
New Denial-of-Service Attack Is a Killer

kdawson posted more than 4 years ago | from the fighting-a-resource-war-with-an-unfair-advantage dept.


ancientribe writes "Hacker RSnake blogs about a newly discovered and deadly denial-of-service attack that could well be the next big threat to the Internet as a whole. It goes after a broadband Internet connection and KOs machines on the other end such that they stay offline even after the attack is over. It spans various systems, too: the pair of Swedish researchers who found it have already contacted firewall, operating system, and Web-enabled device vendors whose products are vulnerable to this attack." Listen to the interview (MP3) — English starts a few minutes in — and you might find yourself convinced that we have a problem. The researchers claim that they have been able to take down every system with a TCP/IP stack that they have attempted; and they know of no fix or workaround.


341 comments


I can't believe this is the first comment, (5, Funny)

Aliks (530618) | more than 4 years ago | (#25216693)

Some DOS attack on Slashdot in progress?

Re:I can't believe this is the first comment, (4, Funny)

neokushan (932374) | more than 4 years ago | (#25216695)

Yeah, some stupid user deltree'd the whole site!

Idea! Burn the WITCHES !! (1, Funny)

Anonymous Coward | more than 4 years ago | (#25217335)

These are not RESEARCHERS but wicked WITCHES. Burn them!! Burn the wicked witches!!

Re:I can't believe this is the first comment, (1, Funny)

Sj0 (472011) | more than 4 years ago | (#25217491)

Ah, there's your problem, you're running your website on MS-DOS 6.22!

This is a bit unorthodox, but might I suggest...linux?

Re:I can't believe this is the first comment, (0)

Anonymous Coward | more than 4 years ago | (#25216707)

We're all in shock of how retarded this summary is. It breaks the interwebs!!!! They no come backs!!!

fearmongering (5, Insightful)

passthecrackpipe (598773) | more than 4 years ago | (#25216697)

While it is pretty interesting, and disturbing, we are once again faced with a "The Internet Will Cease To Exist And Your Brain Will Explode" vulnerability. We don't know exactly how it works, we don't know exactly what to do to stop it, fixes are not available, and we are all doomed. The podcast goes into enough detail about how they discovered it to be replicated by skilled evildoers without too much trouble, but nobody knows how long, easy or invasive a fix is going to be.

Re:fearmongering (5, Insightful)

MyLongNickName (822545) | more than 4 years ago | (#25216751)

Sorry, but your entire argument is shot down by TFA. For those of you too lazy to read it, this gem "Robert and Jack are smart dudes. I've known them for years," clearly shows that your argument is moot. The author has known them for years from (presumably) T-Ball league. How can you argue with that?

(this having to wait 5 minutes between posts is a pain in the ass. Anyone else stuck with this restriction?)

Re:fearmongering (1, Offtopic)

fprintf (82740) | more than 4 years ago | (#25216807)

Yep, I get the 5 minute restriction all the time, especially when I am actively reading and posting. I agree it sucks. I also am a fast typist and get the "you must wait X seconds between hitting reply and posting" all the time. Presumably those restrictions are forcing me to be more thoughtful about my responses, and thus clutter the threads less with offtopic, trollish or redundant posts.

I want numerical karma back too.

Re:fearmongering (-1, Offtopic)

plague3106 (71849) | more than 4 years ago | (#25216863)

Ya, five minutes is too long. Don't know if it affects everyone or not.

Re:fearmongering (0, Offtopic)

ConceptJunkie (24823) | more than 4 years ago | (#25217067)

It's always been two minutes for me, which I find infuriating. If it were five minutes, I'd probably quit /. altogether.

It _should_ be 15 seconds between hitting "Reply" and "Submit" and one minute between comments. Some people can think and type quickly. But don't complain because /. is the way it is and it's not changing.

Re:fearmongering (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#25217197)

You should try posting anonymously, it doesn't give a concrete number of seconds left until you can post again or anything, but it seems to be around 10 minutes. This makes posting when I don't feel like signing in on a computer that's not mine an absolute chore.

Re:fearmongering (0, Offtopic)

hummassa (157160) | more than 4 years ago | (#25217461)

Yeah, it would be nice if nobody crapflooded /. ever, so they didn't have to come up with such restrictions...

Re:fearmongering (5, Insightful)

morgan_greywolf (835522) | more than 4 years ago | (#25216939)

Sorry, but your entire argument is shot down by TFA. For those of you too lazy to read it, this gem "Robert and Jack are smart dudes. I've known them for years," clearly shows that your argument is moot.

Seriously....just saying "Yeah, these two dudes I know can break the whole Internet. Trust me. I've known them a long time." is just completely lame and useless.

The article is nothing more than fear mongering and fudfudfud (please tag appropriately). Unless there's something to the interview beyond "I know how to break the Interwebs!!!", I'm from Missouri on this one.

Re:fearmongering (4, Funny)

Cro Magnon (467622) | more than 4 years ago | (#25216973)

(this having to wait 5 minutes between posts is a pain in the ass. Anyone else stuck with this restriction?)

My sig answers your question. :)

Re:fearmongering (1)

Nathrael (1251426) | more than 4 years ago | (#25217179)

Oh no! They are already trying to DoS Slashdot!

Re:fearmongering (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#25216755)

Yeah, masturbating monkeys are at it again. *yawn*

Re:fearmongering (3, Informative)

jrl (4989) | more than 4 years ago | (#25217183)

It wasn't our intention to fear monger. In fact if you listen to the whole podcast we actually comment on the "Chicken Little" phenomenon in security research.

For those wanting to stay abreast of these issues as more information is shared publicly, keep an eye on my blog [robertlee.name] .

I'm trying to keep a link to most news articles there. I've also been able to answer a few questions in the comments through that medium.

--Robert

Re:fearmongering (1)

couchslug (175151) | more than 4 years ago | (#25217321)

"fixes are not available," /me inserts non-multisession live CDs into all my machines...

"Bring it on!" :)

Pfffft (5, Funny)

MyLongNickName (822545) | more than 4 years ago | (#25216709)

Doesn't affect me. I haven't used DOS in YEARS. Some folks need to move up to Windows 3.1. That is where it is at.

Re:Pfffft (4, Funny)

eserteric (442678) | more than 4 years ago | (#25216745)

Uhh, you know that's still based on DOS right? You should update to Windows 95 like me to be safe.

Re:Pfffft (-1)

therufus (677843) | more than 4 years ago | (#25216927)

Bzzt!

Windows Millennium was the first MS OS that didn't actually run on DOS as such.

Wow, look at the success they had with that!

Re:Pfffft (4, Informative)

Antique Geekmeister (740220) | more than 4 years ago | (#25216957)

What? WinME was simply repackaged Win98. Windows _NT_ was built by David Cutler, on a VMS foundation rather than a DOS foundation, because Cutler was one of the core authors of VMS and there were some fascinating lawsuits about his duplicating his old VMS work for Microsoft.

Re:Pfffft (1, Insightful)

Anonymous Coward | more than 4 years ago | (#25217453)

Metamoderate -1 clueless. Whoosh!

Too many Microsoft fanboy moderators ...

Re:Pfffft (5, Funny)

Remloc (1165839) | more than 4 years ago | (#25216983)

Nope, NT 3.1 circa '93. We were an early adopter on a currently top of the line Pentium (1)--50 MHz, I believe. Thing would BSOD if you more than looked at it funny.

Re:Pfffft (3, Interesting)

aproposofwhat (1019098) | more than 4 years ago | (#25217091)

Haha!

Pentium? Microsoft advertised that 3.1 would run on a 386 with 16 meg of RAM, so that's what we installed it on to evaluate against our lovely Netware 3.11 fileservers.

Guess what?

It sucked ass - 10 minutes to boot, and funny looks were a definite no-no.

I have a lawn you could get off, if you like...

Re:Pfffft (2, Interesting)

j_166 (1178463) | more than 4 years ago | (#25217395)

No lie, I once had Windows 3.1 running on a 286. Not sure how much RAM I had. Oh, and the monitor was monochrome orange and black (or may have just been broken). The keyboard connected with something resembling a phone jack. I probably still have that machine in the attic. Note that I said it was running. I can't comment on if it was running *well* or not because I just booted it for curiosity's sake, then shut it down and promptly forgot about it until just now. This was well into the days of the Pentium 233, and someone had just given me the machine as a cast-off. I do remember it took a hell of a time to boot though...

Actually, thinking about it now, I may have deleted those memories out of sheer trauma.

Re:Pfffft (1)

rugatero (1292060) | more than 4 years ago | (#25217247)

Thing would BSOD if you more than looked at it funny.

Modded informative. Love it.

Re:Pfffft (1)

Reece400 (584378) | more than 4 years ago | (#25217033)

Nope, ME still ran on DOS.. just did a better job of hiding it than 98.

Re:Pfffft (1)

Dannybolabo (980836) | more than 4 years ago | (#25216795)

Haha yeah sure buddy. You honestly expect me to believe you're using 3.1? Everyone knows 3.1 is a myth! Next you'll be telling me about some new fangdangled OS with a "glass-like" interface..

Re:Pfffft (2, Funny)

ByOhTek (1181381) | more than 4 years ago | (#25216897)

Bah. I use Dr. Dos. It's a doctor so it fixes itself and I don't have to worry about these issues!

Re:Pfffft (1)

betterunixthanunix (980855) | more than 4 years ago | (#25216969)

Please, DOS 5 is where it's at. No PC can be without it.

Re:Pfffft (1)

ConceptJunkie (24823) | more than 4 years ago | (#25217235)

Do you know where I can get Windows 3.1 for my Apple ][?

Transcript (4, Insightful)

commanderfoxtrot (115784) | more than 4 years ago | (#25216717)

Do people really have time to listen to podcasts unless they are commuting?

Is there a transcript???

Re:Transcript (1, Informative)

Anonymous Coward | more than 4 years ago | (#25217071)

http://blog.robertlee.name has more information... still searching for transcript though...

Not much information (4, Informative)

mseeger (40923) | more than 4 years ago | (#25216733)

Hi,

Neither interview nor Link provides much information about the kind of attack. Between the lines they seem to be doing something with the resource usage by manipulating tcp session parameters. But that's idle speculation for now.

CU, Martin

Re:Not much information (0)

Anonymous Coward | more than 4 years ago | (#25216809)

... and TFA sounds more like a Dan Brown novel than providing actual facts.

http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1332898,00.html

has some better writeup, making it sound more like some kind of SYN cookie forging. Well, we'll hear more in two weeks, I guess.

Re:Not much information (2, Informative)

martyb (196687) | more than 4 years ago | (#25216841)

Neither interview nor Link provides much information about the kind of attack. Between the lines they seem to be doing something with the resource usage by manipulating tcp session parameters. But that's idle speculation for now.

Looks like you may be onto something; found this writeup with a bit more detail: New attacks reveal fundamental problems with TCP [techtarget.com]

Don't know enough about TCP/IP to comment, but maybe someone else here could elucidate or elaborate?

How it works (4, Interesting)

Spy der Mann (805235) | more than 4 years ago | (#25216981)

Many TCP servers use a technique known as a SYN cookie in order to prevent attackers using spoofed IP addresses from launching SYN flood denial-of-service attacks against them. The cookie is essentially a chosen TCP initial sequence number that is calculated using some specific hashed metadata that reflects the details of the specific TCP connection. Once the client returns a correct packet to the server, the server knows that the client isn't using a forged IP address.

Sockstress computes and stores so-called client-side SYN cookies and enables Lee and Louis to specify a destination port and IP address. The method allows them to complete the TCP handshake without having to store any values, which takes time and resources. "We can then say that we want to establish X number of TCP connections on that address and that we want to use this attack type, and it does it," Lee said.

In summary, it works by establishing tons and tons of connections using carefully-forged SYN cookies [wikipedia.org] . The irony? "SYN Cookies are the key element of a technique used to guard against SYN flood attacks". ROFLMAO.

And then it gets scarier:

From the wikipedia article:

The use of SYN Cookies does not break any protocol specifications, and therefore should be compatible with all TCP implementations.

Now, are you ready to scream?

the 2.6.26 Linux kernel added limited support of TCP options.

Scream.

More scares, AND A TEMPORARY FIX! (2, Informative)

Spy der Mann (805235) | more than 4 years ago | (#25217053)

The technique was created by Daniel J. Bernstein and Eric Schenk in September 1996. The first implementation for SunOS was released by Jeff Weisberg a month later, and Eric Schenk released his Linux implementation in February 1997 (the current implementation uses e.g. net.ipv4.tcp_syncookies).

From an old 2001 syn cookies vulnerability report: [linuxdevcenter.com]

syncookies can be disabled on a running system by executing the command:

echo 0 > /proc/sys/net/ipv4/tcp_syncookies

(To the editors: Mind adding the above line to the summary? Thanks!)

Patch your systems. NOW! (note that this makes them vulnerable to syn flood attacks, but at least those won't leave your system unusable until reboot!)

Re:More scares, AND A TEMPORARY FIX! (1)

Spy der Mann (805235) | more than 4 years ago | (#25217127)

I just added the above line to /etc/rc.d/rc.local, but I really don't know if that leaves a window of time during boot where the vulnerability can be exploited.

Any GNU/Linux expert who can inform us how to correctly patch our systems (until the official patch is released, of course)?

Re:More scares, AND A TEMPORARY FIX! (1)

characterZer0 (138196) | more than 4 years ago | (#25217257)

Put it in a script that runs before your network interfaces are brought up.

Re:More scares, AND A TEMPORARY FIX! (2, Insightful)

Rob Kaper (5960) | more than 4 years ago | (#25217293)

Simple: put that line before your network cards are initialised. That's rc.inet1 in Slackware, YMMV elsewhere.

DON'T PANIC! (4, Informative)

collinstocks (1295204) | more than 4 years ago | (#25217409)

If you are running Ubuntu 8.04, you probably aren't vulnerable (or at least I am not). See if you get what I got in the terminal:

collin@collin:~$ cat /proc/sys/net/ipv4/tcp_syncookies
0
collin@collin:~$

Re:Not much information (1)

Nerdfest (867930) | more than 4 years ago | (#25216941)

Found this [t2.fi] link through SANS.org:

There's not very much new detail other than stating that it's about "TCP state table manipulation". I'd guess they're keeping details to themselves until a fix can be found. My guess is that others will discover it just based on the broad area described.

Go for it, take on my machine! (2, Interesting)

apathy maybe (922212) | more than 4 years ago | (#25216735)

My IPv4 address is 127.0.0.1 ...

More seriously, I wonder if this actually affects *nix machines, and how the various environments in that area affect the attack.

After all, they may find a single attack against all MS Windows XP machines, but they need a lot more than one to attack all Linux based systems (and then you throw in BSD based ones as well...).

Meh, the article doesn't give much detail.

Re:Go for it, take on my machine! (5, Insightful)

erayd (1131355) | more than 4 years ago | (#25216769)

Unless it's a generic vulnerability in the TCP spec, in which case almost every implementation of it would be vulnerable - including all those Linux machines. Linux is not some magical shield, it takes responsible use to keep it secure.

Re:Go for it, take on my machine! (4, Insightful)

apathy maybe (922212) | more than 4 years ago | (#25216917)

Of course Linux is not a magical shield. But having a diverse eco-system is known to protect against many attacks.

One of the reasons stories about how the banana is going extinct come up every few years is because the "modern" banana that most people in the over developed world can buy, are all clones! One disease can attack all the plants in the same manner.

In the same way, computers that have the same OS tend to be vulnerable to the same attack. Because there are a lot more OSs based around Linux (and BSD), people running these OSs are less vulnerable, because they are in a diverse eco-system. Especially when these kernels and the user-land tools are FLOSS.

As such, yes, it may be a generic vulnerability in the TCP spec. (though how likely is that?), however, it is not specified, which is why I asked if it did affect *nix.

If nothing else, due to the nature of FLOSS, the attack could quickly be coded around as soon as it is known, and then pushed out to many many people running auto-update systems (such as Debian, Ubuntu and similar). (Even if that breaks the spec.)

Re:Go for it, take on my machine! (1)

stranger_to_himself (1132241) | more than 4 years ago | (#25217227)

One of the reasons stories about how the banana is going extinct come up every few years is because the "modern" banana that most people in the over developed world can buy, are all clones! One disease can attack all the plants in the same manner.

I wondered how long it would be before someone dragged out a banana analogy.

Re:Go for it, take on my machine! (1)

zehaeva (1136559) | more than 4 years ago | (#25217423)

would you rather a bad car analogy?? ^_^

Re:Go for it, take on my machine! (4, Funny)

BenoitRen (998927) | more than 4 years ago | (#25216779)

Thief! That's MY address!

Re:Go for it, take on my machine! (1)

operator_error (1363139) | more than 4 years ago | (#25216815)

Um, excuse me sir. Would you like to see my pending patent?

Re:Go for it, take on my machine! (1)

Dannybolabo (980836) | more than 4 years ago | (#25216819)

Mum, is that you?!

Re:Go for it, take on my machine! (1)

IceCreamGuy (904648) | more than 4 years ago | (#25216925)

FTS:

researchers claim that they have been able to take down every system with a TCP/IP stack that they have attempted

Last time I checked, that includes Unix and BSD. Not only does it include BSD, but since the XP TCP stack literally is the BSD stack, I think your point is pretty irrelevant.

Re:Go for it, take on my machine! (1)

Culture20 (968837) | more than 4 years ago | (#25217163)

(and then you throw in BSD based ones as well...)

You do know that MS didn't write Windows' TCP stack on their own, right?

this is not news... it's a reach around... (1, Insightful)

Anonymous Coward | more than 4 years ago | (#25216737)

FTFA... "Robert and Jack are smart dudes"

yep ... and i'm scared now cuz the smart dudes told us the sky is falling, but don't ask why, they are working with the "vendors" in secret. which must be a lot since this affects every tcp/ip stack in existence.

who is jacking off who here?

Oh no (0)

Anonymous Coward | more than 4 years ago | (#25216753)

TCP/IP stacks are telling my operating system not to work any more.

Things that make you go 'Hmmm...' (4, Interesting)

Drakkenmensch (1255800) | more than 4 years ago | (#25216757)

It sort of makes you wonder - if such a critical, destructive and EASY way to cripple the entire internet exists... why hasn't it been discovered yet so late in the game, and why are the usual DOS targets still operating normally?

The simple fact that I'm posting this reply makes me doubt the "ZOMG UNSTOPPABLEZ" aspect of this claim, is all.

So... (1)

imyy4u3 (1290108) | more than 4 years ago | (#25216797)

when exactly are they going to explain how it is done? I would be interested to know...and I'm sure if they release the details, someone somewhere in the world will have a fix up within hours.

Then again, once it is posted, I predict that all the major internet sites will go down within hou

(error 404)

Re:So... (1)

IBBoard (1128019) | more than 4 years ago | (#25217045)

I think you wanted a "signal terminated" to show your machine had been taken off-line in a 'hilarious' "I'm in the middle of typing something that isn't on /. until I submit" post. Error 404 means a suitable response was not found, which means you got some contact ;)

Nah (3, Funny)

Twinbee (767046) | more than 4 years ago | (#25216799)

Ignore the story, there's very little chance that a single virus can take down all systems, especially if the user is not running Windows.

I for instance have multiple rock solid software and hardware firewalls, and most ports blocked - I'd like to see it try taking dow

Re:Nah (-1, Redundant)

(Score 5, Flamebait) (915262) | more than 4 years ago | (#25217039)

I think I see how this works.... Come on mods, hurry and mod me funny! Cut me in on the action before it's too lat





(just kidding, I'm still here. But still waiting for the funny...)

Re:Nah (0)

Anonymous Coward | more than 4 years ago | (#25217383)

This is MEANT to be funny yeah? It sort of sounds too serious... a virus???

More information available at this blog... (1, Informative)

Anonymous Coward | more than 4 years ago | (#25216801)

http://blog.robertlee.name

For those who can't listen to the interview (5, Informative)

radi0man (191807) | more than 4 years ago | (#25216803)

Here's a link to an article in English:

http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1332898,00.html [techtarget.com]

From the article:

Many TCP servers use a technique known as a SYN cookie in order to prevent attackers using spoofed IP addresses from launching SYN flood denial-of-service attacks against them. The cookie is essentially a chosen TCP initial sequence number that is calculated using some specific hashed metadata that reflects the details of the specific TCP connection. Once the client returns a correct packet to the server, the server knows that the client isn't using a forged IP address.

Sockstress computes and stores so-called client-side SYN cookies and enables Lee and Louis to specify a destination port and IP address. The method allows them to complete the TCP handshake without having to store any values, which takes time and resources. "We can then say that we want to establish X number of TCP connections on that address and that we want to use this attack type, and it does it," Lee said.
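As an added illustration of the stateless SYN cookie handshake described in the article text quoted here (and in the "How it works" post above), the following is a simplified Python implementation of the Bernstein/Schenk scheme written for this thread; it is example code, not the Linux kernel's implementation, and the secret, the MSS table, the 64-second time slice and the 4-slice acceptance window are assumed values.

```python
"""Server-side SYN cookie generation and stateless validation.

Simplified demonstration of the Bernstein/Schenk scheme, not the Linux
kernel's code. The secret, MSS table, time slice and acceptance window
below are assumptions made for this example.
"""
import hashlib
import hmac
import struct

# Assumed per-boot secret; a real stack draws this from a CSPRNG at boot.
SECRET = b"constructed-demo-secret-not-for-production"

# Assumed MSS table. The cookie only has 3 spare bits for an index into
# this table, which is why a SYN cookie loses most other TCP options.
MSS_TABLE = [536, 1220, 1460, 4312, 8960]

TIME_SLICE = 64    # seconds per value of the time counter t (assumed)
COOKIE_WINDOW = 4  # accept cookies up to 4 slices (~4 minutes) old (assumed)


def _counter(now):
    """Coarse time counter used to expire cookies."""
    return (int(now) // TIME_SLICE) & 0xFFFFFFFF


def _hash24(saddr, daddr, sport, dport, t):
    """24-bit keyed hash over the connection 4-tuple and time counter."""
    msg = struct.pack("!4s4sHHI", saddr, daddr, sport, dport, t)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(saddr, daddr, sport, dport, mss, now):
    """Build the ISN for a SYN-ACK. The server stores nothing; the ISN is the state.

    Layout (32 bits): t mod 32 (5 bits) | MSS index (3 bits) | hash (24 bits)
    """
    t = _counter(now)
    idx = 0
    for i, m in enumerate(MSS_TABLE):      # largest entry not above client MSS
        if m <= mss:
            idx = i
    h = _hash24(saddr, daddr, sport, dport, t)
    return ((t & 0x1F) << 27) | (idx << 24) | h


def check_cookie(saddr, daddr, sport, dport, ack, now):
    """Validate the final ACK of a handshake the server kept no record of.

    Returns the negotiated MSS on success, None if the cookie is stale,
    forged for another 4-tuple, or otherwise tampered with.
    """
    cookie = (ack - 1) & 0xFFFFFFFF        # client ACKs our ISN + 1
    t_low = cookie >> 27
    idx = (cookie >> 24) & 0x7
    h = cookie & 0xFFFFFF
    t_now = _counter(now)
    # Recover the full counter from its low 5 bits and reject old cookies.
    age = (t_now - t_low) & 0x1F
    if age > COOKIE_WINDOW:
        return None
    t = (t_now - age) & 0xFFFFFFFF
    if idx >= len(MSS_TABLE):
        return None
    expected = _hash24(saddr, daddr, sport, dport, t)
    if not hmac.compare_digest(h.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None
    return MSS_TABLE[idx]


def demo_handshake():
    """Run one handshake with constructed TEST-NET addresses; returns the MSS."""
    client = bytes([192, 0, 2, 10])        # constructed sample client address
    server = bytes([203, 0, 113, 5])       # constructed sample server address
    isn = make_cookie(client, server, 40000, 80, 1460, now=1_000_000)
    # ... SYN-ACK goes out, server forgets everything, ACK arrives 30 s later.
    return check_cookie(client, server, 40000, 80, (isn + 1) & 0xFFFFFFFF, now=1_000_030)


if __name__ == "__main__":
    print("negotiated MSS:", demo_handshake())
```

The ACK carries everything the server needs to validate the connection without having stored anything at SYN time, and because the only spare bits carry an MSS table index, the other options from the client's SYN are lost, which is the "limited support of TCP options" limitation mentioned earlier in the thread.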

Re:For those who can't listen to the interview (0)

Anonymous Coward | more than 4 years ago | (#25216943)

Huh. So this is essentially the DNS vulnerability all over again, where knowing a specific "magic value" means "you're the person I was speaking to before," and that magic number has some exploitable weakness in it...

Re:For those who can't listen to the interview (0)

Anonymous Coward | more than 4 years ago | (#25217003)

It's just a really old style syn flood. The only twist is that it's slightly more efficient on the client end, which doesn't matter since it's easy to limit the number of syns from a given IP and they can't hide their IP address. The only thing potentially new here is that a botnet might be able to attack more hosts, but it would not be any more effective against a single host.

Re:For those who can't listen to the interview (1)

jandrese (485) | more than 4 years ago | (#25217059)

I thought the point was that they can forge their return IP address because they can spoof the Syncookie somehow? The attack being that you just force the host to create a gob-jillion syncookies (which have to be stored, eating up resources) and then do a plain old resource exhaustion attack.

So it's a DoS abusing SYN cookies? (1)

RenHoek (101570) | more than 4 years ago | (#25217181)

So.. setting up a SYN cookie handshake takes up memory on the server. And by calculating the correct response to a SYN cookie challenge they defeat the handshake, opening the port on the server, and then they set a new connection from a new forged IP address. This takes up memory and connections on the server machine, leaving connections to time out.

Do I have this correct?

This virii is NOT NEW (-1, Troll)

Anonymous Coward | more than 4 years ago | (#25216811)

UM i really hate to say this
BUT THIS IS NOT NEW
A design was made over 8 years ago like this except it actually had a few extra features this one apparently does not have.

CHRoNoÂÂ
United Hackers Association

Re:This virii is NOT NEW (0)

Anonymous Coward | more than 4 years ago | (#25216985)

  1. Unicode does not compute
  2. Virii is the plural form of virus, and 'this' indicates something in the singular, as does 'is.'

Re:This virii is NOT NEW (0)

Anonymous Coward | more than 4 years ago | (#25217139)

Virii is only the plural form of virus if you are an idiot and not familiar with the roots of the word virus.

Power grids? (3, Insightful)

Porchroof (726270) | more than 4 years ago | (#25216857)

Why do I constantly find stories about how our power grids, nuclear energy sites, military bases, Federal government, etc., etc., will be taken down by Internet hackers? Please don't tell me that all of those resources are accessible over the Internet. Why in God's name would anyone put such resources on the Internet?

Re:Power grids? (1)

Drakkenmensch (1255800) | more than 4 years ago | (#25216923)

True that. Real life doesn't work like Family Guy where Stewie takes control of the entire world's power grid from a single keyboard. Hydro-electric, coal and nuclear power plants used to work just fine before the advent of the internet and have like, you know, levers and switches.

Re:Power grids? (1)

Mr. Slippery (47854) | more than 4 years ago | (#25217397)

Why in God's name would anyone put [power grids, nuclear energy sites, military bases, Federal government, etc.] on the Internet?

Because people are sometimes very, very dumb.

Read this comp.risks item about a monitoring PC at a nuke plant getting infected by the Slammer worm [ncl.ac.uk] . Fortunately, the plant was off-line, and had analog backups.

Now consider this case [ncl.ac.uk] , where excessive network traffic led to a nuke plant losing its recirculation pumps and being manually scrammed. In this case it doesn't seem that the local net was directly connected to the Internet; however excessive traffic is exactly what can be caused by this TCP attack.

Now, put the two together: create a worm that spreads, lies dormant, then wakes up one day and throws this TCP attack at everything it can...could be a bad day.

pff (5, Funny)

amnezick (1253408) | more than 4 years ago | (#25216861)

Typical /. reaction to potential danger:

"Hah. Until I don't taste nuclear winter snow I don't believe that's gonna happen'"

Give the man his nuke. He earned it.

who wrote this?? (3, Interesting)

nimbius (983462) | more than 4 years ago | (#25216865)

someone's mom needs to check the basement more often...

TFA starts off with "things are a brewin' in sweden"

"Robert and Jack are smart dudes."

"I feel winter slowly coming, and it would be a shame if entire power grids could be taken offline with a few keystrokes, or if supply chains could be interrupted. I hear it gets awfully cold in Scandinavia. "

The sky is falling! (3, Interesting)

slashqwerty (1099091) | more than 4 years ago | (#25216875)

Another security researcher claims the sky is falling. There are no details, no proof of concept, nothing to prove the alleged vulnerability even exists. Here's something those researchers should learn: if you can't back up your claims with proof it doesn't exist!

I don't understand... (1)

hyades1 (1149581) | more than 4 years ago | (#25216931)

Why didn't they publish a detailed description of their exploit? If they don't supply enough information to let any script kiddie with "toolz" create havoc and end Western Civilization, they must be just blowing smoke and sowing FUD, right?

Re:I don't understand... (1)

hal9000(jr) (316943) | more than 4 years ago | (#25217417)

Because IF they are right AND this vulnerability will expose every IP device on the network to a DoS, THEN it's pretty fricking dangerous.

Factual Inaccuracy (2, Informative)

CaptainOfSpray (1229754) | more than 4 years ago | (#25216955)

The interview is in Dutch, not Swedish. And since the researchers' names are Robert E. Lee and Jack C. Lewis, I don't believe they are Swedish either.

The sky is falling! (3, Insightful)

Lord Byron II (671689) | more than 4 years ago | (#25217009)

Quickly, go yank the cable/dsl connection right out of the wall before it's too late!

Come on... I'm not going to listen to mp3, but the /. summary and the article both are dangerously low on details. This affects every machine with a TCP/IP stack? IPv4 and IPv6? Leaves the machines in a permanent state of DOS? There's no prevention? No fix? And you can't even test it because it might take down "other devices between here and there"?

Pardon me, I'm off to find myself a huge grain of salt.

They might have missed a small detail (1)

SL1200MKII (1263800) | more than 4 years ago | (#25217029)

According to the article:

... I asked him if he'd be willing to DOS us, and he flatly said, "Unfortunately, it may affect other devices between here and there so it's not really a good idea."

So if they tried to launch a DOS against me and inadvertently take out all the devices a few hops before they get to me, how is this attack going to reach me?

They will have no way of knowing if the attack even worked, since all routes to me are down.

Re:They might have missed a small detail (2, Insightful)

JayJay.br (206867) | more than 4 years ago | (#25217087)

It reaches you in that no one else can see you on the Internet. If all routes are down, you can't communicate. Done, denial of service at its best, even if no packet ever reaches your interface.

That, still assuming that all of this is true.

Re:They might have missed a small detail (1)

jdunn14 (455930) | more than 4 years ago | (#25217191)

You're also assuming that the devices that go down affect most other people trying to connect to the target. If the devices on your routes to the target that go down first are the ones closer to the attacker (an assumption, but not a crazy one) then this is kind of a non-issue. The attacker and people "near" him may not be able to access the site, but it completely depends on what fails first as to whether the target site is offline to the world as a whole.

Re:They might have missed a small detail (1)

SL1200MKII (1263800) | more than 4 years ago | (#25217193)

This is assuming that they will be able to take out all routes to me. Just because they cut off all routes from their end, doesn't mean there are no other routes available to other people.

Say they launched the DOS from Sweden and took out all the devices in the first hop, that doesn't mean everyone else in the world will not be able to reach me.

Re:They might have missed a small detail (1)

John Hasler (414242) | more than 4 years ago | (#25217309)

> Say they launched the DOS from Sweden and took out all the devices in the first hop,
> that doesn't mean, everyone else in the world will not be able to reach me.

In fact all it means is that they've DOSed themselves and maybe a couple of neighbors.

(Note: I am commenting on SL1200MKII's comment, not on the subject of the purported attack.)

Re:They might have missed a small detail (1)

JayJay.br (206867) | more than 4 years ago | (#25217365)

Thing is, if I use half a dozen zombies near to you, even if your hypothesis happens, I cut you off.

Also, quoting yourself quoting the article: "Unfortunately, it may affect other devices between here and there so it's not really a good idea."

That does not sound like "first hop" only.

And even if it proves harmless for home users, what about a company that, suddenly, loses communications with a whole country? Or city? Or neighborhood? or ISP? (obviously depending on the company, ISP, and whatnot)

One or two hops could be enough.

I'd say that, if this vulnerability is confirmed, a lot of damage will be done. Even with all the mitigating factors mentioned in the thread.

DOOMSAYERS (1)

Kratisto (1080113) | more than 4 years ago | (#25217135)

Oh great, another article on Slashdot about how a new, horribly scary security hole in the internet has been found, and now we're all going to go back to the 1930's and relearn how to use slide-rules, and the popularity of vacuum tubes will take off again. Supposing the internet is still working in a few hours, you'll all be jabbering on about how the LHC is going to Bosenova the Earth to smithereens or something. I can't believe how many times these "OUR TECHNOLOGY IS DOOMED!!!" articles show up. You'd think that eventu

so what you are saying is (1)

halfEvilTech (1171369) | more than 4 years ago | (#25217151)

they discovered the slashdot effect?

step 1 - post link on slashdot
step 2 - site goes down from traffic
step 3 - ???
step 4 - profit!

killer viruses don't spread well (1)

snsh (968808) | more than 4 years ago | (#25217225)

A virus that takes the host offline is not a very effective virus. The virus needs to keep the host alive to reproduce and spread, otherwise it won't let itself run wild.

the cutoff jokes are just old (1, Insightful)

jdunn14 (455930) | more than 4 years ago | (#25217243)

Every time there's a story about a connection dying or a machine crashing we see a flood of posts that end lik

It was funny _once_. Maybe. Be more creative. I'm trying to waste my day at work reading /. so could you people make up some new ones? And I'm not going to even delve into the fact that thanks to the ways posting content to a website works the failure wouldn't look remotely like this... we're not all on modems connecting to a BBS.

Let's give them the benefit of the doubt (2, Insightful)

Maguscrowley (1291130) | more than 4 years ago | (#25217279)

Let's assume that they have actually discovered this industry sweeping exploit.

So they went and contacted the vendors like good white hats. Now, if their intent was to be contributors to the greater good of security they would stop at this level of correspondence and work with the companies until the problem is fixed.

However, they released this article to inform the public. Normally when someone does this it is with the intention of providing the public with the knowledge, tools, or rallying them to activism towards the end of making the upstream change things. This article does not constructively inform in this way and does not give the end user something to throw upstream. Then what is this article accomplishing?

The fact that we are discussing this and that we have, theoretically, RTFA implies that we have exposed ourselves to their names, tools, and services. It also loosely implies a need for their services and their "skill." Quotations are entered around "skill" as I the reader have no way of actually confirming their skill because of the lack of real material to observe. From this perspective, I am tempted to conclude that this article serves as little more than an advertisement for their services and a cry for attention.

What then, you may ask. Do I suggest that they leak "dangerous" information and risk their horror story becoming reality? No; rather I propose that if their intentions were really to protect the Internet, they should have stopped the discussion of their research from the immediate parties involved.

I do not necessarily advocate any of these stances as this analysis is meant to be normative.

Missed part (1)

T.E.D. (34228) | more than 4 years ago | (#25217385)

I read TFA, but somehow I missed the part about the nth complexity binary loop [tamu.edu] .

I'm safe (5, Funny)

goddidit (988396) | more than 4 years ago | (#25217393)

This doesn't me since use I UDP all communications communications for.

Everybody turn off syncookies.... (1)

russotto (537200) | more than 4 years ago | (#25217455)

Because in a week I'm going to be auto-DOSing every frigging zombie which connects to my servers and tries to send spam or crack SSH.

(No, not really. Besides, the botnet people would probably turn off syncookies on their zombies)

Something strange... (3, Insightful)

nweaver (113078) | more than 4 years ago | (#25217471)

It sounds like a blind resource consumption attack against SYN-cookie implementations, no? (Without SYN-cookies, the attack is trivial, just spoof SYNs).

http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1332898,00.html [techtarget.com]

SYN-cookies are a simple idea. Upon receiving a SYN, rather than creating all the state, the server returns a SYN/ACK with the SEQ value = H(IP,ACK value). Thus when it sees the ACK packet it can check that the value is returned, and then create all the state.

If this is the case, it seems to require that a SYN-cookie be predictable, that the attacker can probe a client to predict what H(IP,ACK value) is. If that is the case then there is an easy fix: simply use more and better random data as salt in a better hash function.

Simply because ANY blind resource consumption attack against a SYN-cookie server requires knowing what the SEQ value from the server for the SYN/ACK is, in order to establish a connection by sending the proper ACK (and then some data to load the server further).

If the attacker can't predict the SYN/ACK's SEQ value, it can't construct a proper ACK and cause the server to consume resources.
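
The stateless check nweaver describes, as an added illustration that is not part of this thread or of any vendor's code: a toy SYN-cookie encoder/validator in Python. The server allocates no state on SYN; it folds the 4-tuple, the client's initial sequence number and a coarse time counter into a keyed hash that becomes the SYN/ACK sequence number, and only builds a connection when the returning ACK carries that value plus one. The cookie layout (5-bit time counter, 3-bit MSS index, 24-bit HMAC truncation), the 64-second tick and the `SynCookieServer` class are assumptions of this example, not any particular kernel's format. The per-server random secret is the "better random data as salt" fix the comment suggests: without it, anyone who can compute H can mint valid ACKs; with it, an off-path party cannot.

```python
import hashlib
import hmac
import os
import socket
import struct


class SynCookieServer:
    """Stateless SYN handling (hypothetical layout, for illustration only).

    32-bit cookie = 5-bit time counter | 3-bit MSS index | 24-bit keyed hash.
    The hash covers the 4-tuple, the client's ISN and the counter, so a cookie
    is only valid for the peer it was issued to and for a short window.
    """

    COUNTER_BITS = 5
    MSS_TABLE = (536, 1220, 1460, 4312)   # MSS values that can be recovered
    WINDOW = 2                            # cookie stays valid this many ticks

    def __init__(self, secret=None, tick_seconds=64):
        # Random per-server secret: the "salt" that makes cookies unpredictable.
        self.secret = secret or os.urandom(32)
        self.tick_seconds = tick_seconds

    def _counter(self, now):
        return int(now // self.tick_seconds) & ((1 << self.COUNTER_BITS) - 1)

    def _mac(self, saddr, daddr, sport, dport, client_isn, count):
        msg = struct.pack("!4s4sHHII", socket.inet_aton(saddr), socket.inet_aton(daddr),
                          sport, dport, client_isn & 0xFFFFFFFF, count)
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:3], "big")      # 24-bit truncation

    def make_cookie(self, saddr, daddr, sport, dport, client_isn, mss, now):
        """Called on SYN: returns the SEQ to place in the SYN/ACK. No state kept."""
        count = self._counter(now)
        mss_idx = 0
        for i, m in enumerate(self.MSS_TABLE):   # largest table MSS <= offered MSS
            if m <= mss:
                mss_idx = i
        mac = self._mac(saddr, daddr, sport, dport, client_isn, count)
        return (count << 27) | (mss_idx << 24) | mac

    def check_cookie(self, saddr, daddr, sport, dport, client_isn, ack, now):
        """Called on the final ACK: returns the negotiated MSS if the ACK number
        proves the peer saw our SYN/ACK, else None (nothing is allocated)."""
        cookie = (ack - 1) & 0xFFFFFFFF          # client ACKs our SEQ + 1
        count = cookie >> 27
        mss_idx = (cookie >> 24) & 0x7
        mac = cookie & 0xFFFFFF
        age = (self._counter(now) - count) & ((1 << self.COUNTER_BITS) - 1)
        if age > self.WINDOW:                    # stale or replayed cookie
            return None
        expected = self._mac(saddr, daddr, sport, dport, client_isn, count)
        if not hmac.compare_digest(mac.to_bytes(3, "big"), expected.to_bytes(3, "big")):
            return None                          # forged or guessed ACK
        if mss_idx >= len(self.MSS_TABLE):
            return None
        return self.MSS_TABLE[mss_idx]


if __name__ == "__main__":
    # Constructed sample handshake from a documentation-range client address.
    srv = SynCookieServer()
    seq = srv.make_cookie("203.0.113.5", "198.51.100.7", 40000, 80, 123456, 1460, now=1000.0)
    print("SYN/ACK SEQ (cookie): 0x%08x" % seq)
    print("legit ACK  ->", srv.check_cookie("203.0.113.5", "198.51.100.7", 40000, 80, 123456, seq + 1, now=1010.0))
    print("wrong ACK  ->", srv.check_cookie("203.0.113.5", "198.51.100.7", 40000, 80, 123456, seq + 2, now=1010.0))
    print("stale ACK  ->", srv.check_cookie("203.0.113.5", "198.51.100.7", 40000, 80, 123456, seq + 1, now=1300.0))
```

The defender-side point is the last two checks: an ACK whose number does not match the keyed hash, or one arriving outside the counter window, costs the server nothing but a hash computation, so the only way to make it allocate a full connection blindly is to predict the hash, which the secret prevents.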

Off-topic, I know... but... (2, Interesting)

erroneus (253617) | more than 4 years ago | (#25217483)

...something about this article made me think of something else.

With these caps and limits being placed on customers of Comcast and others, I have to wonder if the customer is being protected or indemnified against people attacking their accounts with massive data packets in order to fill up their limits? This wouldn't be a [D]DoS exactly, but potentially, it could be an [E]DoS in effect -- E meaning "Expensive."

I know personally, after having realized this, if I knew any Comcast customers I didn't particularly like, I might be tempted to set up a dyndns entry for their IP address and mention them on slashdot...

I smell BS... (0)

Anonymous Coward | more than 4 years ago | (#25217485)

Reminds me of the Win95 invalid datagram attack that caused a buffer overflow. For it to be platform agnostic, it would need to be a specification problem, rather than implementation.

This sounds bogus.
