Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

9/30/2008
03:13 PM
Commentary
Commentary
Commentary
50%
50%

New DoS Attack Is a Killer

Things are a-brewin' in Sweden. Sweden is not just home of the infamous bikini team, it is also the home of Outpost 24, an equally sexy software-as-a-service network scanning service, and the employer of my friend Robert E. Lee and his colleague Jack C. Louis. These guys are the inventors of UnicornScan, a user-land TCP stack turned into a port scanner. Never heard of it? Use Nmap exclusively? Well if you run Linux, I suggest checking

Things are a-brewin' in Sweden. Sweden is not just home of the infamous bikini team, it is also the home of Outpost 24, an equally sexy software-as-a-service network scanning service, and the employer of my friend Robert E. Lee and his colleague Jack C. Louis. These guys are the inventors of UnicornScan, a user-land TCP stack turned into a port scanner. Never heard of it? Use Nmap exclusively? Well if you run Linux, I suggest checking it out, especially if missed ports in your portscan is inexcusable. But I digress.Robert and Jack are smart dudes. I've known them for years, and they've always been one step ahead of the game. A couple of years ago, Jack found some anomalies in which machines would stop working in some very specific circumstances while being scanned. A few experiments, tons of reading through documentation, and one mysteriously named tool called "sockstress" later, and the two are now touting a nearly universal denial-of-service (DoS) attack that can be performed on almost any normal broadband Internet connection -- in just a few seconds.

How bad is it? Well, in an interview --- (fast-forward five minutes in to hear it in English), the two were asked if they could take out a data center. While they've never tried, it appears to be a totally plausible attack. Worse yet, unlike most DoS attacks, the machines often do not come back online once the attack is over. The victim system just doesn't respond any more. Great, huh?

Robert and I talk a lot, and I asked him if he'd be willing to DoS us, and he flatly said, "Unfortunately, it may affect other devices between here and there so it's not really a good idea." Got an idea of what we're talking about now? This appears not to be a single bug, but in fact at least five, and maybe as many as 30 different potential problems. They just haven't dug far enough into it to really know how bad it can get. The results range from complete shutdown of the vulnerable machine, to dropping legitimate traffic.

The two researchers have already contacted multiple vendors since the beginning of September (I've had a small hand in getting them in contact with one of the vendors). Robert and Jack are waiting with no specific timeline to hear back from the affected TCP stack vendors. Think firewalls, OSes, Web-enabled devices, and so on. Yup, they'll all need to be hardened, if the vendors can come up with a good solution to the problem. IPv6 services appear to be more affected by the fact that they require more resources and are no more secure since they still reside on top of an unhardened TCP stack.

Jack and Robert are both trying to be as forthcoming as possible with the affected vendors without giving any specific information on how the attack works to the public at large -- openly acknowledging how dangerous the attack really is. Their hope is that the vendors appreciate the problem and come up with fixes that may not be initially obvious to them. I asked Robert when they planned to release their tool, to which he said he wasn't sure he would "ever release sockstress." The details, however, will be forthcoming once vendor patches are available. There are no mitigating short-term fixes, folks.

I feel winter slowly coming, and it would be a shame if entire power grids could be taken offline with a few keystrokes, or if supply chains could be interrupted. I hear it gets awfully cold in Scandinavia.

- RSnake is a red-blooded lumberjack whose rants can also be found at Ha.ckers and F*the.net. Special to Dark Reading.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
telecom2k3
50%
50%
telecom2k3,
User Rank: Apprentice
6/22/2019 | 10:48:45 PM
Massive SMTP Server Attacks
I've been noticing a high number of SMTP connection attempts over the last two days.  These attacks are global, but from the US, the Top Offenders are:

 

- Dremhost

- Digital Ocean

- Amazon Web Services

 

Gotta be some exploit going on.  Is anybody else seeing this?
How to Think Like a Hacker
Dr. Giovanni Vigna, Chief Technology Officer at Lastline,  10/10/2019
7 SMB Security Tips That Will Keep Your Company Safe
Steve Zurier, Contributing Writer,  10/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-13116
PUBLISHED: 2019-10-16
The MuleSoft Mule runtime engine before 3.8 allows remote attackers to execute arbitrary code because of Java Deserialization, related to Apache Commons Collections.
CVE-2019-17664
PUBLISHED: 2019-10-16
NSA Ghidra through 9.0.4 uses a potentially untrusted search path. When executing Ghidra from a given path, the Java process working directory is set to this path. Then, when launching the Python interpreter via the "Ghidra Codebrowser > Window > Python" option, Ghidra will try to ex...
CVE-2019-17665
PUBLISHED: 2019-10-16
NSA Ghidra before 9.0.2 is vulnerable to DLL hijacking because it loads jansi.dll from the current working directory.
CVE-2019-17435
PUBLISHED: 2019-10-16
A Local Privilege Escalation vulnerability exists in the GlobalProtect Agent for Windows 5.0.3 and earlier, and GlobalProtect Agent for Windows 4.1.12 and earlier, in which the auto-update feature can allow for modification of a GlobalProtect Agent MSI installer package on disk before installation.
CVE-2019-17436
PUBLISHED: 2019-10-16
A Local Privilege Escalation vulnerability exists in GlobalProtect Agent for Linux and Mac OS X version 5.0.4 and earlier and version 4.1.12 and earlier, that can allow non-root users to overwrite root files on the file system.