|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
From: Peter J. Philipp (pjp
solarscale.de)
Date: Wed Oct 01 2008 - 13:11:50 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Fernando Gont wrote:
> At 01:56 p.m. 01/10/2008, Peter J. Philipp wrote:
>
>> I listened to the podcast and got the idea that the socket is in
>> ESTABLISHED state (so after 3 way handshake) and they
>> mention that a packets PCB resources have timers, and that is what
>> they exploit.
>
> That was just an example of the type of resources that could be
> exhausted.
>
>
>> Perhaps you establish the session and
>> send an HTTP request (pretend it's http) and never ACK the answer
>> that gets repeated based on the internal timers. It seemed to me
>> they say that some stop repeating their content and just die.
>
> That would be Shalunov's netkill attack, which aims at exhausting
> memory by tying it to both PCBs and socket send buffers.
I looked this up on google, the URL for this attack is here:
http://shlang.com/netkill/ , I noticed it was a little bit
different from what I described because the state is in the FIN_WAIT_1
state on the remote machine, the TCP state
diagram in RFC 793 page 23 shows that a FIN is sent from the client's
close() to the server to reach that state, so it differs. If you have
a userland TCP/IP stack you can cease communication without the FIN
being sent.
I listened to the interview's first 5 minutes again and they mention
their own TCP/IP stack and that it was quite fast giving them a large
window; so large window, established state and userland TCP/IP stack is
their formula.
Here is the URL for the interview again the first 5 minutes are in
swedish so one can skip them:
mplayer -ss 5:0 http://debeveiligingsupdate.nl/audio/bevupd_0003.mp3
If the discoverers of this bug don't make their sockstress available to
OpenBSD then I have a userland TCP/IP stack for OpenBSD developers (mail
me), but it's only written to be a server, but I suspect it would be
easy to make it a client, just have to dust it off from my CVS as it's
quite old (2004 possibly).
Regards,
-p
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]