DOS Trends Are Changing – More Effective Attack Classes.

Posted on

Yes, DOS trends are changing.  CERT-FI‘s release of the “Sockstress” details yesterday has a few people confused.  Outpost24 discovered some new TCP state abuse technique which can cause a range of issue on a TCP stack (see CERT-FI’s release details). It is a serious issue. But, if it is serious, why is there not a lot of attention on this attack vector?

The perception that nothing has been done is incorrect.  CERT Teams and industry leaders who know about TCP overload attack vectors have been paying attention. TCP Connection Oriented State abuse is real. There is a real TCP state DOS threat. It is just not generally visible to the public. The vector has been known as TCP saturation attacks, TCP State Overload Attacks, and TCP RST attacks.  

The reality is that TCP Connection Oriented  State attacks more real than the general IT industry realizes. Why? Cyber-Criminal Market Dynamics!

Go back to 2006. In those days, a cyber-criminal would plan an extortion attack. “Pay me big buck by this date or I’m going to DOS you to oblivion.” To demonstrate the threat is real, the cyber-criminal would provide a demonstration, whacking the victim with a TCP SYN flood which would overwhelm the site’s ability to respond via TCP (TCP table s full). The TCP flood would take up all the target’s bandwidth to the Internet. To achieve this, the cyber-criminal would need to put more bandwidth at the target then the bandwidth available to the target (i.e. throw 1 Gbps of attack traffic down a 155 Mbps link). This overload would trigger a second set of events. The “demonstration” would send way too many TCP SYNs, filling up the bandwidth to the victim, back pressuring on the Service Provider’s PE router, and creating collateral damage on the SP’s other customers. This collateral damage wakes up the sleeping giant – with an SP’s SLA getting violated and forcing them to act. Now the cyber-criminal is dealing with their “target” and the target’s SP. The SP can and will throw want every resource available to ensure their SLAs to the range of the customers do not get violated. The victim gets help (or gets offered a ‘clean pipes’ service). In the end, the cybercriminals pay off of “big bucks” is disrupted. All because their TCP State attack threw to many packets at the target. What they need was a better tool.

Fast forward to July 2009. A new BOTnet starts an attack on a range of US Government, commercial and Korean sites. The press goes wild with “North Korean cyber-warfare.” What is missed is that this attack is effective and not choking up bandwidth. This July 2009 attack is typical of what is seen today – a crafted TCP Connection Oriented State attack which is not an SYN flood. The malware in the BOTNET is designed to use a variety of TCP techniques – some simple (open a TCP connection and tickle it to keep it alive) and TCP abusive (attacks highlighted by Outpost24, Phrack, and others). All these techniques are designed to fill up a target’s “state table.” This state table can be a server (web, voice, application), a firewall, a load balancer, a reverse cache or any other device which terminates TCP State. The core principle of these sort of TCP State attack is to keep TCP connections open and alive. The more TCP connections you can keep open, greater the chance you will fill up the TCP state table – allowing no new TCP connection into the system – completing the DOS attack. The advantage with this class of TCP State attacks is that you do not need a lot of bandwidth. TCP SYN floods FIFO (First In First Out) the TCP state table, which is why it requires a lot of packets. Connection-oriented TCP state attacks just need to open the session and keep the session open, needing far fewer packets.

Far fewer packets mean you are not flooding the target’s links to the Internet. Not flooding the links to the Internet means no collateral damage to the SP’s infrastructure or customers. The SP’s SLA is not violated, hence, the SP is not motivated to jump into the middle of the attack.  In essence, the cybercriminal’s goal is complete. They can now threaten the target with “Pay me big buck by this date or I’m going to DOS you to oblivion” without the big SP getting into the way of the “big bucks.”

The obvious next question is “if this is so easy, why isn’t it happening more often?” We’ll get to that in the next article. There is a range of factors – some economic, some technology, and some based on the dialectic with the community which mitigates widespread extortion, retribution, and vindictive TCP Connection Oriented  State Attacks from being more widely used.

For now, anyone who is really interested in this topic should download and read Security Assessment of the Transmission Control Protocol (TCP) by Fernando Gont and sponsored by the UK CPNI (Centre for the Protection of National Infrastructure). http://www.cpni.gov.uk/Products/technicalnotes/Feb-09-security-assessment-TCP.aspx

Need Security Advice?

If you find your organization needs help and worry about the FUD from the industry, reach out and ask for help. You can reach me at bgreene@senki.org. Start with the Operator’s Security Toolkit. It is the no-nonsense security for all Operators. It provides details to help them build more security resilient networks. In the meantime, stay connected to the Senki Community to get updates on new empowerment and security insights.