New DoS Attack Is a Killer
Things are a-brewin' in Sweden. Sweden is not just home of the infamous bikini team, it is also the home of Outpost 24, an equally sexy software-as-a-service network scanning service, and the employer of my friend Robert E. Lee and his colleague Jack C. Louis. These guys are the inventors of UnicornScan, a user-land TCP stack turned into a port scanner. Never heard of it? Use Nmap exclusively? Well if you run Linux, I suggest checking it out, especially if missed ports in your portscan is inexcusable. But I digress. By Robert HansenDark Reading
Things are a-brewin' in Sweden. Sweden is not just home of the infamous bikini team, it is also the home of Outpost 24, an equally sexy software-as-a-service network scanning service, and the employer of my friend Robert E. Lee and his colleague Jack C. Louis. These guys are the inventors of UnicornScan, a user-land TCP stack turned into a port scanner. Never heard of it? Use Nmap exclusively? Well if you run Linux, I suggest checking it out, especially if missed ports in your portscan is inexcusable. But I digress.Robert and Jack are smart dudes. I've known them for years, and they've always been one step ahead of the game. A couple of years ago, Jack found some anomalies in which machines would stop working in some very specific circumstances while being scanned. A few experiments, tons of reading through documentation, and one mysteriously named tool called "sockstress" later, and the two are now touting a nearly universal denial-of-service (DoS) attack that can be performed on almost any normal broadband Internet connection -- in just a few seconds.
How bad is it? Well, in an interview --- (fast-forward five minutes in to hear it in English), the two were asked if they could take out a data center. While they've never tried, it appears to be a totally plausible attack. Worse yet, unlike most DoS attacks, the machines often do not come back online once the attack is over. The victim system just doesn't respond any more. Great, huh?
Robert and I talk a lot, and I asked him if he'd be willing to DoS us, and he flatly said, "Unfortunately, it may affect other devices between here and there so it's not really a good idea." Got an idea of what we're talking about now? This appears not to be a single bug, but in fact at least five, and maybe as many as 30 different potential problems. They just haven't dug far enough into it to really know how bad it can get. The results range from complete shutdown of the vulnerable machine, to dropping legitimate traffic.
The two researchers have already contacted multiple vendors since the beginning of September (I've had a small hand in getting them in contact with one of the vendors). Robert and Jack are waiting with no specific timeline to hear back from the affected TCP stack vendors. Think firewalls, OSes, Web-enabled devices, and so on. Yup, they'll all need to be hardened, if the vendors can come up with a good solution to the problem. IPv6 services appear to be more affected by the fact that they require more resources and are no more secure since they still reside on top of an unhardened TCP stack.
Jack and Robert are both trying to be as forthcoming as possible with the affected vendors without giving any specific information on how the attack works to the public at large -- openly acknowledging how dangerous the attack really is. Their hope is that the vendors appreciate the problem and come up with fixes that may not be initially obvious to them. I asked Robert when they planned to release their tool, to which he said he wasn't sure he would "ever release sockstress." The details, however, will be forthcoming once vendor patches are available. There are no mitigating short-term fixes, folks.
I feel winter slowly coming, and it would be a shame if entire power grids could be taken offline with a few keystrokes, or if supply chains could be interrupted. I hear it gets awfully cold in Scandinavia.
- RSnake is a red-blooded lumberjack whose rants can also be found at Ha.ckers and F*the.net. Special to Dark Reading.
 |
To upload an avatar photo, first complete your Disqus profile. | View the list of supported HTML tags you can use to style comments. | Please read our commenting policy. |
Subscribe to RSSInsider Threat Reports
How to Prevent an Illicit Data Dump
There are no silver bullets when it comes to protecting company and customer data from loss or theft, but there are technological and procedural systems that will go a long way toward preventing a WikiLeaks-like data dump. Here are some tips and tricks to help protect your organization's most sensitive information.
Email and Data Loss
Email encryption, rights management, email gateways, and full-on data loss prevention systems can keep corporate data secure. Here's a look at the pros and cons of each, to help you determine what?s best for your business.
An Insider Threat Reality check
Heightened concern that users could inadvertently expose or leak -- or purposely steal -- an organization's sensitive data has spurred debate over the proper technology and training to protect the crown jewels. In this special retrospective of recent news coverage, Dark Reading takes a look at how organizations are handling the threat -- and what users are really up to.
Other reports from the Insider Threat Tech Center:
Related Content
| Sponsored by: |  |
Protection from Insider Threats
Preventing data misuse by trusted users is the most difficult information protection challenge. Insiders already have full authorization to the data, making traditional IT secure methods in effective. Learn about a more powerful security approach and proven strategies to prevent insider misuse.
Strategies for Protecting Intellectual Property
A company's intellectual property (IP) represents a significant portion of assets and a critical component of competitive differentiation, but the potential value of any IP is directly linked to its limit of acceptable use. Learn how you can put your IP to work within collaborative environments without undue risk and maximize competitive advantages.
Protecting Against WikiLeaks Type Events and the Insider Threat
The sensitive information supplied to WikiLeaks and other social justice websites comes from trusted insiders. Get the answers to the open gaps left in the WikiLeaks story and learn how you can prevent insider threats that are just as detrimental in your organization.
Insider Threat: An Inside Look at a Fortune 100 Company's Prevention Program
The ways and means by which a privileged user can successfully steal proprietary data today is staggering. One venerable company that suffered a devastating incident decided to do something about it. Find out how it built one of the most productive insider threat prevention programs in the Fortune 100.
Protection of Intellectual Property and Trade Secrets across a Global Enterprise
As a designer and manufacturer of industrial technology, this Fortune 50 company knew that securing their intellectual property (IP) and trade secret data was essential. It created a program to identify risks to their IP and trade secrets and soon caught a privileged user attempting to compromise IP. Download this case study to see a real example of intellectual property protection at work.
Insider Threat Newsfeed
- Trend Micro Pioneers Integration Of Data-Loss Prevention (DLP) Across The Enterprise
- User-Generated Content Singled Out In Military Dating Hack
- ICSA Labs Launches First Testing Program Of VPN Security For Mobile Device
- NetIQ Minimizes Risk Of Unauthorized Access And Entitlement Creep
- Shape Security Closes $6 Million Series A Funding Round
- European Online Fraud Increases 60%
MORE NEWSFEED >>>
- Big Data at High Speed: Complex Event Processing at 10x
- Unlock the Value of Your Business Data: IBM's Integration Solution for .NET Environments
- Best Practices in SMB Desktop Virtualization
- Thriving in a Multi-Platform World: Integrating Mobile Device Management into Your Overall Security Strategy
- How to Build a Next-Generation Big Data Architecture
