Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: New form of packet attack named Stream

  • From: Jamie Rishaw
  • Date: Fri Jan 21 00:02:17 2000
  • Rfc_violation: You saw it here first!

That's because it's a really nasty attack.

I have a copy..  I've successfully completely taken down every layer-3
device of my own that I've launched it against.

The attack sends massive ACKs to the victim.  The ACKs are dropped at
the kernel, but it's CPU bound.  So unless you have tons of CPU to spare,
your system will essentially slow to a pause when under this sort of
attack.

Another icky thing.. Established bit.. A lot of firewalls ass-u-me that
if a packet is marked established, it's valid and should be passed along.
This exploit takes advantage of that assumption.  I dont know to what
level firewall software looks at packets (checking headers for sequence
number, etc), but this one is intelligent.

This is no "groundbreaking" attack.. it's been discussed before of
how header trickery could do things.. but.. eh.. I dunno.  My TCP/IP
knowledge only goes so far, so I don't have a ton of room to ellaborate.

Regardless..
A successful distributed attack using this exploit *can* take down major
parts of the Internet.

Key people at software vendors already have copies of this and are trying
to work on a fix.  I doubt anything real is going to come of it as far
as a remedy or counter, very soon.

Regards

Jamie Rishaw

On Thu, Jan 20, 2000 at 12:57:39PM -0600, Joe Shaw wrote:
> 
> 
> I haven't heard of it, so could you please provide some more technical
> details?  I saw nothing on it come across bugtraq or in the archives.
> 
> --
> Joseph W. Shaw - jshaw@insync.net    
> Computer Security Consultant and Programmer
> Free UNIX advocate - "I hack, therefore I am."
> 
> On Thu, 20 Jan 2000, Henry R. Linneweh wrote:
> 
> > 
> > anyone have a preventative method for this?
> 

-- 
jamie rishaw (efnet:gavroche) -- Exodus Communications, Inc.
Senior Network Engineer, Los Angeles / SoCal Data Centers
Corporate association for identification, not representation





Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.