Attack Type: Sockstress Description: This attack was originally thought of by Jack Louis. Before he was able to present the attack at a convention (such as DefCon or Blackhat) he tragically died in a fire. This is a very ingenious attack. As you know, TCP has many methods of flow control that allow the connection to remain at a size both the client and server are comfortable with. One method of flow control is the altering of the “Window Size” of the packets. The Window Size signifies the maximum size packet that it can allow in response. A Window Size of 0 signifies that communication should cease until notified. So, an attacker initiates hundreds of connections to a client and sends them a packet with a window size of 0. The connection is held open in memory and waits. In fact, so many connections can be made that the RAM becomes full and the system will crash. It is not unheard of for this attack to cause irreparable damage to servers.
Mitigations: This attack is surprisingly easy to mitigate. However, almost no servers that I‟ve run into have have configured it. Basically, all you‟d have to do is drop TCP packets with a window size of 0. Also, mitigating this among other TCP attacks, you can drop packets from a source that initiates a certain number of connectiong within a certain amount of time (such as 10 connections in 10 seconds). The iptables command would be (Warning: Untested):
Code:
iptables -I INPUT -p tcp --dport 80 -m state --state NEW -m recent -set iptables -I INPUT -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 10 -- hitcount 10 -j DROP Also, port 443 if you‟re running SSL. iptables -I INPUT -p tcp -m u32 --u32 "6&0xFF=0x6 && 0>>22&0x3C@12&0xFFFF=0x0200" -j DROP
-H
Houga@entropy.cat
