DDOS Trends Changing – More Effective Attack Classes.

Posted · 1 Comment

I will be giving an interview today on how the industry has done a poor job of communicating the changes in Denial of Service (DOS) attacks. CERT-FI’s release of the “Sockstress” details yesterday has a few people confused. Outpost24 discovered some new TCP state abuse techniques which can cause a range of issues on a TCP stack (see CERT-FI’s release details). It is a serious issue. But if it is serious, why is there not a lot of attention on this attack vector?

The answer is simple. There is a lot of attention – TCP Connection Oriented State abuse is real. There is a real TCP state DOS threat. It is just not generally visible to the public.

In fact, the TCP Connection Oriented State attacks are more real than the general IT industry realizes. Why? Cyber-criminal market dynamics!

Go back to 2006. In those days, a cyber-criminal would plan an extortion attack: “Pay me big bucks by this date or I’m going to DOS you to oblivion.” To demonstrate that the threat was real, the cyber-criminal would provide a demonstration, whacking the victim with a TCP SYN flood which would overwhelm the site’s ability to respond via TCP (TCP table is full). The TCP flood would take up all the target’s bandwidth to the Internet. To achieve this, the cyber-criminal would need to put more bandwidth at the target than the bandwidth available to the target (i.e. throw 1 Gbps of attack traffic down a 155 Mbps link). This overload would trigger a second set of events. The “demonstration” would send far too many TCP SYNs, filling up the bandwidth to the victim, back-pressuring the Service Provider’s PE router, and creating collateral damage for the SP’s other customers. This collateral damage wakes up the sleeping giant: with an SP’s SLA getting violated, the SP is forced to act. Now the cyber-criminal is dealing with their “target” and the target’s SP. The SP can and will throw whatever resources are available to ensure that their SLAs to the whole range of customers do not get violated. The victim gets help (or gets offered a ‘clean pipes’ service). In the end, the cyber-criminal’s payoff of “big bucks” is disrupted, all because their TCP State attack threw too many packets at the target. What they needed was a better tool.

Fast forward to July 2009. A new botnet starts an attack on a range of US Government, commercial and Korean sites. The press goes wild with “North Korean cyber-warfare.” What is missed is that this attack is effective without choking up bandwidth. This July 2009 attack is typical of what is seen today: a crafted TCP Connection Oriented State attack which is not a SYN flood. The malware in the botnet is designed to use a variety of TCP techniques, some simple (open a TCP connection and tickle it to keep it alive) and some TCP-abusive (attacks highlighted by Outpost24, Phrack, and others). All these techniques are designed to fill up a target’s “state table.” This state table can be on a server (web, voice, application), a firewall, a load balancer, a reverse cache or any other device which terminates TCP state. The core principle of this sort of TCP State attack is to keep TCP connections open and alive. The more TCP connections you can keep open, the greater the chance you will fill up the TCP state table, allowing no new TCP connections into the system and completing the DOS attack. The advantage of this class of TCP State attacks is that you do not need a lot of bandwidth. TCP SYN floods FIFO (First In First Out) through the TCP state table, which is why they require a lot of packets. Connection oriented TCP state attacks just need to open the session and keep the session open, needing far fewer packets.

Far fewer packets means you are not flooding the target’s links to the Internet. Not flooding the links to the Internet means no collateral damage to the SP’s infrastructure or customers. The SP’s SLA is not violated; hence the SP is not motivated to jump into the middle of the attack. In essence, the cyber-criminal’s goal is complete. They can now threaten the target with “Pay me big bucks by this date or I’m going to DOS you to oblivion” without the big SP getting in the way of the “big bucks.”
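The two attack classes described above leave different footprints in the very state table they target: a SYN flood fills it with half-open entries that expire quickly and must be refreshed at a high packet rate, while a connection-hold attack fills it with completed connections that sit idle for a long time and come from comparatively few sources. The following is an added example (not code from the original post or from any product mentioned in it) that classifies a snapshot of a TCP state table on exactly that distinction, and computes the new-entry rate each class needs to keep a table of a given size full. The snapshot record format, the thresholds, the per-entry lifetimes and the sample snapshots are all constructed assumptions for the example; a real deployment would read its own device's session table instead.

```python
"""Classify a TCP connection-table snapshot as a SYN flood, a connection-hold
(state-table) attack, or normal load. Added illustration for this post; the
record format below is constructed for the example and is not the output of
any real tool (ss, netstat, a firewall's session table), so a real deployment
would replace parse_snapshot() with a reader for its own device's format.
"""
from collections import Counter
from typing import Dict, Iterable, List, NamedTuple, Tuple


class Conn(NamedTuple):
    remote_ip: str
    state: str       # "SYN_RECV" (half-open) or "ESTABLISHED"
    age_s: float     # seconds the entry has occupied the state table
    bytes_in: int    # application-layer bytes received from the peer


def parse_snapshot(text: str) -> List[Conn]:
    """Parse the constructed format: '<remote_ip> <state> <age_seconds> <bytes_in>' per line."""
    conns = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip, state, age, bytes_in = line.split()
        conns.append(Conn(ip, state, float(age), int(bytes_in)))
    return conns


def classify(conns: List[Conn], table_size: int,
             idle_after_s: float = 30.0, full_ratio: float = 0.8) -> Tuple[str, Dict]:
    """Return (verdict, evidence).

    SYN flood: the table is mostly half-open entries that never complete.
    Connection hold: the table is mostly completed connections that have sat
    idle (no application data) for longer than a real client would.
    Thresholds are illustrative assumptions, not tuned values.
    """
    if not conns:
        return "empty", {}
    n = len(conns)
    half_open = [c for c in conns if c.state == "SYN_RECV"]
    idle_est = [c for c in conns
                if c.state == "ESTABLISHED" and c.bytes_in == 0 and c.age_s >= idle_after_s]
    evidence = {
        "fill": n / table_size,
        "half_open_ratio": len(half_open) / n,
        "idle_established_ratio": len(idle_est) / n,
        # A held-open attack from few sources concentrates here; a SYN flood,
        # whose sources are usually spoofed, does not concentrate the same way.
        "top_idle_sources": Counter(c.remote_ip for c in idle_est).most_common(3),
    }
    if evidence["fill"] < full_ratio:
        return "normal", evidence
    if evidence["half_open_ratio"] >= 0.5:
        return "syn_flood", evidence
    if evidence["idle_established_ratio"] >= 0.5:
        return "connection_hold", evidence
    return "saturated_unclassified", evidence


def entries_per_second_to_stay_full(table_size: int, entry_lifetime_s: float) -> float:
    """Rate of new entries an attacker must sustain to keep a table of this size
    full when each entry is evicted after entry_lifetime_s (the FIFO-with-timeout
    behaviour the post describes). Long-lived entries need far fewer packets."""
    return table_size / entry_lifetime_s


def build_snapshot(entries: Iterable[Tuple[str, str, float, int]]) -> str:
    return "\n".join(f"{ip} {state} {age} {b}" for ip, state, age, b in entries)


# Constructed sample snapshots, each for a state table of 100 entries.
TABLE_SIZE = 100
NORMAL_SNAPSHOT = build_snapshot(
    (f"192.0.2.{i}", "ESTABLISHED", 5 * i, 1500 + 40 * i) for i in range(1, 21))
SYN_FLOOD_SNAPSHOT = build_snapshot(
    [(f"198.51.100.{i}", "SYN_RECV", 2, 0) for i in range(1, 91)]
    + [(f"192.0.2.{i}", "ESTABLISHED", 5 * i, 1500) for i in range(1, 11)])
CONNECTION_HOLD_SNAPSHOT = build_snapshot(
    [(f"203.0.113.{5 + i % 3}", "ESTABLISHED", 120 + i, 0) for i in range(85)]
    + [(f"192.0.2.{i}", "ESTABLISHED", 5 * i, 1500) for i in range(1, 16)])


def verdicts() -> Dict[str, str]:
    return {name: classify(parse_snapshot(snap), TABLE_SIZE)[0]
            for name, snap in [("normal", NORMAL_SNAPSHOT),
                               ("syn_flood", SYN_FLOOD_SNAPSHOT),
                               ("connection_hold", CONNECTION_HOLD_SNAPSHOT)]}


if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{name:16s} -> {verdict}")
    # Assumed lifetimes: ~60 s for a half-open entry before the stack gives up,
    # 3600 s for a completed connection kept alive by periodic keepalives.
    print("SYN flood entries/s :", entries_per_second_to_stay_full(100_000, 60))
    print("Held-open entries/s :", entries_per_second_to_stay_full(100_000, 3600))
```

The point of the evidence dictionary is that the two verdicts call for different responses: a SYN flood is a volumetric problem that the upstream provider will notice anyway, whereas a connection-hold verdict with a short `top_idle_sources` list is something the device owner has to detect and handle locally (idle timeouts, per-source connection limits) because, as the post says, nobody upstream sees it.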

The obvious next question is “if this is so easy, why isn’t it happening more often?” We’ll get to that in the next article. There are a range of factors, some economic, some technological, and some based on the dialectic with the community, which keep widespread extortion, retribution, and vindictive TCP Connection Oriented State attacks from being more widely used.

For now, anyone who is really interested in this topic should download and read Security Assessment of the Transmission Control Protocol (TCP) by Fernando Gont, sponsored by the UK CPNI (Centre for the Protection of National Infrastructure): http://www.cpni.gov.uk/Products/technicalnotes/Feb-09-security-assessment-TCP.aspx

  • http://www.IntelliGuardit.net IntelliGuard

    There does appear to be an increase in smarter connection-based attacks which firewalls, IPSs and DDoS defense appliances do not appear to be able to defend against. The reason that first-generation DDoS defense appliances fail is because they rely primarily on signature-based methodologies which look for bad traffic. The new attacks don’t look like bad traffic and so signatures and “fingerprints” are useless for stopping them. But it is quite easy to stop them with the appropriate defense product.