Crashing an email server is as easy as sending an email. Literally.
That was the point brought home to anti-virus software makers when a crusading security expert demonstrated email security flaws with a variation of the so-called Ping of Death attack. "You have all these programs looking at emails to detect viruses, bad words, whatever. Those programs make assumptions that can cause major, major problems," said Rob Rosenberger, network security analyst and Webmaster of the Computer Virus Myths Web site.
Rosenberger created numerous files to demonstrate the techniques to anti-virus software makers and other security companies two months ago. Each file exploits the assumptions programmers have made about an incoming email, and taken together the 20MB cacophony of files can crash most email scanners, claimed Rosenberger.
The anti-virus industry critic likened the attacks to the Ping of Death -- a simple, yet effective method to crash a server that reared its head in 1996. "The Ping of Death is an unanticipated ping. This is an unanticipated email," he said.
Pings are used to test a network to see if an Internet address is valid. Attackers that added enough bytes onto the data to make the ping overlong could cause many servers to crash, gaining the technique the name Ping of Death.
Likewise, Rosenberger created files that violated established protocol: COM files of zero length, zipped files with no content and other techniques. To the server these methods don't make a difference, but many anti-virus and content scanners freeze when they scan such a file.
The problem: When the scanners die, they take the servers with them. Two weeks ago, he presented the techniques to a group of security experts. ZDNN has chosen not to publish the specifics of the techniques. "These are legitimate problems," said Dan Schrader, vice president of new technology for anti-virus software maker Trend-Micro "They are potential denial of service attacks."
Trend is working on patching its software to account for the security holes. Still, while admitting the effectiveness of the exploits, Schrader dismissed their importance. "This problem is going to go away (when we complete the fixes)," he said, adding that while the techniques were "amusing (in their cleverness)... there are other denial of service attacks -- there are lots of ways to crash people's systems."
Another anti-virus firm, Network Associates, has already patched a hole in its product that the files exploited. Still, the company stressed its disapproval for making the fact that there are holes public. "Maybe we fixed our product, but what other products are out there (that haven't been fixed)?" asked Sal Viveros, group product manager for NAI. "Typically, in security you don't go out and announce a flaw unless you know companies are no longer vulnerable."
A rethink needed Rosenberger denounced the so-called "security through obscurity" policy, stressing that the Internet email infrastructure needs to be fixed before these, or similar attacks, are used to crash electronic communications. "We need to rethink the email infrastructure," he said. "The NSA rainbow book (on security) says that we should go back to the design level and fix it. We should."