From owner-freebsd-security Mon Dec 4 16:28:36 2000 From owner-freebsd-security@FreeBSD.ORG Mon Dec 4 16:28:17 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from secure.smtp.email.msn.com (cpimssmtpu07.email.msn.com [207.46.181.28]) by hub.freebsd.org (Postfix) with ESMTP id 0DFBE37B400 for ; Mon, 4 Dec 2000 16:28:17 -0800 (PST) Received: from x86nts4 - 216.103.48.12 by email.msn.com with Microsoft SMTPSVC; Mon, 4 Dec 2000 16:28:14 -0800 Message-ID: <00dd01c05e53$39c719e0$fd01a8c0@pacbell.net> From: "John Howie" To: Subject: Fw: NAPTHA Advisory Updated - BindView RAZOR Date: Mon, 4 Dec 2000 16:35:10 -0800 X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4522.1800 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Folks, Take note of how FreeBSD failed... john... ----- Original Message ----- From: "Steve Manzuik" To: Sent: Monday, December 04, 2000 3:09 PM Subject: NAPTHA Advisory Updated - BindView RAZOR > The NAPTHA DoS vulnerabilities > > Issue Date: November 30, 2000 > Contact: Robert Keyes > > Topic: > > Network DoS vulnerabilities > > Overview: > > A class of network DoS vulnerabilities has been discovered, and the name > NAPTHA is being used to describe them as a group. The NAPTHA > vulnerabilities are weaknesses in the way that TCP/IP stacks and network > applications handle the state of a TCP connection. > > Affected Systems: > > The Naptha DoS vulnerabilities "Tested Products" > > Impact: > > By creating a suitably large number of TCP connections and leaving them in > certain states, individual applications or the operating system itself can > be starved of resources to the point of failure. In the past, attacks that > would exploit TCP connections in this manner have not been implemented > because they would typically exhaust the resources of the attacker as > well. The innovation provided by the Naptha attack is that it is possible > to easily create a DoS on the target with little resource consumption on > the part of the attacker. > > Background: > > DoS > A denial of service attack is a purposeful action to significantly degrade > the quality and/or availability of services a system offers. > > DoS->RS > Resource Starvation is a type of denial of service attack. Here is where > we need to define the difference between an attack and a notable > vulnerability. With sufficient network resources available to the > attacker, any system is vulnerable to DoS->RS. > > What makes a method of DoS->RS notable is that it consumes far more > resources of the victim than resources of the attacker. A great differen ce > in resource levels indicate a vulnerability in the victim's system. The > software designed to expose this vulnerability can be called a DoS->RS > exploit. > > DoS->RS->TCP_STATE > The kernel keeps a record for every TCP connection. A large number of > connections, regardless of activity, require more memory and CPU time. It > is theoretically possible for a user on a machine with a large amount of > RAM, a fast processor, and a well-tuned operating system to overwhelm a > lesser system solely by using such standard programs as TELNET, however > the amount of resources consumed on the attacking system is large enough > so that this is not considered a serious vulnerability. > > An attack program utilizing a network API such as Berkeley Sockets is more > efficient and therefore more dangerous, but is not usually efficient > enough expose a dangerous vulnerability on the victim's system. > > Details: > > Naptha is a demonstration of an efficient DoS->RS->TCP_STATE exploit. It > is efficient because it does not use a traditional network API to set up a > TCP connection. Unlike a real TCP/IP stack, it does not keep any record of > connection state. It responds to a packet sent to it based on the flags in > that packet alone. When operated in a manner that will produce many > hundreds or thousands of connection records on the victim, it consumes > very little of the attacker's resources in comparison to the resources it > uses up on the victim's system. In this way, it can expose vulnerabilities > of a particular service, or the TCP/IP stack itself, on the victim's > system. > > Below are a few examples of the many possible Naptha weaknesses: > > - Novell's Netware 5.0 with sp1 installed locked up after 3000 > open connections on port 524. All 64MB of the system's RAM > became utilized and the CPU utilization as well maxed out at > 100%. The server still had not timed out connections and > recovered memory after 12 hours being left idle. > > - FreeBSD 4.0-REL became unusable after 495 connections to the > ssh port. Each connection started an instance of the daemon > which quickly exhausted available file handles; the system > reports "too many open files in system". After approximately 30 > minutes the connections start timing out and the system becomes > usable again. > > - Windows 2000 seems to be invulnerable. > > See the complete list of tested products at the end of this document. > > > The Workings of Naptha > ---------------------- > > The objective of this section is to describe the basic structure of > the Naptha attack so that researchers can verify our claim that such an > attack is possible and should be considered with all due seriousness. > > While there has been some previous work in this area, no one has > published or demonstrated a tool that can leave connections in any of > the various TCP states on the victim machine (ESTABLISHED and FIN-WAIT-1, > etc.) or that has a multi-component architecture (allowing one to hide > part of the attack on different hosts). > > Naptha gains much of its effectiveness through the fact that the attack > can be made in a distributed manner. > > The first part sends out a sequence of SYN packets from all possible > ports of a forged IP address to the victim. Depending on the requirements > of > the individual attack scenario, multiple copies of this program on the > same host could be used to attack different hosts, or multiple hosts could > attack a single victim. This sounds like a SYN flood, but there's more to > it. > > The second half runs on a LAN where the forged IP address would be, if it > were a real host. The program first makes sure that the router has an > entry > for this phantom host in its ARP table. Next, it listens in promiscuous > mode for a packet from the victim to the phantom host. The program > responds > with a packet with the appropriate flags and sequence numbers. Typically, > it listens for SYN/ACK packets and sends ACK. It could also set the FIN > flag and leave the connection in FIN-WAIT-1. To keep connections alive > longer, it can listen for 'regular' data packets or 'keep alive' packets > and send ACK in reply. Multiple victims could be targeted by a single > instance of this program. > > This 'phantom' nature makes it hard to track down and eliminate. > > In order to be successfully asymmetrical in its consumption of > resources, such an attack program must not set up any TCBs (Transmission > Control Blocks) in the kernel of the attacking machine. This helps to > ensure that the attacker's activities will not be directly constrained > by the client-side kernel limitations. It is also important that the > number of processes needed on the client side not grow with the number of > TCP > connections. Naptha does this by completely avoiding use of the OS's > TCP/IP stack, and instead crafts its own raw packets. In fact, in a high > rate Naptha attack, the network's bandwidth would typically be the > constraint rather than the attacking host's resources. > > Naptha also has connection rate limiting capabilities. In one variation of > the attack, connections are established at a high rate and the victim is > left with thousands of ports open, and all resources are consumed before > the connections time out. In another scenario, connections are > established at a slow rate to avoid SYN flood protections. > > The number of connections and the rate of establishment necessary to > create a DoS is dependant on a number of factors. Different operating > systems have different thresholds of connection numbers, file numbers, > process memory, etc. The application running on that port may also have > its own levels of resource control. Some applications spawn a new process > for each connection. The speed of the CPU and amount of memory in a system > also affects its resistance to a Naptha attack. Lastly, the network > itself plays its part. > > In conclusion, the Naptha attack shows how serious a resource starvation > attack can be. There is no single, clear, obvious fix for this problem > but a number of promising ideas. > > Recommendations: > > Unfortunately, most vendors are vulnerable to Naptha attacks, and until > some vendor patches come out, there is very little that can be done > outside of normal security practices. We do have a few recommendations: > > 1. Limit the amount of services running on any system you > suspect that might become victim to a Naptha attack, especially > public systems. > > 2. Limit access as to who can connect to exposed TCP ports on a > system via firewalling techniques. On public systems this may be > impractical, but it should be limited just the same if possible. > > 3. Ensure that all border equipment, such as routers and > firewalls, is properly configured and you are doing both ingress > and egress filtering. (See RFC 2267) > > 4. On Unix systems, use inetd or possibly Dan Bernstein's > tcpserver (http://cr.yp.to/ucspi-tcp.html) to limit spawned > daemon processes. While this will not prevent that particular > daemon's resources from being over utilized, it is possible to > prevent daemons from crashing the server. This may allow the > server to recover. > > 5. On systems that have adjustments for various TCP timeouts and > keepalives, these can be adjusted to potentially allow for > quicker recovery (assuming that the Naptha attack did not crash > the system). For example, the TCP keepalive settings on Linux > 2.2 kernels might help recovery time: > > # cat /proc/sys/net/ipv4/tcp_keepalive_time > 7200 > # cat /proc/sys/net/ipv4/tcp_keepalive_probes > 9 > # cat /proc/sys/net/ipv4/tcp_max_ka_probes > 5 > # echo 30 > /proc/sys/net/ipv4/tcp_keepalive_time > # echo 2 > /proc/sys/net/ipv4/tcp_keepalive_probes > # echo 100 > /proc/sys/net/ipv4/tcp_max_ka_probes > > In the above example the keepalive time is adjusted from 2 hours > to 30 seconds, and the number of keepalive probes is adjusted > from 9 to 2. It also adjusts the maximum number of probes sent > out to be 100 instead of just 5. These are suggested values -- > real world adjusts will almost certainly be required. > > 6. The programs written to demonstrate the attack have been > released only to the security contacts at OS vendors, through > CERT. The code will not be released to the public. However, the > information below will serve as a 'fingerprint' for IDS to > detect the demonstration code. Please note that the code itself > could be easily modified to change the fingerprint, so this is > NOT a failsafe method of detecting a Naptha attack. > > IP: > TOS = Low Delay > ID = 413 > TCP: > FLAGS = SYN > SEQ ID = 6060842 > WINDOW = 512 > > Snort (http://www.snort.org) is a free lightweight IDS. Here's a > Snort filter for Naptha: > > alert tcp any any <> any any (flags:S; seq: 6060842; > id: 413; msg: "Naptha DoS Attack, see > http://razor.bindview.com//publish/advisories/adv_NAPTHA.html";) > > ------------------------------------------------------------------------ > > References: > > CVE: > > The Common Vulnerabilities and Exposures (CVE) project has > assigned the name CAN-2000-1039 to this issue. This is a > candidate for inclusion in the CVE list (http://cve.mitre.org), > which standardizes names for security problems. > > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1039 > > CERT Advisory: > > http://www.cert.org/advisories/CA-2000-21.html > > Microsoft's security bulletin: > > http://www.microsoft.com/technet/security/bulletin/MS00-091.asp > > Microsoft Security Patch: > > NT4: > http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25114 > > RFC 2267: > > http://www.faqs.org/rfcs/rfc2267.html > > "Distributed Denial of Service Defense Tactics" security paper > > Author: Simple Nomad > http://razor.bindview.com/publish/papers/DDSA_Defense.html > > "Strategies for Defeating Distributed Attacks" security paper > > Author: Simple Nomad > http://razor.bindview.com/publish/papers/strategies.html > > Snort: > > http://www.snort.org > > Dan Bernstein's tcpserver: > > http://cr.yp.to/ucspi-tcp.html > > Simson Garfinkel on Process-Table Attack > > http://www.securityfocus.com/archive/1/12636 > > Stanislav Shulanov's Netkill > > http://www.securityfocus.com/archive/1/56462 > > Contact: advisory+naptha@razor.bindview.com > > Acknowledgements: Mark Loveless and the rest of the RAZOR team. > > > ---------------------------------------------- > > > > The Naptha DoS vulnerabilities > "Tested Products" > > Note: The RAZOR team has examined > two TCP states out of many. These > states are the FIN-WAIT-1 state and > the ESTABLISHED state. More research > in this area is underway. We expect > to find a majority of operating > systems affected to some extent. > > > > Vendor Product Vulnerable? TCP state > Patch/Workaround Available? Notes > > Compaq Tru64 UNIX Yes ESTABLISHED No patch or > workaround available at this time See > V4.0F See > Recommendations Notes > > FreeBSD FreeBSD Yes ESTABLISHED No patch or > workaround available at this time See > 4.0-REL See > Recommendations Notes > > Hewlett-Packard HP-UX 11.00 Yes ESTABLISHED No patch or > workaround available at this time See > See > Recommendations Notes > > Microsoft Windows Yes FIN-WAIT-1 Workaround > available at See > 95,98,98SE > http://www.microsoft.com/technet/security/bulletin/MS00-091.asp Notes > > Microsoft Windows NT Yes FIN-WAIT-1, Patch > available at See > 4.0 SP6a ESTABLISHED > http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25114 Notes > > Microsoft Windows No N/A N/A > N/A > 2000 > > Novell Netware 5 Yes ESTABLISHED No patch or > workaround available at this time See > SP1 See > Recommendations Notes > > SGI IRIX 6.5.7m Yes ESTABLISHED No patch or > workaround available at this time See > See > Recommendations Notes > > Sun Solaris 7, Yes ESTABLISHED No patch or > workaround available at this time See > 8 See > Recommendations Notes > > > ------------------------------------------------------------------------ > > Notes: > > Compaq - Tru64 UNIX V4.0F > > Two services were tested, portmapper (tcp > port 111) and finger (tcp port 79). These > services were chosen because finger runs > from inetd and portmapper runs without it. > > The Tru64 UNIX kernel appears to be > somewhat robust against Naptha attacks. > Sending twenty thousand packets to tcp > port 111 caused no obvious performance > degradation on the Tru64 UNIX host > (except that other attempts to query the > portmapper became unsuccessful). The > netstat command showed a steady-state > value of 4100 ESTABLISHED connections. > > Sending a few hundred packets to tcp port > 79, however, resulted in creation of too > many finger daemon processes for the > system to continue normal operation. > Trying to start a new process from a login > shell resulted in the error "No more > processes". It is possible that the finger > daemon attack would have been less > effective with a different inetd > configuration, or with different kernel > parameters. We did not investigate this. > > ------------------------------------------- > > FreeBSD - FreeBSD 4.0-REL > > In testing FreeBSD, a few specific > daemons/ports were targeted. For some, the > stability of the system as a whole can be > affected. The daemons targeted in this > testing are not necessarily at fault for > the problems encountered. > > SSH: > Became unusable after 495 connections to > the ssh port. Each connection started an > instance of the daemon which quickly > exhausted available file handles; the > system reports "too many open files in > system". After approximately 30 minutes > the connections start timing out and the > system becomes usable again. > > NFS: > Stopped functioning after 964 packets to > the NFS port. While the rest of the system > did not seem affected, the connections did > not time out. > > BIND: > Took 961 TCP connections before the kernel > reported "file table is full", and TCP > services failed. UDP DNS seemed > unaffected. These connections look a long > time to time out, at least an hour. > > Note: These services/ports can be > similarly affected on other Linux and UNIX > variants. > > ------------------------------------------- > > Hewlett-Packard - HP-UX 11.00 > > Two services were tested, portmapper and > telnet. These services were chosen because > telnet runs from inetd and portmapper runs > without it. > > TELNET: > HP-UX appears to have some protection. It > stops responding to Naptha packets after > several hundred from the same IP address. > However, until that time it is possible to > make telnetd respond with; "Telnet device > drivers missing: No such device". This > does recover fairly quickly, however. > > PORTMAPPER: > After several hundred Naptha TCP sessions, > a telnet session to port 111 will > immediately be disconnected. This broken > state lingers for much longer than the > telnet problem. > > ------------------------------------------- > > Microsoft - Windows 95,98,98SE > > Leaving a large number of connections in > FIN-WAIT-1 causes the NetBIOS and WWW > services on Microsoft Windows 95, 98, and > 98SE to fail and not restart. > > ------------------------------------------- > > Microsoft - Windows NT 4.0 SP6a > > Exploiting ESTALISHED states on port 139 > (netbios-ssn), caused the service to die > after 1010 packets. Port 135 (loc-srv) > died after 7929 packets. Interestingly, if > port 139 had been previously killed by > Naptha, port 135 died after two packets. > If the Naptha attack was paused, port 135 > would recover but be immediately > unavailable if the Naptha attack was > resumed. When port 135 died, the CPU > utilization would eventually jump to 100% > and remain there until a reboot. > > Leaving a large number of connections in > FIN-WAIT-1 causes the NetBIOS and WWW > services on Microsoft Windows NT 4.0 to > fail and not restart. > > ------------------------------------------- > > Novell - Netware 5 SP1 > > Locked up after 3000 open connections on > port 524, utilized all 64MB of the > system's RAM, and CPU utilization became > 100%. The server still had not timed out > connections and recovered memory after 12 > hours being left idle. > > ------------------------------------------- > > SGI - IRIX 6.5.7m > > Two services were tested, portmapper (tcp > port 111) and sgi-dgl (tcp port 5232). > These services were chosen because sgi-dgl > runs from inetd and portmapper runs > without it. > > The IRIX kernel appears to be somewhat > robust against Naptha attacks. Sending > twenty thousand packets to tcp port 111 > caused no obvious performance degradation > on the IRIX host (except that other > attempts to query the portmapper became > unsuccessful). The netstat command showed > a steady-state value of 195 ESTABLISHED > connections. > > Sending a few hundred packets to tcp port > 5232, however, resulted in creation of too > many dgl daemon processes for the system > to continue normal operation. Trying to > start a new process from a login shell > resulted in the error "No more processes". > It is possible that the dgl daemon attack > would have been less effective with a > different inetd configuration, or with > different kernel parameters. We did not > investigate this. > > ------------------------------------------- > > Sun - Solaris 7, 8 > > Two services were tested, portmapper and > telnet. These services were chosen because > telnet runs from inetd and portmapper runs > without it. > > TELNET: > At around 700 Naptha TCP sessions, a > telnet session will be connected but then > gets the message "can't grant slave pty" > and is disconnected. At 1700 Naptha TCP > sessions, a telnet session will be > connected but nothing else happens. This > is not confined to the telnet port, it > effects every port. If the Naptha attack > is stopped, eventually telnet will > recover. How long it is broken is > dependant on the speed and length of the > Naptha assault and other factors. A > typical downtime was an hour. > > PORTMAPPER: > At around 300 Naptha TCP sessions, a > telnet session to port 111 is immediately > disconnected (normally, this is > disconnected when a user hit the enter > key). This fault does not effect other > services. Downtime variable but typically > two hours. > > ------------------------------------------- > > Contact: advisory+naptha@razor.bindview.com > > _____________________________________________________________________ > ** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice" > ** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST" > SEND ALL COMMANDS TO: listserv@listserv.ntsecurity.net > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message