.oO Phrack Magazine Oo. Volume Seven, Issue Forty-Nine File 2 of 16 Phrack Loopback ----------------------------------------------------------------------------- [The Netly News] September 30, 1996 Today, Berkeley Software Design, Inc. is expected to publicly release a near-perfect solution to the "Denial of Service," or SYN flooding attacks, that have been plaguing the Net for the past three weeks. The fix, dubbed the SYN cache, does not replace the need for router filtering, but it is an easy-to-implement prophylaxis for most attacks. "It may even be overkill," says Alexis Rosen, the owner of Public Access Networks. The attack on his service two weeks ago first catapulted the hack into public consciousness. The SYN attack, originally published by Daemon9 in Phrack, has affected at least three service providers since it was published last month. The attack floods an ISP's server with bogus, randomly generated connection requests. Unable to bear the pressure, servers grind to a halt. The new code, which should take just 30 minutes for a service provider to install, would keep the bogus addresses out of the main queue by saving two key pieces of information in a separate area of the machine, implementing communication only when the connection has been verified. Rosen, a master of techno metaphor, compares it to a customs check. When you seek entrance to a server, you are asked for two small pieces of identification. The server then sends a communique back to your machine and establishes that you are a real person. Once your identity is established, the server grabs the two missing pieces of identification and puts you into the queue for a connection. If valid identification is not established, you never reach the queue and the two small pieces of identification are flushed from the system. The entire process takes microseconds to complete and uses just a few bytes of memory. "Right now one of these guys could be on the end of a 300-baud modem and shut you down," says Doug Urner, a spokesman for BSDI. "With these fixes, they just won't matter." still, Urner stresses that the solution does not reduce the need for service providers to filter IP addresses at the router. Indeed, if an attacker were using a T1 to send thousands of requests per second, even the BSDI solution would be taxed. For that reason, the developers put in an added layer of protection to their code that would randomly drop connections during an overload. That way at least some valid users would be able to get through, albeit slowly. There have been a number of proposed solutions based on the random-drop theory. Even Daemon9 came up with a solution that looks for any common characteristics in the attack and learns to drop that set of addresses. For example, most SYN attacks have a tempo -- packets are often sent in five-millisecond intervals -- When a server senses flooding it looks for these common characteristics and decides to drop that set of requests. Some valid users would be dropped in the process, but the server would have effectively saved itself from a total lockup. Phrack editor Daemon9 defends his act of publishing the code for the attack as a necessary evil. "If I just put out a white paper, no one is going to look at this, no one is going to fix this hole," he told The Netly News. "You have to break some eggs, I guess. To his credit, Daemon9 actually included measures in his code that made it difficult for any anklebiting hacker to run. Essential bits of information required to enable the SYN attack code could be learned only from reading the entire whitepaper he wrote describing the attack. Also, anyone wanting to run the hack would have to set up a server in order to generate the IP addresses. "My line of thinking is that if you know how to set a Linux up and you're enough in computers, you'll have enough respect not to do this," Daemon9 says. He adds, "I did not foresee such a large response to this." Daemon9 also warns that there are other, similar protocols that can be abused and that until there is a new generation of TCP/IP the Net will be open to abuse. He explained a devastating attack similar to SYN called ICMP Echo Flood. The attack sends "ping" requests to a remote machine hundreds of times per second until the machine is flooded. "Don't get me wrong," says Daemon9. "I love the Net. It's my bread and butter, my backyard. But now there are too many people on it with no concern for security. The CIA and DOJ attacks were waiting to happen. These holes were pathetically well-known." --By Noah Robischon [ Hmm. I thought quotation marks were indicative of verbatim quotes. Not in this case... It's funny. You talk to these guys for hours, you *think* you've pounded the subject matter into their brains well enough for them to *at least* quote you properly... -d9 ] [ Ok. Loopback was weak this time. We had no mail. We need mail. Send us mail! ] ----<>----