Outpost24 TCP Vulnerability Collab
Outpost24 approached CERT-FI about a class of availability attacks against the TCP protocol. These attacks target specific kernel and system resources that are available after a TCP socket has been established.
This collaboration environment is created to serve as an invite only forum for disclosure and discussion about these TCP DoS vulnerabilities. You may create pages and edit information. By default all changes are visible to all users. The users here are vendors and vulnerability coordination parties. The user list is not public.
Contents
Current State of Vulnerability Coordination
We are currently investigating sockstress, the efficiency of its attacks and possible countermeasures for design and implementation on TCP and application levels. As more information on the vulnerability of specific implementations becomes available, these details will be distributed to the relevant vendors. As more information about more generic workarounds or mitigating factors becomes available, it will be added to this collab.
Some of the background information an attacker needs to understand to perform these TCP DoS attacks has been discussed publicly. It may not take a great deal of time for people to connect the dots. Steve Gibson from Security Now trimmed down audio easily guessed the 0-Window attack, as have several others. Thankfully the 0-window attack is the least severe attack for most systems, as it typically will only cause the attacked service to become unavailable, and only for the duration of the attack. Robert Graham has also made some good guesses about vulnerabilities.
The planned testing workshop has been cancelled due to lack of interest Please let us know if there are any other ways CERT-FI can help you with these issues. It is highly recommended that you read the TCP security assessment http://www.cpni.gov.uk/Products/technicalnotes/Feb-09-security-assessment-TCP.aspx written by Fernando Gont of CPNI.
The goal date for disclosing the issues is 9th of June 2009. Please provide comments and statements to our current Advisory draft!
About Sockstress
Sockstress is a user-land TCP socket stress framework that can complete arbitrary numbers of open sockets without incurring the typical overhead of tracking state. Once the socket is established, it is capable of sending TCP attacks that target specific types of kernel and system resources such as Counters, Timers, and Memory Pools. Obviously, some of the attacks described here are considered "well known". However, the full effects of these attacks is less known. Further, there are more attacks yet to be documented. As we document ways of depleting specific resources, we will continue to add attack modules into the sockstress framework.
The sockstress attack tool consists of two main parts
- Fantaip: Fantaip is a "Phantom IP" program that performs ARP for IP addresses. To use fantaip, type 'fantaip -i interface CIDR', Ex., 'fantaip -i eth0 192.168.0.128/25'. This ARP/Layer 2 function could optionally be provided by other means depending on the requirements of the local network topology. Since sockstress completes TCP sockets in user-land, it is not advisable to use sockstress with an IP address configured for use by the kernel, as the kernel would then RST the sockets.
- Sockstress: In it's most basic use, sockstress simply opens TCP sockets and sends a specified TCP stress test. It can optionally send an application specific TCP payload (ie. 'GET / HTTP/1.0' request). By default, post attack it ignores subsequent communications on the established socket. It can optionally ACK probes for active sockets.
The attacks take advantage of the exposed resources the target makes available post handshake.
Please note that the client side cookies, heavily discussed in blogs, news and discussion lists, is an implementation detail of sockstress, and not strictly necessary for committing these attacks.
The attack scenarios
Every attack in the sockstress framework has some impact on the system/service it is attacking. However, some attacks are more effective than others against a specific system/service combination. Outpost24 is working with the vendor community to discover exactly what effects specific attacks have on specific platforms. It is expected that each participating vendor will have their own lab and engineering team available to test all attack types against their own products.
We appreciate your input on the feasibility and severity of the vulnerabilities detailed herein. Please also state if you have been able to reproduce the effects described.
Currently in Sockstress
connection flood stress
Sockstress does not have a special attack module for performing a simple connection flood attack, but any of the attack modules can be used as such if the -c-1 (max connections unlimited) and -m-1 (max syn unlimited) options are used. This would approximate the naptha attack by performing a connection flood, exhausting all available TCB's as described in the CPNI document in section 3.1.1
Example commands:
- # fantaip -i eth0 192.168.1.128/25 -vvv
- # sockstress -A -c-1 -d 192.168.1.100 -m-1 -Mz -p22,80 -r300 -s192.168.1.128/25 -vv
zero window connection stress
Create a connection to a listening socket and upon 3 way handshake (inside last ack) send 0 window.
syn -> (4k window)
<- syn+ack (32k window)
ack -> (0 window)Now the server will have to "probe" the client until the zero window opens up. This is the most simple of the attack types to understand. The result is similar to a connection flood, except that the sockets remain open potentially indefinitely (when -A/ACK is enabled). This is described in the CPNI document in section 2.2. A variation here would be to PSH a client payload (ie. 'GET / HTTP/1.0') prior to setting the window to 0. This variation would be similar to what is described in the CPNI document section 5.1.1. A further variation would be to occasionally advertise a TCP window larger than 0, then go back to 0-window.
Good against:
- services that have long timeouts
Example commands:
- # fantaip -i eth0 192.168.1.128/25 -vvv
- # sockstress -A -c-1 -d 192.168.1.100 -m-1 -Mz -p22,80 -r300 -s192.168.1.128/25 -vv
small window stress
Create a connection to a listening socket and upon 3 way handshake (inside last ack) set window size of 4 bytes, then create a ack/psh packet with a tcp payload (into a window that is hopefully large enough to accept it) with a window still set to 4 bytes. This will potentially cause kernel memory to be consumed as it takes the response and splits it into tiny 4 byte chunks. This is unlike a connection flood in that memory is now consumed for every request made. This has reliably put Linux/Apache and Linux/sendmail systems into defunct states. It is also effective against other systems. We expect this has similar effects to what is described in the CPNI document in the second to last paragraph of page 17.
Note: Look at the payload.c file in the sockstress source. Look for the hport switch statement. In that section you can specify payloads to be sent to specific ports. It is most effective to send a payload that will generate as large of a response as possible (ie 'GET /largefile.zip').
Good against:
- services that contain initial connection banners
- services that accept an initial request and send a large response (for example a GET request against a large web page, or file download)
Example commands:
- # fantaip -i eth0 192.168.1.128/25 -vvv
- # sockstress -A -c-1 -d 192.168.1.100 -m-1 -Mw -p22,80 -r300 -s192.168.1.128/25 -vv
segment hole stress
Create a connection to a listening socket and upon 3 way handshake (inside last ack) send 4 bytes to the beginning of a window, as advertised by the remote system. Then send 4 bytes to end of window. Then 0-window the connection. Depending on the stack, this could cause the remote system to allocate multiple pages of kernel memory per connection. This is unlike a connection flood in that memory is now consumed for every connection made. This attack was originally created to target Linux. It is also quite effective against windows. This is the attack we used in our sec-t and T2 demos. We expect this has similar effects to what is described in the CPNI document in section 5.2.2 5th paragraph and section 5.3.
Good against:
- Stacks that allocate multiple pages of kernel memory in response to this stimulus
Example commands:
- # fantaip -i eth0 192.168.1.128/25 -vvv
- # sockstress -A -c-1 -d 192.168.1.100 -m-1 -Ms -p22,80 -r300 -s192.168.1.128/25 -vv
req fin pause stress
Create a connection to a listening socket. PSH an application payload (ie 'GET / HTTP/1.0'). FIN the connection and 0-window it. This attack will have very different results depending on the stack/application you are targeting. Using this against a Cisco 1700 (IOS) web server, we observed sockets left in FIN_WAIT_1 indefinitely. After enough of such sockets, the router no longer communicate TCP correctly.
Note: Look at the payload.c file in the sockstress source. Look for the hport switch statement. In that section you can specify payloads to be sent to specific ports. It is important that you send a payload that will look like a normal client to the application you are interacting with. Against our cisco 1700, while using this attack it was important to attack at a very slow rate.
Example commands:
- # fantaip -i eth0 192.168.1.128/25 -vvv
- # sockstress -A -c-1 -d 192.168.1.100 -m-1 -MS -p80 -r10 -s192.168.1.128/25 -vv
activate reno pressure stress
Create a connection to a listening socket. PSH an application payload (ie 'GET / HTTP/1.0'). Triple duplicate ACK.
Note: Look at the payload.c file in the sockstress source. Look for the hport switch statement. In that section you can specify payloads to be sent to specific ports. It is important that you send a payload that will look like a normal client to the application you are interacting with.
Good against:
- Stacks that support this method of activating reno or similar scheduler functionality
Example commands:
- # fantaip -i eth0 192.168.1.128/25 -vvv
- # sockstress -A -c-1 -d 192.168.1.100 -m-1 -MR -p22,80 -r300 -s192.168.1.128/25 -vv
To be added
fin_wait_2 stress
Create a connection to a listening socket. PSH an application payload that will likely cause the application on the other side to close the socket (Target sends a FIN). ACK the FIN.
Good against:
- Stacks that don't have a FIN_WAIT_2 timeout.
large congestion window stress
shrink path mtu stress
md5 stress
Effects of the attacks
If the attacks are successful in initiating perpetually stalled connections, the connection table of the server can quickly be filled, effectively creating a denial of service condition for a specific service. In many cases we have also seen the attacks consume significant amounts of event queues and system memory, which intensifies the effects of the attacks. The result of which has been systems that no longer have event timers for TCP communication, frozen systems, and system reboots. The attacks do not require significant bandwidth.
Important Note
While it is trivial to get a single service to become unavailable in a matter of seconds, to make an entire system become defunct can take many minutes, and in some cases hours. As a general rule, the more services a system has, the faster it will succumb to the devastating (broken TCP, system lock, reboot, etc) effects of the attacks. Alternatively, attack amplification can be achieved by attacking from a larger number of IP addresses. We typically attack from a /29 through a /25 in our labs. Attacking from a /32 is typically less effective at causing the system wide faults.
Advice on mitigation
Since an attacker must be able to establish TCP sockets to affect the target, white-listing access to TCP services on critical systems and routers is the currently most effective means for mitigation. Using IPSEC is also an effective mitigation.
The UK CPNI (Centre for the Protection of National Infrastructure) has made available to this closed community a document with advice on how to mitigate these vulnerabilities (it is an excerpt of a - yet unpublished - larger document entitled "Security Assessment of the Transmission Control Protocol (TCP)" on which CPNI has been working for the last two years or so).
The document is available at:attachment:cpni-advice-sockstress-vulnerabilities-ficora-193744.pdf
CPNI would appreciate feedback on this document to improve it for the benefit of the community. You can mail your feedback to csirtuk@cpni.gsi.gov.uk (please also CC fernando@gont.com.ar ).
Whiteboard
Visitors can add their own opinions and thoughts here by clicking the button below.
Also other portions of the frontpage or the Wiki may be edited.
Latest Comments
TCP MD5
Hello, i am testing JunOS with different Backbone Routers, the question is:
Is TCP (with bgp on 179) also affected when md5 auth is enabled?
JunOS 12.0 is at the moment affected, complete tests will be performed next week in our MPLS Backbone Lab.
Greets, Sven Weizenegger, t-systems
Re: vendor workshop contact, and CPNI document
thanks, Juhani!
-- yozo.
Subjects of Last 15 Comments
Full Discussion
References
CPNI TECHNICAL NOTE 3/2009 - SECURITY ASSESSMENT OF THE TRANSMISSION CONTROL PROTOCOL (TCP)
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4609
https://www.cert.fi/haavoittuvuudet/2008/tcp-vulnerabilities.html
http://www.ietf.org/mail-archive/web/tcpm/current/msg02233.html
http://www.archivum.info/tcpm@ietf.org/2006-09/msg00003.html
Outpost24 presentation in Sec-T conference 2008-09-11 - 2008-09-12
Outpost24 presentation in T2 conference 2008-10-17