Network Security Consulting SecurityFocus Article
TCP Flaws Allow Deadly DoS Attacks, Finders Say
Two security researchers claimed this week that flaws in the network stacks used by most operating systems could allow attackers to send a low-bandwidth denial-of-service attack that could leave victims' systems unresponsive.
The researchers -- Jack Louis and Robert E. Lee, both of vulnerability assessment firm Outpost24 -- discovered the flaws while creating a scalable network scanner to test large numbers of Internet addresses. Some of the servers scanned by the tool became non-responsive, and after further investigation, the duo discovered a class of issues in the network stacks used by most operating systems. In the more "interesting" cases, the target machines fail to recover after the attack ceases, Lee, the chief security officer for the Swedish company, told SecurityFocus.
"It is a serious issue because with a relatively small amount of resources you can negatively impact a target with a large amount of resources," Lee said. "This isn't a flood. It is specifically knowing how to tie up a lot of resources for no significant use."
Researchers typically find a major vulnerability in the Internet infrastructure every year or so. In July, Dan Kaminsky, the director of penetration testing for IOActive, disclosed an effective technique for poisoning the Domain Name Service (DNS) infrastructure that Internet users need to find other systems. In 2005, an Argentinean researcher highlighted issues in and possible solutions to how network software deals with ICMP packets. The University of Oulu in Finland discovered issues in the Simple Network Management Protocol (SNMP) in 2002 and the Session Initiation Protocol (SIP) used by voice-over-IP systems in 2003.
With the latest alleged infrastructure issue, the researchers demonstrated the attack at the Sec-T Conference in Stockholm and plan to show the details during a presentation at the T2 Conference in Helsinki later this month. While they have notified the computer emergency response team in Finland (CERT-Fi), the security professionals are still working to notify vendors of the issues.
"Work on determining the scope and impact of the vulnerability is currently ongoing, and will be followed by a coordinated process of patching and publication," CERT-Fi said in a statement on Thursday. "Additional details about the issue will be published following the guidelines of responsible disclosure."
Lee posted comments on the attack to his blog. A Swedish podcaster has also posted an interview, in English, with Lee and Louis, with some more details.
Posted by: Robert Lemos