                             .oO Phrack Magazine Oo.

                         Volume Seven, Issue Forty-Nine
                                 File 2 of 16

                                Phrack Loopback

[The Netly News]

     September 30, 1996

     Today, Berkeley Software Design, Inc. is expected to publicly release 
a near-perfect solution to the "Denial of Service," or SYN flooding attacks,
that have been plaguing the Net for the past three weeks. The fix, dubbed
the SYN cache, does not replace the need for router filtering, but it is 
an easy-to-implement prophylaxis for most attacks.
	"It may even be overkill," says Alexis Rosen, the owner of Public 
Access Networks. The attack on his service two weeks ago first catapulted 
the hack into public consciousness.

	The SYN attack, originally published by Daemon9 in Phrack, has 
affected at least three service providers since it was published last month. 
The attack floods an ISP's server with bogus, randomly generated connection
requests. Unable to bear the pressure, servers grind to a halt.

	The new code, which should take just 30 minutes for a service provider 
to install, would keep the bogus addresses out of the main queue by saving two 
key pieces of information in a separate area of the machine, implementing
communication only when the connection has been verified.  Rosen, a master of 
techno metaphor, compares it to a customs check. When you seek entrance to a 
server, you are asked for two small pieces of identification. The server then
sends a communique back to your machine and establishes that you are a real 
person. Once your identity is established, the server grabs the two missing 
pieces of identification and puts you into the queue for a connection. If 
valid identification is not established, you never reach the queue and the 
two small pieces of identification are flushed from the system.

	The entire process takes microseconds to complete and uses just a few 
bytes of memory. "Right now one of these guys could be on the end of a 300-baud
modem and shut you down," says Doug Urner, a spokesman for BSDI. "With these
fixes, they just won't matter." Still, Urner stresses that the solution does 
not reduce the need for service providers to filter IP addresses at the router.

	Indeed, if an attacker were using a T1 to send thousands of requests per
second, even the BSDI solution would be taxed. For that reason, the developers 
put in an added layer of protection to their code that would randomly drop 
connections during an overload. That way at least some valid users would 
be able to get through, albeit slowly.
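The two ideas in the preceding paragraphs, a small separate holding area that stores only the minimal identification for a half-open connection and moves it to the main queue only after the handshake completes, plus random eviction from that area under overload, as an added toy model. This is example code written for this page, not BSDI's SYN cache implementation; the addresses, ports and capacity are constructed values.

```python
import random
from dataclasses import dataclass, field


@dataclass
class SynCache:
    """Toy SYN cache: bounded holding area for half-open connections (constructed model)."""
    capacity: int                                     # fixed size of the holding area
    rng: random.Random = field(default_factory=random.Random)
    pending: dict = field(default_factory=dict)       # (ip, port) -> server ISN, the "two small pieces"
    established: list = field(default_factory=list)   # the main queue: fully verified connections
    dropped: int = 0                                  # half-open entries randomly evicted under overload

    def on_syn(self, src_ip, src_port):
        """Record only address/port and our initial sequence number; no full connection state yet."""
        key = (src_ip, src_port)
        if key in self.pending:
            return
        if len(self.pending) >= self.capacity:
            # Overload: evict a random pending entry rather than refusing everything,
            # so some legitimate clients can still complete the handshake.
            victim = self.rng.choice(list(self.pending))
            del self.pending[victim]
            self.dropped += 1
        self.pending[key] = self.rng.getrandbits(32)

    def on_ack(self, src_ip, src_port, ack_num):
        """Only an ACK echoing our ISN+1 proves the client is real; only then enter the main queue."""
        key = (src_ip, src_port)
        isn = self.pending.get(key)
        if isn is None or ack_num != (isn + 1) & 0xFFFFFFFF:
            return False            # unverified: entry stays out of the main queue
        del self.pending[key]       # identification flushed from the holding area
        self.established.append(key)
        return True


def simulate(flood_syns=5000, capacity=128, seed=1):
    """Constructed scenario: many SYNs from random addresses that never answer,
    then one legitimate client completing the handshake. Returns
    (client_established, pending_size, established_count, dropped_count)."""
    cache = SynCache(capacity=capacity, rng=random.Random(seed))
    for i in range(flood_syns):   # constructed flood: unique, never-answering sources
        cache.on_syn(f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}", 40000 + (i % 20000))
    cache.on_syn("192.0.2.10", 51515)              # constructed legitimate client
    isn = cache.pending[("192.0.2.10", 51515)]
    ok = cache.on_ack("192.0.2.10", 51515, (isn + 1) & 0xFFFFFFFF)
    return ok, len(cache.pending), len(cache.established), cache.dropped
```

The holding area never grows past its capacity no matter how many spoofed SYNs arrive, and only the verified client ever reaches the main queue.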

	There have been a number of proposed solutions based on the random-drop 
theory. Even Daemon9 came up with a solution that looks for any common 
characteristics in the attack and learns to drop that set of addresses.  For 
example, most SYN attacks have a tempo -- packets are often sent in 
five-millisecond intervals -- when a server senses flooding it looks for these 
common characteristics and decides to drop that set of requests. Some valid 
users would be dropped in the process, but the server would have effectively 
saved itself from a total lockup.

	Phrack editor Daemon9 defends his act of publishing the code for the 
attack as a necessary evil. "If I just put out a white paper, no one is 
going to look at this, no one is going to fix this hole," he told The 
Netly News. "You have to break some eggs, I guess."

	To his credit, Daemon9 actually included measures in his code that made
it difficult for any anklebiting hacker to run. Essential bits of information 
required to enable the SYN attack code could be learned only from reading 
the entire whitepaper he wrote describing the attack. Also, anyone wanting to 
run the hack would have to set up a server in order to generate the IP 
addresses.  "My line of thinking is that if you know how to set a Linux up 
and you're enough in computers, you'll have enough respect not to do this," 
Daemon9 says. He adds, "I did not foresee such a large response to this."

	Daemon9 also warns that there are other, similar protocols that can be 
abused and that until there is a new generation of TCP/IP the Net will be open 
to abuse. He explained a devastating attack similar to SYN called ICMP Echo 
Flood.  The attack sends "ping" requests to a remote machine hundreds of times 
per second until the machine is flooded.

	"Don't get me wrong," says Daemon9. "I love the Net. It's my bread and 
butter, my backyard. But now there are too many people on it with no concern 
for security. The CIA and DOJ attacks were waiting to happen. These holes were
pathetically well-known."

                                --By Noah Robischon

[ Hmm.  I thought quotation marks were indicative of verbatim quotes.  Not
in this case...  It's funny.  You talk to these guys for hours, you *think*
you've pounded the subject matter into their brains well enough for them to 
*at least* quote you properly... -d9 ]

[ Ok.  Loopback was weak this time.  We had no mail.  We need mail.  Send us 
mail! ]