
List:       isn
Subject:    [ISN] FRAGILE: Handle With Care
From:       InfoSec News <isn () c4i ! org>
Date:       2001-06-28 11:32:46

UNIX SECURITY --- June 28, 2001
Published by ITworld.com -- changing the way you view IT
___________________________________________________________________

Denial of Service
By Carole Fennelly

Steve Gibson, founder and president of Gibson Research Labs, has
ignited some controversy over his warnings that native raw socket
support in Windows XP could cripple the Internet by facilitating
Denial of Service (DoS) attacks (http://grc.com/dos/winxp.htm). Gibson
states that by natively supporting raw sockets -- already present in
Unix-based operating systems and, possibly, in modified Windows
systems -- "Nothing more than the whim of a 13-year old hacker is
required to knock any user, site, or server right off the Internet."

I think Gibson is overestimating the skill set required to DoS
someone.  My site recently fell victim to a form of Denial of Service
that required no technical skills whatsoever and kept our T1 down for
days.  The hackers? A bunch of vandals calling themselves "squirrels".
That's right, those cute little critters with the big fuzzy tails.

It seems that these little rogues are not content with acorns, but
also enjoy gnawing through the cable insulation and exposing the wires
inside to the elements. The local cable splicers quite
matter-of-factly acknowledged that the old wiring - intended for basic
phone service - really couldn't support modern data requirements. Many
areas have been updated to shielded cable, but post dot-com cutbacks
have resulted in limited budgets for upgrading something as boring as
cable. Offering a sexy new wireless service instead is much more
exciting.

I've heard dozens of stories about mundane glitches bringing down
corporate LANs or individual connections; most commonly, an ISP goes
out of business. Yet, we continue to build upon an infrastructure
founded in quicksand. It's amazing it works at all, really.

In spite of Microsoft's less-than-stellar security track record,
native support for raw sockets in Windows XP does not introduce a new
exposure. Windows libraries are publicly available to support raw
sockets today. For years, people have beaten Microsoft up because they
implemented standards selectively, or with extensions. In this case,
those same people are beating Microsoft up for finally following an
RFC.

DoS attacks do not require sophisticated skills, but they are a very
real threat. The addition of raw socket support to Windows XP could
possibly provide a wider base to launch such attacks, but trying to
halt DDoS by castrating the protocol is like trying to stop the tide
with a few sandbags. The infrastructure of the Internet needs to be
bolstered so attacks can be countered, or at least traced. How many
ISPs employ egress filtering to curtail spoofed addresses leaving
their network? Whatever happened with implementation of IPv6 - a
stronger protocol that would solve many of these problems? Sure, none
of these measures on their own is enough to stop DDoS, but it is a far
better use of time to develop a stronger, more stable infrastructure
than to restrict Microsoft from including support that is already
available in other platforms.

Like the wiring in my neighborhood, the Internet was never intended to
handle what is being demanded of it. Upgrading the infrastructure of
the Internet is like repairing the plumbing in your house:  messy,
expensive, and with nothing pretty to show for it. However, the
alternative is much worse. The answer is not to prevent attacks but to
fix an infrastructure that is so fragile a bunch of squirrels could
take it down.

About the author(s)
-------------------
Carole Fennelly is a partner in Wizard's Keys Corporation, a company 
specializing in computer security consulting. She has been a Unix 
system administrator for almost 20 years on various platforms, and 
provides security consultation to several financial institutions in the 
New York City area. She is also a regular columnist for Unix Insider
(http://www.unixinsider.com). Visit her site (http://www.wkeys.com/) or 
reach her at carole.fennelly@unixinsider.com.
________________________________________________________________________________

ADDITIONAL RESOURCES

Dave Dittrich's DDoS page (lots of good stuff here):
http://staff.washington.edu/dittrich/misc/ddos/

Have Script, Will Destroy (Lessons in DoS) by Brian Martin
http://www.attrition.org/~jericho/works/security/dos.html

Another router failure troubles US data link:
http://it.mycareer.com.au/breaking/2001/06/19/FFXDBL4K4OC.html 

When ISPs Pull the Plug
http://www.itworld.com/Man/3918/NWW010427pilotcrash/

Wall St. Woes hit IT:
http://www.itworld.com/Man/3918/CWD010416STO59602/

Good article on egress filtering by Brian McWilliams:
http://www.newsbytes.com/news/01/166814.html

Diary of an IPv6 Tester
http://www.nwfusion.com/reviews/2000/0925rev.html

Captus Networks offers a product that they claim will protect sites
from DoS and DDoS attacks:
http://www.captusnetworks.com/

Syncookies are another mechanism to limit resource starvation:
http://cr.yp.to/syncookies.html
________________________________________________________________________________
Copyright 2001 ITworld.com, Inc., All Rights Reserved.
http://www.itworld.com


ISN is hosted by SecurityFocus.com