is known to protect against many attacks.
Amen! Even so, I would expect to see patches coming from David Miller shortly if Linux is truly vulnerable. Similar to how Linux was the first system to be protected against the F00F Intel Pentium hardware bug.
Re:fearmongering (Score:4, Insightful)
That kind of restriction does pretty much nothing at all to stop any kind of crapflood.
See, crapflooders are not limited to using one IP or one account, unlike legitimate users.
Re:fearmongering (Score:2, Insightful)
Whether the threat is real or not, someone seems to be intent on getting as much attention as possible.
Re:Don't Give Them The Power!!! (Score:3, Insightful)
Because if we don't discuss it, vendors will think that it doesn't need to be fixed, and won't fix it. I'm all for giving vendors some lead time to come up with solutions to discovered attacks, but history has plainly shown that the only way to compel vendors to fix security problems is to publicize them.
And keep in mind: The fact that we're not discussing it doesn't mean it's not getting discussed in other circles who look to use it for less noble things than correcting defects.
Re:Transcript (Score:2, Insightful)
Even worse are the new video blogs (not quite sure if it's blogs, or tutorials or what...), I am seeing them all the time when searching for a technical question (e.g., "how to do X on system Y"). I don't want to watch a 5 minute tutorial - I want to find the one line command to do something!
Cheers
Re:Transcript (Score:3, Insightful)
Do people really have time to listen to podcasts unless they are commuting?
Is there a transcript???
To answer your question before I start my tirade: From the blog in question, "The podcast is still the most complete public source of information for these findings." http://blog.robertlee.name/
I know what you mean. Audio or video are pretty poor for the rate of information disseminated compared to text. This is doubly true when the creators aren't formally trained (presenters aren't actors, or the script is not professionally written). Then you wind up with unskilled individuals all over the internet blundering through 5 minutes of speech, or fumbling their way through what would have been an otherwise interesting interview, if only they had just transcribed the whole thing to text and posted it somewhere. Then it'd take the rest of us 30 seconds to get the information, instead of 5 minutes of pain and suffering listening to or watching some horrible recording.
There are obvious exceptions to this, but 9 times out of 10 I just want to read so I can get the most of the experience in the most efficient manner.
Re:How this really SEEMS to work... (Score:1, Insightful)
Thus I think it's only really relevant if you wanted to DoS Google, Akamai, or some similar very-high-resource infrastructure.
If someone wants to use this trick to "DOS google, akamai, or some similar very-high-resource infrastructure" then I think that is very relevant to us all.
Re:fearmongering (Score:3, Insightful)