A serious TCP/IP vulnerability known as "Sockstress" has been found, exploited, and disclosed by a security group called Outpost24. This latest vulnerability not only has severe implications for many webmasters, designers and programmers, but also affects routers and any system with a TCP stack exposed to the outside world. After the recent DNS cache-poisoning vulnerability, webmasters seem on edge about how insecure the very foundations of the internet are (mainly because they were created before security was even a consideration).

Sockstress is the name of the tool created by Outpost24, which they are still testing before releasing it. They have, however, walked through how the attack could be achieved in some detail. Some security experts have expressed concern over how they handled the release of the information.

The Sockstress attack is limited to the TCP stack, but it combines several techniques to let a very low-bandwidth attacker deplete the target's local resources (memory, swap space and even kernel memory). Just a few packets per second and a little time are needed to take down a server: as few as nine packets and a few minutes are suggested to be enough! The lack of timeouts in the TCP stack, and more specifically in how the kernel handles connections that have already completed the handshake, seems to be the deciding factor. A "badly designed TCP stack" is referred to: once the three-way handshake (SYN, SYN-ACK, and the final ACK, which the attacker can produce from a client-side SYN cookie rather than from stored state) has completed, the server's resources can be exhausted!

"The worst thing we ever had happen was, we had Windows reboot and say 'Operating system not found'."

In theory, the SYN cookie validation process could be cycled: the attacker sends a SYN, the server replies with a SYN-ACK for verification, the attacker acknowledges it, and then a "no buffer space" response (a zero receive window) is sent from the attacker's end. This forces the target to keep resources allocated to the attacker's connection, with severe consequences. Please bear in mind that this is not a SYN flood attack!
The magic happens after the SYN-ACK. This can result in a denial of service (DoS) for TCP servers (WWW, FTP, SMTP, POP, etc.) running on Windows, Linux, BSD, certain routers, and other Internet applications and protocols!

An excerpt from Outpost24's website claims:

You can read more about the Sockstress talks here: T2 Schedule or T2's 08 Conference.

GetAFreelancer has a project asking for the tool's creation. How long until someone makes it public?

You can listen to a podcast about the Sockstress vulnerability in several formats, listed below. The wonderful guys at GRC (proud TWiT army addict myself) have hosted the interview, just in case the original goes down. Thanks Steve!

[ 44 min, 10 sec - 128 kbps - 41.1 MB ] http://debeveiligingsupdate.nl/audio/bevupd_0003.mp3
[ 44 min, 10 sec - 16 kbps - 5.3 MB ] http://media.grc.com/mp3/Whole_SockStress_Mono_16kbps.mp3
[ 38 min, 59 sec - 64 kbps - 18.7 MB ] http://media.grc.com/mp3/Trimmed_SockStress_Mono_64kbps.mp3
[ 38 min, 59 sec - 16 kbps - 4.7 MB ] http://media.grc.com/mp3/Trimmed_SockStress_Mono_16kbps.mp3

A full transcript is available from CurbRisk.com: Outpost24's TCP Denial Of Service vulnerability interview transcript.

At the time of posting, there is no known workaround or fix for this issue. The authors seem to be white hats who want to help vendors resolve the issues but, like the rest of us, know the internet has a long way to go before being secure. Sockstress has now also been assigned a CVE entry in the NIST vulnerability database. The list of affected platforms is staggering!

It is widely accepted that "the community" prefers to find workarounds for the flawed foundations of the internet and its protocols. But would it not be better if, knowing as much about security as we do now, the internet were rewritten from the ground up? Yes, it is impossible. But I think it would be the only way to make serious, major exploits like this and the recent DNS poisoning exploits avoidable.

[ Original article from my Tech Blog ]
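The two mechanics described at the top of this post, modelled in plain Python as an added example: an attacker finishing handshakes statelessly by deriving each initial sequence number from a client-side SYN cookie, and a server connection table that holds resources for every completed-but-idle (zero-window) connection. This is not Outpost24's Sockstress tool and not code from the original post; it sends no packets. The secret key, IP addresses, table capacity, attack rate, per-source cap and idle timeout are constructed values, and the per-source cap plus idle timeout is an assumed mitigation for the sake of contrast, not something the post or Outpost24 recommends.

```python
"""Sockstress mechanics as a model: client-side SYN cookies and an idle-connection table.

Added example (not Outpost24's tool, not from the original post). No packets are sent;
all addresses, ports, limits and timings are constructed values.
"""
import hashlib
import hmac
import ipaddress
import struct
from typing import Dict, Optional, Tuple


def syn_cookie_isn(secret: bytes, src_ip: str, src_port: int,
                   dst_ip: str, dst_port: int) -> int:
    """32-bit initial sequence number = first 4 bytes of HMAC-SHA256(secret, 4-tuple).

    Because the ISN is a keyed hash of the connection tuple, the sender keeps no
    per-connection state; any later SYN-ACK can be checked by recomputing the hash.
    """
    msg = (ipaddress.ip_address(src_ip).packed + struct.pack("!H", src_port)
           + ipaddress.ip_address(dst_ip).packed + struct.pack("!H", dst_port))
    return struct.unpack("!I", hmac.new(secret, msg, hashlib.sha256).digest()[:4])[0]


def synack_is_ours(secret: bytes, src_ip: str, src_port: int,
                   dst_ip: str, dst_port: int, ack_number: int) -> bool:
    """A SYN-ACK answers one of our SYNs iff its ACK number equals our ISN + 1."""
    expected = (syn_cookie_isn(secret, src_ip, src_port, dst_ip, dst_port) + 1) & 0xFFFFFFFF
    return ack_number == expected


class ServerTable:
    """Toy model of a server's established-connection table.

    Every accepted connection holds resources until the peer closes it. A peer that
    completes the handshake and then goes idle (zero window, no data) never does, so
    a stack with no per-source cap and no idle timeout eventually fills up.
    """

    def __init__(self, capacity: int, per_source_limit: Optional[int] = None,
                 idle_timeout: Optional[float] = None):
        self.capacity = capacity
        self.per_source_limit = per_source_limit      # assumed mitigation
        self.idle_timeout = idle_timeout              # assumed mitigation
        self.conns: Dict[Tuple[str, int], float] = {}  # (src_ip, src_port) -> last activity
        self.refused = 0

    def count_from(self, src_ip: str) -> int:
        return sum(1 for ip, _ in self.conns if ip == src_ip)

    def accept(self, src_ip: str, src_port: int, now: float) -> bool:
        """Admit a freshly completed handshake, or refuse it if a limit is hit."""
        if self.per_source_limit is not None and self.count_from(src_ip) >= self.per_source_limit:
            self.refused += 1
            return False
        if len(self.conns) >= self.capacity:
            self.refused += 1
            return False
        self.conns[(src_ip, src_port)] = now
        return True

    def reap_idle(self, now: float) -> int:
        """Drop connections idle for at least idle_timeout seconds (no-op if unset)."""
        if self.idle_timeout is None:
            return 0
        dead = [k for k, last in self.conns.items() if now - last >= self.idle_timeout]
        for k in dead:
            del self.conns[k]
        return len(dead)

    def is_full(self) -> bool:
        return len(self.conns) >= self.capacity


def simulate(table: ServerTable, attacker_ip: str, seconds: int, rate_per_second: int) -> int:
    """Attacker opens rate_per_second idle connections every second; returns peak table size.

    Source ports simply increment (model only; a real client would reuse ports).
    """
    peak = 0
    port = 1024
    for t in range(seconds):
        table.reap_idle(float(t))
        for _ in range(rate_per_second):
            table.accept(attacker_ip, port, float(t))
            port += 1
        peak = max(peak, len(table.conns))
    return peak


if __name__ == "__main__":
    key = b"constructed-secret"
    isn = syn_cookie_isn(key, "198.51.100.7", 40000, "203.0.113.10", 80)
    print("SYN-ACK recognised without state:",
          synack_is_ours(key, "198.51.100.7", 40000, "203.0.113.10", 80, (isn + 1) & 0xFFFFFFFF))
    bare = ServerTable(capacity=1000)
    print("unprotected peak:", simulate(bare, "198.51.100.7", 300, 10), "full:", bare.is_full())
    hard = ServerTable(capacity=1000, per_source_limit=50, idle_timeout=30.0)
    print("hardened peak:", simulate(hard, "198.51.100.7", 300, 10), "full:", hard.is_full())
```

Ten idle connections per second from one address fill the unprotected 1000-slot table in under two minutes and a legitimate client is then refused, while the capped-and-reaped table never exceeds the per-source limit. Real stacks differ in what a "slot" costs and in how persist-state connections are timed out, which is exactly the stack-specific behaviour the post says decides the outcome.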