Subject: Bug, probable DoS in http connection or just paranoia?
From: Omar Herrera (oherreraPRODIGY.NET.MX)
Date: Mon Dec 18 2000 - 00:30:12 CST


I just noticed some strange behavior when accessing through my Linux
box:

http://www.newsnow.co.uk/cgi/NewsNow/NewsFeed.htm?Section=NewsLink&Theme=Encryption+%2F+Security

(actually I reproduced it in another Linux box with another news section
of www.newsnow.co.uk)

This is a news site and most of their pages (sections) update every 5
minutes. Now, I looked at my port connections via 'netstat -an' and
noticed that, after every 5 minutes (the time it takes the page to
refresh), there appeared a bunch of connections in LAST_ACK state:

> netstat -an | more
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        1      0 148.221.217.137:4232    194.205.233.230:80      CLOSE_WAIT
tcp        1      0 148.221.217.137:4231    194.205.233.230:80      CLOSE_WAIT
tcp        1      0 148.221.217.137:4229    194.205.233.230:80      CLOSE_WAIT
tcp        1      0 148.221.217.137:4228    194.205.233.230:80      CLOSE_WAIT
tcp        0    416 148.221.217.137:4225    194.205.233.230:80      LAST_ACK
tcp        0    452 148.221.217.137:4207    194.205.233.230:80      LAST_ACK
tcp        1      1 148.221.217.137:4202    194.205.233.230:80      LAST_ACK
tcp        0    463 148.221.217.137:4200    194.205.233.230:80      LAST_ACK
tcp        1      1 148.221.217.137:4199    194.205.233.230:80      LAST_ACK
tcp        0    416 148.221.217.137:4198    194.205.233.230:80      LAST_ACK
tcp        0    416 148.221.217.137:4194    194.205.233.230:80      LAST_ACK

I traced the address (194.205.233.230) and it turns out that it is
linked to www.newsnow.co.uk

nslookup 194.205.233.230
Server: my.isp.server
Address: xx.xx.xx.xx

Name: www.newsnow.co.uk
Address: 194.205.233.230
Aliases: 230.233.205.194.in-addr.arpa

With each refresh, the number of these connections increased, but after
about 20 minutes more or less (about 4 refreshes) the number of these
connections seemed to be steady; 10 minutes after this, the number
decreased, but it was really slow. I suppose there is a time-out somewhere
in the kernel that closed these after some idle time (shutting down network
interfaces didn't kill any of them).

I thought it could be my firewall (ipchains) configuration or IDS
(snort), so I turned off both for a while but the LAST_ACK connections
still grew in number with each refresh (so I assume none of my defenses
was involved).

I know that in HTTP you establish several connections for different
resources of the page but I thought that all ended in a CLOSE_WAIT state
until they were closed when you redirect your browser to another page.

My question is: could this method of creating idle LAST_ACK connections
be used to perform some kind of DoS attack? (What if this page had a
refresh of 10 seconds?) Maybe this is normal for some web pages out
there on the internet, but I'm worried that the time-out to kill these
connections is too big.

I also noticed that Snort reports a lot of 'ICMP Dest. Unreachable (Port
unreachable)' messages while connected through my browser to this page.
I don't know if this might be related but maybe the refresh combined
with the configuration of the web server or a filtering device in front
of it produces this thing.

Can anyone else reproduce this?

My box: Linux Mandrake 7.2 with kernel 2.2.18.
Also tested this successfully with some other boxes: Linux Mandrake 7.2
(kernel 2.2.17) and Linux Mandrake 7.0 (kernel 2.2.14).

Thanks

Omar Herrera
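An added example, not part of the original post: it automates the check Omar did by hand, parsing `netstat -an` output (a constructed sample in the same layout as above) and counting CLOSE_WAIT/LAST_ACK sockets per remote host so that a pile-up toward one server can be flagged; the function names and the threshold are my own choices.

```python
# Added example: aggregate `netstat -an` output by remote host and TCP state,
# so a pile-up of CLOSE_WAIT/LAST_ACK sockets toward one host stands out.
import re
from collections import Counter

# Constructed sample in `netstat -an` layout (state column on the same line);
# hosts and ports are illustrative, patterned on the post's output.
SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        1      0 148.221.217.137:4232    194.205.233.230:80      CLOSE_WAIT
tcp        1      0 148.221.217.137:4231    194.205.233.230:80      CLOSE_WAIT
tcp        0    416 148.221.217.137:4225    194.205.233.230:80      LAST_ACK
tcp        0    452 148.221.217.137:4207    194.205.233.230:80      LAST_ACK
tcp        1      1 148.221.217.137:4202    194.205.233.230:80      LAST_ACK
tcp        0      0 148.221.217.137:4100    10.0.0.5:443            ESTABLISHED
"""

# proto, Recv-Q, Send-Q, local, foreign, optional state (UDP lines have none).
LINE_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<foreign>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s*$"
)

# Local side has received the peer's FIN and is still finishing teardown:
# CLOSE_WAIT = app has not closed yet; LAST_ACK = our FIN sent, waiting on ACK.
HALF_CLOSED = {"CLOSE_WAIT", "LAST_ACK"}


def parse_tcp(text):
    """Yield (foreign_host, state) for each TCP line in netstat -an output."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("proto").startswith("tcp") and m.group("state"):
            yield m.group("foreign").rsplit(":", 1)[0], m.group("state")


def count_half_closed(text):
    """Map foreign host -> Counter of its CLOSE_WAIT/LAST_ACK sockets."""
    counts = {}
    for host, state in parse_tcp(text):
        if state in HALF_CLOSED:
            counts.setdefault(host, Counter())[state] += 1
    return counts


def hosts_over_threshold(text, threshold=3):
    """Remote hosts holding at least `threshold` half-closed sockets, busiest first."""
    totals = {h: sum(c.values()) for h, c in count_half_closed(text).items()}
    return sorted((h for h, n in totals.items() if n >= threshold),
                  key=lambda h: -totals[h])
```

Feed it the real table with `hosts_over_threshold(open("netstat.txt").read())` and sample it every refresh interval to see whether the count keeps growing or levels off as described above.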