SockStress could make every TCP service vulnerable

The Laughing man from ghost in the shell

I found this by listening to Security Now number 164, it sounds very dramatic and most of you will be thinking yeah yeah whatever but…this seems like the real deal. Rather than try and explain it, here's a subset from the notes of Security now. I did look at a couple other places, but Steve Gibson has the best non-packet hacker description of what's really going on.

“SockStress” (not publicly released) reportedly uses several new techniques to create a low-bandwidth (as low as ten packets per second) local resource depletion attack resulting in denial of service /images/emoticons/laugh.gifoS) by TCP servers (www, ftp, smtp, pop, etc.) running Windows, Linux, BSD, undisclosed routers, and other Internet appliances.

Although the researchers plan to demonstrate their techniques on October 17th, at the end of the second day of the forthcoming T2'08 conference in Helsinki, Finland, their 44 minute interview on September 30th, 2008 for the De Beveiligingsupdate site (see original and edited audio links below) provided far too much detail — enough so that any informed packetsmith who understands the TCP protocol would be able to easily recreate their attacks.

As a consequence, they effectively “went public” with their discovery of these vulnerabilities after informing other vendors only a few weeks beforehand

So generally the Finnish guys have found a way to mess with the TCP stack to the extend that you can cause a deinal of service on ANY server which uses TCP including web, ftp, etc. Using a very low amount of hardware and bandwidth. Not even IPv6 escapes this problem.

Comments [Comments]
Trackbacks [0]

Author: Ianforrester

Senior firestarter at BBC R&D, emergent technology expert and serial social geek event organiser.