
More hype, or a hint of new DoS attacks?

Written by Rik Farrow, Contributor

CERT and BindView last week simultaneously announced the discovery of Naptha, a new tool for implementing Denial of Service (DoS) attacks. Because it exploits vulnerabilities in TCP, almost all operating systems appear vulnerable to the new attack tool. The warning left security analysts wondering if this was a taste of attacks to come, like those that brought e-commerce sites to their networking knees last winter. After all, CERT issued an advisory last December warning of the very attacks that surfaced this past February.

At this point, few believe that the BindView announcement is anything but marketing hype from a security company pumping its public relations machine. But I'm not convinced that this issue can or should be ignored.

Distributed Denial of Service (DDoS) attacks use teams of agents running on servers or workstations connected to the Internet to flood targeted servers with enough network packets to overwhelm the network capacity of even sites designed to handle millions of Web hits per day. In flooding attacks, it is the sheer volume of network data that overwhelms the victims' connection to the Internet.

The attack described in CERT Advisory 2000-21 and in the technical description provided by BindView does not involve flooding. Instead, a small group of attackers working in concert could slow down or crash Internet-connected servers while sending data over slow modem links. This attack relies on resource depletion, using up memory and operating system constructs until the server crashes or becomes unusable.

To visualize this attack, imagine the sales service center for a large catalog. The sales center has 100 people ready to answer the phone, take orders, and verify credit card information. As long as no more than 100 people are calling at any time, no customer is put on hold, the catalog company continues to do business, and everyone is happy (assuming that someone is calling).

A resource depletion attack against this company works by calling up the company, placing an order, providing shipping info, then stalling completion of the sale somehow: "Uh, excuse me, my credit card is in the other room, could you hold on a minute?" The attacker puts this call on hold, places another call, and starts the same process again. Eventually, all 100 service reps are on hold, waiting for the "customer" who will never return.

In real life, the service reps would hang up after a minute or so. And how many attackers have the 100 phone lines needed to launch such an attack? These issues are also factors in the network-based version of this attack. Earlier versions of a resource depletion attack, like octopus, used up resources on the attacking computer as well (similar to the catalog attacker's phone lines), and the attack then hinged on which computer had the most resources.

The BindView team's Naptha tool eliminates the problem of depleting the attacker's own resources. Instead of actually creating connections to the victim, the Naptha tool fools the victim's operating system into thinking it sees valid network connections. The victim's Web server application waits for a valid request, or receives a request and attempts to send the data, which instead languishes in the operating system because it cannot be sent. Because the connections are simulated instead of real, an attacker can launch a devastating attack with little in the way of resources.
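The call-center analogy and the description of Naptha above boil down to one arithmetic fact: a server with a fixed number of connection slots and no idle timeout fills at the attacker's connection rate, while one that reaps idle connections after a timeout settles at (rate × timeout) held slots, so the attacker only wins when that product reaches the table size. The following discrete-time model is an added example written for this page; it is not code from the article, from CERT, or from BindView's Naptha tool, and the capacity, rate and timeout values in it are constructed for illustration.

```python
"""Discrete-time model of a resource-depletion attack against a fixed-size
connection table, in the spirit of the catalog call-center analogy.
Added example, not code from the article or from the Naptha tool; all
parameters are constructed and hypothetical."""

from collections import deque


def occupancy_over_time(capacity, attacker_rate, idle_timeout, ticks):
    """Simulate `ticks` time steps against a table of `capacity` slots.

    Each tick the attacker opens `attacker_rate` connections that it then
    stalls forever (it never sends the request or acknowledges the reply).
    The server reaps a stalled connection once it has been idle for
    `idle_timeout` ticks; `None` means the server never hangs up.
    Returns a list with the number of occupied slots after each tick.
    """
    held = deque()  # tick at which each still-held connection was opened
    history = []
    for now in range(ticks):
        # Reap idle connections first: the rep hangs up after a minute.
        if idle_timeout is not None:
            while held and now - held[0] >= idle_timeout:
                held.popleft()
        # The attacker grabs whatever free slots remain, up to its rate.
        free = capacity - len(held)
        for _ in range(min(attacker_rate, free)):
            held.append(now)
        history.append(len(held))
    return history


def steady_state_occupancy(capacity, attacker_rate, idle_timeout):
    """Closed form of what the simulation converges to: with a timeout the
    attacker holds at most rate * timeout slots; without one it eventually
    holds the whole table."""
    if idle_timeout is None:
        return capacity
    return min(capacity, attacker_rate * idle_timeout)


def slots_left_for_legitimate_clients(capacity, attacker_rate, idle_timeout):
    """How many slots survive for real customers once the attack is steady."""
    return capacity - steady_state_occupancy(capacity, attacker_rate, idle_timeout)


if __name__ == "__main__":
    # 100 "service reps", an attacker opening 10 stalled connections per tick.
    print("no timeout :", occupancy_over_time(100, 10, None, 12))
    print("timeout 5  :", occupancy_over_time(100, 10, 5, 12))
    print("slots left :", slots_left_for_legitimate_clients(100, 10, 5))
```

The model deliberately charges the attacker nothing per connection, which is exactly the point the article makes about Naptha simulating rather than really opening connections: with the attacker's own resources out of the equation, the idle timeout is the only lever the defender controls, and the model shows how short it must be relative to the attack rate for real clients to keep getting through.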

The Naptha tool itself is new, and so far only in the hands of vendors and security consultants. But resource depletion attacks are very old -- for example, a program that calls itself recursively will deplete the space for new programs to start, and a Perl script named netkill was posted to Bugtraq, a full-disclosure mailing list, back in April 2000. If nothing happened after the first disclosure, which included a tool, why should anyone worry now?

For one thing, the netkill tool published in April was not "script-kiddy-ready." Netkill was published to encourage vendors to improve their code, making it more resilient in the face of resource depletion attacks. BindView's Naptha tool goes further, providing vendors directly with a tool that is easier to use, so they can test their own servers for weaknesses. But, so far, Naptha is not in the hands of attackers or script kiddies, so what is the problem?

The problem may be the long-ignored DDoS agents. DDoS attacks have never stopped completely, and new versions of DDoS tools continue to be created and deployed (visit Dave Dittrich's DDoS page for papers and tools relating to DDoS). Most of the newer DDoS tools, like stacheldraht v1.666 and Trinity, have an update feature, permitting the controlling attacker to replace the existing agents with new code, including new attacks.

Resource depletion attacks cannot spoof their source (return) address, making it relatively easy to trace the attacker's network address. By using DDoS agents, bad guys can launch many attacks simultaneously, with each agent creating connections slowly enough to be buried in normal traffic. Instead of the easily recognized signature of a large number of uncompleted connections from a single source, the DDoS agents can produce the same effect from hundreds of different sources.
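The detection consequence of that paragraph is worth making concrete: a per-source count of stalled connections catches the single-source version of the attack, but a distributed version keeps every source under that threshold, so the server also needs an aggregate rule on the total number of stalled connections regardless of origin. The script below is an added example, not code from the article or from any vendor; it runs over a constructed, netstat-like connection table (the column layout, the addresses and the idle times are all made up for illustration) and applies both rules.

```python
"""Detect stalled-connection resource depletion from a connection table.
Added example, not code from the article; the table format and all
addresses and idle times below are constructed for illustration."""

import re
from collections import Counter

# Constructed layout: proto, remote endpoint, local endpoint, TCP state,
# seconds since the last payload byte moved on the connection.
LINE_RE = re.compile(r"^(\S+)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)$")

# One noisy source holding four connections open without ever completing
# a request (the easily recognized single-source signature).
SINGLE_SOURCE = """\
Proto Remote Local State Idle
tcp 10.0.0.5:40001 192.0.2.10:80 ESTABLISHED 2
tcp 10.0.0.6:40002 192.0.2.10:80 TIME_WAIT 120
tcp 198.51.100.7:1025 192.0.2.10:80 ESTABLISHED 95
tcp 198.51.100.7:1026 192.0.2.10:80 ESTABLISHED 94
tcp 198.51.100.7:1027 192.0.2.10:80 ESTABLISHED 93
tcp 198.51.100.7:1028 192.0.2.10:80 ESTABLISHED 90
"""

# Eight agents each holding a single stalled connection: the same effect
# spread over many sources so that no one address looks suspicious.
DISTRIBUTED_AGENTS = "\n".join(
    f"tcp 203.0.113.{i}:3000 192.0.2.10:80 ESTABLISHED 80" for i in range(1, 9)
) + "\n"

SAMPLE_TABLE = SINGLE_SOURCE + DISTRIBUTED_AGENTS


def parse_table(text):
    """Parse the constructed table into dicts; header and malformed rows
    are skipped rather than crashing the monitor."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        _proto, src, _sport, _dst, _dport, state, idle = m.groups()
        rows.append({"src": src, "state": state, "idle": int(idle)})
    return rows


def stalled_by_source(rows, idle_threshold):
    """Count, per remote address, connections that are ESTABLISHED but have
    moved no data for at least idle_threshold seconds."""
    counts = Counter()
    for r in rows:
        if r["state"] == "ESTABLISHED" and r["idle"] >= idle_threshold:
            counts[r["src"]] += 1
    return counts


def per_source_alerts(counts, per_source_limit):
    """Sources holding at least per_source_limit stalled connections."""
    return sorted(src for src, n in counts.items() if n >= per_source_limit)


def aggregate_alert(counts, total_limit):
    """True when the table as a whole holds too many stalled connections,
    whatever their origin; this is the rule that sees the distributed case."""
    return sum(counts.values()) >= total_limit


if __name__ == "__main__":
    counts = stalled_by_source(parse_table(SAMPLE_TABLE), idle_threshold=60)
    print("per-source alerts:", per_source_alerts(counts, per_source_limit=3))
    print("aggregate alert  :", aggregate_alert(counts, total_limit=10))
    dist = stalled_by_source(parse_table(DISTRIBUTED_AGENTS), idle_threshold=60)
    print("distributed only -> per-source:", per_source_alerts(dist, 3),
          "aggregate:", aggregate_alert(dist, 8))
```

Run on the combined table, the per-source rule names only 198.51.100.7 while the aggregate rule also fires; run on the distributed agents alone, the per-source rule stays silent and only the aggregate rule reports a problem. The thresholds are illustrative; in practice the aggregate limit should be set against the server's real connection capacity and the idle threshold against the stack's own timeout, since anything the stack reaps on its own never needs to be counted.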

TCP/IP was not designed for use in hostile environments, where people deliberately misuse the network to make servers unusable. Vendors can modify the way their versions of TCP/IP work so that servers avoid resource depletion, for example by more aggressively timing out idle connections. Some vendors posted suggestions in the CERT advisory for configuring more resources or shorter timeouts. While Windows NT 4 with Service Pack 6a is vulnerable to the Naptha tests, Windows 2000 is not.

Naptha is a demonstration of an attack that has yet to occur, and one that most Internet servers are vulnerable to today. While Windows 2000 may not be vulnerable, Windows 2000 servers make up an insignificant proportion of Web servers on the Internet today, with Linux and Solaris providing the bulk of services. These vendors must modify or provide tuning suggestions for their TCP/IP stacks to fix the problem.

Rik Farrow is an independent Unix and Internet security consultant who has specialized in Unix system administration and security since 1984. He is an instructor for the Computer Security Institute and has led training sessions at many US and European user groups. Farrow is the author of UNIX System Security, and writes columns for Network Magazine, ;login:, and several Web-based magazines.
