Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 25 Jan 2000 15:15:16 -0600
From:      Tim Yardley <yardley@uiuc.edu>
To:        freebsd-security@FreeBSD.ORG
Subject:   Fwd: multicasts from hell
Message-ID:  <4.2.0.58.20000125151430.01234f10@students.uiuc.edu>

next in thread | raw e-mail | index | archive | help
Thought this might interest some of you... since all the multicast talk is 
going on.

/tmy

>Approved-By: aleph1@SECURITYFOCUS.COM
>Delivered-To: bugtraq@lists.securityfocus.com
>Delivered-To: bugtraq@securityfocus.com
>X-Sender: yardley@students.uiuc.edu
>X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58
>Date:         Tue, 25 Jan 2000 09:39:47 -0600
>Reply-To: Tim Yardley <yardley@UIUC.EDU>
>Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
>From: Tim Yardley <yardley@UIUC.EDU>
>Subject:      multicasts from hell
>X-To:         bugtraq@securityfocus.com
>To: BUGTRAQ@SECURITYFOCUS.COM
>
>a new look... multicasts from hell.. courtesy of spank.c
>by Tim Yardley [yardley@uiuc.edu -- lst @ efnet]
>
>---------------------------------------------------
>:: temp remedy (exec summary)
>---------------------------------------------------
>
>If you use ipfilter... This *MAY* help you... but the issue is quite a bit
>different than the previous issue.
>
>-- start rule set --
>block in quick proto tcp from any to any head 100
>block in quick proto tcp from 224.0.0.0/28 to any group 100
>pass in quick proto tcp from any to any flags S keep state group 100
>pass out proto tcp from any to any flags S keep state
>pass in all
>-- end rule set --
>
>optionally, a rule like the following could be inserted to handle outgoing
>packets (if they send from the firewall somehow) but you have bigger
>problems than the attack if that is the case.
>
>-- start additional rule --
>block out proto tcp from any to 224.0.0.0/28
>-- end additional rule --
>
>That will help you "stop" the attack (actually it will just help minimize
>the affects), although it will still use some CPU though
>
>Note: If you use IPFW, there is no immediate way to solve this problem due
>to the fact that it is a stateless firewall and you are dealing with
>packets that are being forged with invalid (or possibly even valid
>flags).  You can however use IPFW or any other firewall to block out
>packets from multicasts.  If you are getting attacked, then temporarily use
>ipfilter (or any other state based firewall) to slow the affects, ie keep
>track of the states.  Otherwise, wait for vendor patches or read more about
>the explanation for other possible workarounds.
>
>-- ipfw rule for multicasts (with cars for the command and interface --
>change accordingly) ---
>$fwcmd add deny all from 224.0.0.0/28 to any via ${oif}
>-- end ipfw rule --
>
>FreeBSD "unofficial patch" by Don Lewis:
>http://solid.ncsa.uiuc.edu/~liquid/patch/don_lewis_tcp.diff
>
>------------------------------------------------
>:: explanation of spank.c attack
>------------------------------------------------
>
>NOTE: For this attack to work, you must have multicast enabled on the
>network that you are attacking from, otherwise the packets should just get
>dropped.  The adverse affect of this, is that it seems to destroy the local
>net, and the affect on the remote net is unknown (since the localnet dies
>too quickly).  This could become a problem with distributed DoS systems
>because if a host on your internal net is compromised, then they can bring
>your entire internal net down to a screaching halt.
>
>This is a tad different than the previous release.  Stream/Raped mearly
>flooded the host with ack's (or no flags) and came from random ips with
>random sequence numbers and/or ack numbers.  The difference now is that
>this not only does the previous stuff, but also directly attacks from and
>to multicast addresses as well. There are also options to randomize the
>attack more. Just as before, rate limiting should be done to counteract its
>effect (the same idea as ICMP_BANDLIM).. and also the multicast handling in
>the stack should be checked to verify that it is behaving properly.
>
>The attacker specifies the port[s] that they want to send the attack to,
>depending on what ports are selected, you will have different net
>results.  If the port is an open port, then you will possibly have a longer
>kernel path to follow before the drop.  Therefore, a smart attacker will
>hit open ports, but havoc can also come about from random ports due to
>states and processing.
>
>In the best case scenario, you will experience only the lag of the flood
>and the lag of the processing (currently) and then be fine when the
>attacker stops,  In the worst case, you lockup, kill the network, and
>possibly have to reboot.  Once you patch it, you deal with a lot less
>processing time (the drops are handled without the RST flag when
>appropriate -- bandlim type idea).  In other words, you go to the drop
>routine instead of dropwithrst silencing your response, which decreases
>your processing time, the hit on your network, and the effect of the flood
>(once a threshold is reached, all those bad packets are silently dropped
>and the attack has less of a net effect).  There are issues with not
>producing RST's since they were put into the specs for a reason, so blindly
>dropping all RST's is not a good plan.
>
>The filters that were presented at the beginning of this email will block
>all multicast packets that come in (and possibly out) of the tcp stack.  I
>have been getting mailed a lot about the previous attack.  It should be
>noted that receiving a packet with no flags is considered an illegal packet
>(obviously) and is often dumped, however, as we have seen in the past..
>illegal packets often wreak havoc and often go untested.  Hence the
>reasoning behind the '-r' flag of this.
>
>There is very little that "raped.c" or "stream.c" actually showed as
>problems in the TCP/IP stacks.  The true problem lies more in the effects
>of the response (caused by the attack).  This is the same concept as the
>SYN floods of yesteryear, and the same type of thing will be done to handle
>it.  The main difference is that it will be on a simpler note because there
>isn't much need for a "cookie" based system.  One should just throttle the
>response of the reset packets which in turn will help stop the storm that
>you generate and in general, harden the tcp/ip stack to behave the way it
>is supposed to in adverse conditions.
>
>The main effect of this attack is that you are shooting back RST+ACK's at
>all the spoofed hosts.  In the case of the new attacks, this happens to
>mean that you are directing them at multicast addresses.  Obviously, a lot
>of these hosts will not exist and you will get ICMP unreaches (as an
>example) bounced back at you.  There are other possibilities as well, but
>unreach would be the most common (redirects might be common as well
>although i did not spend the time to analyze that).  The ones that don't
>respond back may send you some packets back as well (depending on if the
>port was valid or not and what their firewall rules are).  This type of
>attack is complicated by the multicasts, and the effect is amplified as
>well.  All in all, it becomes very nasty very quick.  Basically, this
>causes a nice little storm of packets, in the ideal case.
>
>Note that I said ideal case in the previous paragraph.  This is not always
>the observed behavior.  It all depends on what is on the subnet, what type
>of packets are recieved, what rules and filters you have setup, and even
>the duration of the flood.  It has been pointed out several times that the
>machine will go back to normal once the attack is stopped, which is exactly
>why something like ICMP_BANDLIM will work.
>
>I have also been asked a lot about what this "bug" affects.  I have seen it
>have effects on *BSD, Linux, Solaris, and Win* as far as OS's go (due to
>the previous stuff).  The new multicast code seems to affect the local lan
>(routers, gateways, and switches) more so than it affects anything else but
>due to how it works (when it works), it is somewhat difficult to
>test.  Therefore, no blame is being directly placed on any specific
>platform or architecture.  Entire subnets have "disappeared" briefly after
>the attack and have required route purgings to correct the issue.  The
>multicast attack seems to be more deadly to the network than the previous
>attack and its affects get amplified and even carried over to the rest of
>the network (bypassing secluded network bounds).  I don't have more
>specifics on the systems affected because of the difficulty in testing it
>(and keeping the network up) since I do not have local access to the
>networks that I tested on, and remote access gets real ugly real
>fast.  Everyone elses mileage may vary... but I have seen results under 2
>different types of configurations.
>
>Another possibility that has been suggested as to why some machines die is
>that the machine's route table is being blown up by the spoofed
>packets.  Each spoofed packet has a different source address which means
>that a temporary route table entry is being created for each one.  These
>entries take time to timeout.  Use 'vmstat -m' and check the 'routetbl'
>field while the attack is going on.
>
>Route table entries can be controlled somewhat under freebsd with:
>
>[root@solid]::[~] sysctl -a | fgrep .rt
>net.inet.ip.rtexpire: 3600
>net.inet.ip.rtminexpire: 10
>net.inet.ip.rtmaxcache: 128
>
>You can do the following, to help if the route table is at least part of
>the problem:
>
>sysctl -w net.inet.ip.rtexpire=2
>sysctl -w net.inet.ip.rtminexpire=2
>
>Things that will help:
>
>1 -- drop all multicast packets (ingress and egress) that are addressed to
>the tcp stack because multicasts are not valid for tcp
>2 -- extend bandwidth limiting to include RST's, ACK's and anything else
>that you feel could affect the stability of the machine.
>3 -- dont look for listening sockets if the packet is not a syn
>
>I hope that this helps, or explains a little more at least.
>
>-----------------------
>:: conclusion
>-----------------------
>
>This bug was found in testing.  It seems a bit more lethal than the
>previous and should be addressed as such.  Patches should be available now,
>but I do not follow all the platforms.
>
>--------------------
>:: references
>--------------------
>
>This was done independantly, although some of the analysis and reverse
>engineering of concept was done by other people.  As a result, I would like
>to give credit where credit is due.  The following people contributed in
>some way or another:
>
>Brett Glass <brett@lariat.org>
>Alfred Perlstein <bright@wintelcom.net>
>Warner Losh <imp@village.org>
>Darren Reed <avalon@coombs.anu.edu.au>
>Don Lewis <Don.Lewis@tsc.tdk.com>
>
>Also, I would like to send shouts out to w00w00 (http://www.w00w00.org/)
>
>-------------------
>:: attached
>-------------------
>These programs are for the sake of full disclosure, don't abuse
>them.  Spank was written with libnet, so you will need to obtain that as well.
>
>for an "unofficial" patch:
>http://solid.ncsa.uiuc.edu/~liquid/patch/don_lewis_tcp.diff
>
>for spank.c:
>http://solid.ncsa.uiuc.edu/~liquid/code/spank.c
>
>NOTE: These are just temp locations.  They will not be there forever and I
>reserve the right to remove them at anytime.
>
>/tmy
>
>
>-- Diving into infinity my consciousness expands in inverse
>    proportion to my distance from singularity
>
>+--------  -------  ------  -----  ---- --- -- ------ --------+
>|  Tim Yardley (yardley@uiuc.edu)
>|  http://www.students.uiuc.edu/~yardley/
>+--------  -------  ------  -----  ---- --- -- ------ --------+


-- Diving into infinity my consciousness expands in inverse
    proportion to my distance from singularity

+--------  -------  ------  -----  ---- --- -- ------ --------+
|  Tim Yardley (yardley@uiuc.edu)	
|  http://www.students.uiuc.edu/~yardley/
+--------  -------  ------  -----  ---- --- -- ------ --------+




To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4.2.0.58.20000125151430.01234f10>