Sockstress

Back in good old 2008, a researcher at the security firm Outpost24, Jack C. Louis, found a crucial DoS vulnerability in the fundamentals of TCP/IP.
In fact, it turned out to be so powerful that all major operating systems appeared to be vulnerable.

"Sockstress is a program that is used to attack servers on the Internet and other networks utilizing TCP, including Windows, Mac, Linux, BSD and any router or other internet appliance that accepts TCP / BGP connections." - Wikipedia

...Pretty much all of the Internet was vulnerable.

A good friend of mine, Johan Edholm, attended the Sec-T conference in Stockholm.
He was listening to the Sockstress speech and later on informed me about it.

A few weeks later, I managed to pull off a PoC.

So here it is folks! The Internet should be pretty patched up by now (hopefully).

Download: sockstress.zip

My PoC does not pull off zero-window TCP connections; however, it should be rather easy for you to add.
I remember it wasn't needed for Windows Vista to BSoD. So have fun!

Even if your system won't lock up / freeze / reboot, it will still be a powerful DoS.

It's way more powerful than a regular SYN flood, because you can keep the connections alive in user-land.
For those of you who aren't informed, this picture should tell you the design of the attack:

...In other words, you spoof valid TCP connections.
Your target sees them as legitimate and holds them open.
You, on the other hand, discard them, or hold them in user-land for experimental purposes (like null windows).

Conclusion:

Sockstress DoS

My proof of concept is made up of 3 Perl scripts:

  • cannon.pl:
    Cannon is a regular TCP port scanner.
    Once it finds an open port, it executes silverstress.pl.
  • silverstress.pl:
    Silverstress launches (by default) 4 sockstress forks.
    Distributed evenly over the number of packets to send, source port(s) and TCP/SYN sequence.
  • sockstress.pl:
    Sockstress sniffs for incoming SYN/ACK packets, analyzes them, and sends back a valid bunch of ACK packets.
    Hence, establishing the connections.
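Seen from the target, the design described above leaves a very distinctive footprint: one peer address holding a pile of ESTAB connections to a single port, spread over many source ports, on which nothing is ever sent, and (in the zero-window variant) with the server's own data stuck unacknowledged in Send-Q. The script below is an added example for spotting exactly that in a connection table; it is not part of the PoC and not the author's code. It assumes `ss -tan`-style output (the sample is constructed, not captured from a real host), and the connection threshold is an illustrative assumption that you would tune to the service.

```python
"""Spot Sockstress-style connection hoarding in a TCP connection table.

Added example, not part of the original PoC. It parses `ss -tan`-style
text and flags peers that hold many established connections to one
local port, counting how many of those have data stuck in Send-Q (the
stalled-connection symptom a zero-window client produces).
"""
from collections import defaultdict

# Constructed sample shaped like `ss -tan` output; not captured from a real host.
SAMPLE_SS_OUTPUT = """\
State    Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN   0      128    0.0.0.0:80          0.0.0.0:*
ESTAB    0      0      10.0.0.5:80         198.51.100.23:51234
ESTAB    0      0      10.0.0.5:80         203.0.113.7:40001
ESTAB    0      2048   10.0.0.5:80         203.0.113.7:40002
ESTAB    0      2048   10.0.0.5:80         203.0.113.7:40003
ESTAB    0      2048   10.0.0.5:80         203.0.113.7:40004
ESTAB    0      0      10.0.0.5:80         203.0.113.7:40005
ESTAB    0      0      10.0.0.5:22         192.0.2.9:60000
SYN-RECV 0      0      10.0.0.5:80         192.0.2.44:33001
"""


def split_endpoint(endpoint):
    """Split 'addr:port' on the last colon so IPv6 literals survive."""
    addr, _, port = endpoint.rpartition(":")
    return addr, port


def parse_ss(text):
    """Parse `ss -tan`-style lines into dicts; the header line is skipped."""
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] == "State":
            continue
        state, recvq, sendq, local, peer = fields[:5]
        local_addr, local_port = split_endpoint(local)
        peer_addr, peer_port = split_endpoint(peer)
        conns.append({
            "state": state,
            "recv_q": int(recvq),
            "send_q": int(sendq),
            "local_addr": local_addr,
            "local_port": local_port,
            "peer_addr": peer_addr,
            "peer_port": peer_port,
        })
    return conns


def find_suspect_peers(conns, max_conns_per_peer=50):
    """Group ESTAB connections by (peer address, local port) and report the
    groups above the threshold (an illustrative default). 'stalled' counts
    connections with a non-empty Send-Q; 'source_ports' counts distinct peer
    ports, which is high when one host keeps connections open in user-land."""
    groups = defaultdict(lambda: {"established": 0, "stalled": 0, "ports": set()})
    for c in conns:
        if c["state"] != "ESTAB":
            continue
        g = groups[(c["peer_addr"], c["local_port"])]
        g["established"] += 1
        g["ports"].add(c["peer_port"])
        if c["send_q"] > 0:
            g["stalled"] += 1
    report = {}
    for key, g in groups.items():
        if g["established"] > max_conns_per_peer:
            report[key] = {
                "established": g["established"],
                "stalled": g["stalled"],
                "source_ports": len(g["ports"]),
            }
    return report


if __name__ == "__main__":
    # Low threshold so the constructed sample trips it; raise it in practice.
    hits = find_suspect_peers(parse_ss(SAMPLE_SS_OUTPUT), max_conns_per_peer=4)
    for (peer, port), info in hits.items():
        print(f"{peer} -> local port {port}: {info}")
```

On a real box you would feed it the output of `ss -tan` (or `netstat -tan`, same column order) and pair it with a per-source connection limit in the firewall, which is the mitigation that actually caps how much state one peer can pin down.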

In order to stop *NIX from sending back ACK/RSTs (it doesn't take kindly to arbitrary SYN/ACK packets),
you should run the following snippet:

iptables -A OUTPUT -p tcp --tcp-flags RST,ACK,SYN RST -j DROP

Basically, it just filters away the bad traffic.
That's it. Nothing fishy.

See it as an OSI layer 4 Slowloris!

I hope you enjoyed it.
Please tell me if you find any other nifty use of it (and don't complain too much about my Perl skills, at least it works)!

Cheers!

Hey, I'm Fredrik. I'm from Sweden, born 1990, and I have a huge interest in information technology and information security. So far, I've been studying for three years at the International IT College of Sweden and one year at the Royal Institute of Technology (Kista, Sweden). I'm one of the Co-Founders of Detectify. I'm working closely together with the Swedish firm Young & Skilled. ...Not to forget, I'm the previous founder of Arctic Security. If you wish to contact me, please email me at h@ackack.net or follow me on twitter @Almroot.

1 Comment

  1. Web Hacking 2011 (DoS) | Villacorp says:

    [...] http://h.ackack.net/sockstress.html Attacks an incredibly dangerous vulnerability reported in 2008. However, until [...]
