diff options
-rw-r--r-- | network/sockstress/README | 6 | ||||
-rw-r--r-- | network/sockstress/README-NEW | 261 | ||||
-rw-r--r-- | network/sockstress/slack-desc | 19 | ||||
-rw-r--r-- | network/sockstress/sockstress.SlackBuild | 103 | ||||
-rw-r--r-- | network/sockstress/sockstress.info | 10 |
5 files changed, 0 insertions, 399 deletions
diff --git a/network/sockstress/README b/network/sockstress/README deleted file mode 100644 index 6907fcc5078a..000000000000 --- a/network/sockstress/README +++ /dev/null @@ -1,6 +0,0 @@ -sockstress is a collection of TCP socket stress methods -that attempt to deplete limited kernel resources. - -After installation, the source code is placed in -/usr/src/sockstress-0.0.1 -You can modify payloads there. diff --git a/network/sockstress/README-NEW b/network/sockstress/README-NEW deleted file mode 100644 index 5211db5fe50a..000000000000 --- a/network/sockstress/README-NEW +++ /dev/null @@ -1,261 +0,0 @@ -=-=-=-=-=-= - -Sockstress is a user-land TCP socket stress framework that can -complete arbitrary numbers of open sockets without incurring the -typical overhead of tracking state. Once the socket is established, -it is capable of sending TCP attacks that target specific types of -kernel and system resources such as Counters, Timers, and Memory -Pools. Obviously, some of the attacks described here are considered -"well known". However, the full effects of these attacks is less -known. Further, there are more attacks yet to be -discovered/documented. As researchers document ways of depleting -specific resources, attack modules could be added into the sockstress -framework. - -The sockstress attack tool consists of two main parts: - -1) Fantaip: Fantaip is a "Phantom IP" program that performs ARP for -IP addresses. Fantaip is provided by the unicornscan package. -To use fantaip, type 'fantaip -i interface CIDR', -Ex., 'fantaip -i eth0 192.168.0.128/25'. -This ARP/Layer 2 function could optionally be provided by other means -depending on the requirements of the local network topology. Since -sockstress completes TCP sockets in user-land, it is not advisable -to use sockstress with an IP address configured for use by the kernel, -as the kernel would then RST the sockets. Fantaip is not strictly -required as the use of a firewall to drop incoming packets with rst -flag can be used to achieve the same goal and prevent the kernel from -interfering with the attack vector. However, you may end up DoSing -yourself using the local firewall method. - -2) Sockstress: In its most basic use, sockstress simply opens TCP -sockets and sends a specified TCP stress test. It can optionally send -an application specific TCP payload (i.e. 'GET / HTTP/1.0' request). -By default, post attack it ignores subsequent communications on the -established socket. It can optionally ACK probes for active sockets. -The attacks take advantage of the exposed resources the target makes -available post handshake. - -The client side cookies, heavily discussed in blogs, news and -discussion lists, is an implementation detail of sockstress, and not -strictly necessary for carrying out these attacks. - -=-=-=-=-=-= - -The attack scenarios - -Every attack in the sockstress framework has some impact on the -system/service it is attacking. However, some attacks are more -effective than others against a specific system/service combination. - -=-=-=-=-=-= - -Connection flood stress -Sockstress does not have a special attack module for performing a -simple connection flood attack, but any of the attack modules can be -used as such if the -c-1 (max connections unlimited) and -m-1 -(max syn unlimited) options are used. This would approximate the -naptha attack by performing a connection flood, exhausting all -available TCB's as described in the CPNI document in section 3.1.1 - -Example commands: - - fantaip -i eth0 192.168.1.128/25 -vvv - sockstress -A -c-1 -d 192.168.1.100 -m-1 -Mz -p22,80 -r300 \ - -s192.168.1.128/25 -vv - -=-=-=-=-=-= - -Zero window connection stress -Create a connection to a listening socket and upon 3 way handshake -(inside last ack) send 0 window. - - syn -> (4k window) - <- syn+ack (32k window) - ack -> (0 window) - -Now the server will have to "probe" the client until the zero window -opens up. This is the most simple of the attack types to understand. -The result is similar to a connection flood, except that the sockets -remain open potentially indefinitely (when -A/ACK is enabled). This -is described in the CPNI document in section 2.2. A variation here -would be to PSH a client payload (i.e. 'GET / HTTP/1.0') prior to -setting the window to 0. This variation would be similar to what is -described in the CPNI document section 5.1.1. A further variation -would be to occasionally advertise a TCP window larger than 0, then -go back to 0-window. - -Good against: - -services that have long timeouts Example commands: - - fantaip -i eth0 192.168.1.128/25 -vvv - sockstress -A -c-1 -d 192.168.1.100 -m-1 -Mz -p22,80 -r300 \ - -s192.168.1.128/25 -vv - -=-=-=-=-=-= - -Small window stress -Create a connection to a listening socket and upon 3 way handshake -(inside last ack) set window size of 4 bytes, then create an ack/psh -packet with a tcp payload (into a window that is hopefully large -enough to accept it) with a window still set to 4 bytes. This will -potentially cause kernel memory to be consumed as it takes the -response and splits it into tiny 4 byte chunks. This is unlike a -connection flood in that memory is now consumed for every request -made. This has reliably put Linux/Apache and Linux/sendmail systems -into defunct states. It is also effective against other systems. -We expect this has similar effects to what is described in the CPNI -document in the second to last paragraph of page 17. - -Look at the payload.c file in the sockstress source. Look for the -hport switch statement. In that section you can specify payloads to -be sent to specific ports. It is most effective to send a payload -that will generate as large of a response as possible -(i.e. 'GET /largefile.zip'). - -Good against: - -services that contain initial connection banners services that accept -an initial request and send a large response (for example a GET -request against a large web page, or file download) Example commands: - - fantaip -i eth0 192.168.1.128/25 -vvv - sockstress -A -c-1 -d 192.168.1.100 -m-1 -Mw -p22,80 -r300 \ - -s192.168.1.128/25 -vv - -=-=-=-=-=-= - -Segment hole stress -Create a connection to a listening socket and upon 3 way handshake -(inside last ack) send 4 bytes to the beginning of a window, as -advertised by the remote system. Then send 4 bytes to end of window. -Then 0-window the connection. Depending on the stack, this could cause -the remote system to allocate multiple pages of kernel memory per -connection. This is unlike a connection flood in that memory is now -consumed for every connection made. This attack was originally created -to target Linux. It is also quite effective against windows. This is -the attack we used in our sec-t and T2 demos. We expect this has -similar effects to what is described in the CPNI document in section -5.2.2 5th paragraph and section 5.3. - -Good against: - -Stacks that allocate multiple pages of kernel memory in response to -this stimulus Example commands: - - fantaip -i eth0 192.168.1.128/25 -vvv - sockstress -A -c-1 -d 192.168.1.100 -m-1 -Ms -p22,80 -r300 \ - -s192.168.1.128/25 -vv - -=-=-=-=-=-= - -Req fin pause stress -Create a connection to a listening socket. PSH an application payload -(i.e. 'GET / HTTP/1.0'). FIN the connection and 0-window it. This -attack will have very different results depending on the -stack/application you are targeting. Using this against a Cisco 1700 -(IOS) web server, we observed sockets left in FIN_WAIT_1 indefinitely. -After enough of such sockets, the router could no longer communicate -TCP correctly. - -Look at the payload.c file in the sockstress source. Look for the -hport switch statement. In that section you can specify payloads to be -sent to specific ports. It is important that you send a payload that -will look like a normal client to the application you are interacting -with. Against our cisco 1700, while using this attack it was important -to attack at a very slow rate. - -Example commands: - - fantaip -i eth0 192.168.1.128/25 -vvv - sockstress -A -c-1 -d 192.168.1.100 -m-1 -MS -p80 -r10 \ - -s192.168.1.128/25 -vv - -=-=-=-=-=-= - -Activate reno pressure stress -Create a connection to a listening socket. PSH an application payload -(i.e. 'GET / HTTP/1.0'). Triple duplicate ACK. - -Look at the payload.c file in the sockstress source. Look for the -hport switch statement. In that section you can specify payloads to -be sent to specific ports. It is important that you send a payload -that will look like a normal client to the application you are -interacting with. - -Good against: - -Stacks that support this method of activating reno or similar -scheduler functionality Example commands: - - fantaip -i eth0 192.168.1.128/25 -vvv - sockstress -A -c-1 -d 192.168.1.100 -m-1 -MR -p22,80 -r300 \ - -s192.168.1.128/25 -vv - -=-=-=-=-=-= - -Other Ideas - - fin_wait_2 stress - Create a connection to a listening socket. - PSH an application payload that will likely cause the - application on the other side to close the socket (Target - sends a FIN). ACK the FIN. Good against: Stacks that don't - have a FIN_WAIT_2 timeout. large congestion window stress - shrink path mtu stress - md5 stress - -Effects of the attacks - -If the attacks are successful in initiating perpetually stalled -connections, the connection table of the server can quickly be filled, -effectively creating a denial of service condition for a specific -service. In many cases we have also seen the attacks consume -significant amounts of event queues and system memory, which -intensifies the effects of the attacks. The result of which has been -systems that no longer have event timers for TCP communication, frozen -systems, and system reboots. -The attacks do not require significant bandwidth. - -While it is trivial to get a single service to become unavailable in -a matter of seconds, to make an entire system become defunct can take -many minutes, and in some cases hours. As a general rule, the more -services a system has, the faster it will succumb to the devastating -(broken TCP, system lock, reboot, etc.) effects of the attacks. -Alternatively, attack amplification can be achieved by attacking from -a larger number of IP addresses. We typically attack from a /29 -through a /25 in our labs. Attacking from a /32 is typically less -effective at causing the system wide faults. -Exploitation caveats - -The attack requires a successful TCP 3 way handshake to effectively -fill the victims connection tables. This limits the attack's -effectiveness as an attacker cannot spoof the client IP address to -avoid traceability. - -A sockstress style exploit also needs access to raw sockets on the -attacking machine because the packets must be handled in userspace -rather than with the OS's connect() API. Raw sockets are disabled -on Windows XP SP2 and above, but device drivers are readily available -to put this facility back into Windows. The exploit is able to be -executed as-is on other platforms with raw sockets such as *nix and -requires root (superuser) privileges. - -=-=-=-=-=-= - -Mitigation - -Since an attacker must be able to establish TCP sockets to affect the -target, white-listing access to TCP services on critical systems and -routers is the currently most effective means for mitigation. -Using IPsec is also an effective mitigation. - -According to the Cisco Response the current mitigation advice is to -only allow trusted sources to access TCP-based services. -This mitigation is particularly important for critical infrastructure -devices. Red Hat has stated that "Due to upstream's decision not to -release updates, Red Hat do not plan to release updates to resolve -these issues; however, the effects of these attacks can be reduced." -On Linux using iptables with connection tracking and rate limiting -can limit the impact of exploitation significantly. diff --git a/network/sockstress/slack-desc b/network/sockstress/slack-desc deleted file mode 100644 index df47847f0193..000000000000 --- a/network/sockstress/slack-desc +++ /dev/null @@ -1,19 +0,0 @@ -# HOW TO EDIT THIS FILE: -# The "handy ruler" below makes it easier to edit a package description. -# Line up the first '|' above the ':' following the base package name, and -# the '|' on the right side marks the last column you can put a character in. -# You must make exactly 11 lines for the formatting to be correct. It's also -# customary to leave one space after the ':' except on otherwise blank lines. - - |-----handy-ruler------------------------------------------------------| -sockstress: sockstress (tcp socket stress) -sockstress: -sockstress: sockstress is a collection of TCP socket stress methods -sockstress: that attempt to deplete limited kernel resources. -sockstress: -sockstress: http://en.wikipedia.org/wiki/Sockstress -sockstress: -sockstress: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4609 -sockstress: -sockstress: -sockstress: diff --git a/network/sockstress/sockstress.SlackBuild b/network/sockstress/sockstress.SlackBuild deleted file mode 100644 index 9f56efb86c2a..000000000000 --- a/network/sockstress/sockstress.SlackBuild +++ /dev/null @@ -1,103 +0,0 @@ -#!/bin/sh - -# Slackware build script for sockstress -# Happy Birthday Jack! :) - -# Copyright Jan 5, 2013 Robert E. Lee, USA -# All rights reserved. -# -# Redistribution and use of this script, with or without modification, is -# permitted provided that the following conditions are met: -# -# 1. Redistributions of this script must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR "AS IS" AND ANY EXPRESS OR IMPLIED -# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF -# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO -# EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, -# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; -# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, -# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR -# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF -# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - -PRGNAM=sockstress -VERSION=${VERSION:-0.0.1} -BUILD=${BUILD:-1} -TAG=${TAG:-_SBo} - -if [ -z "$ARCH" ]; then - case "$( uname -m )" in - i?86) ARCH=i486 ;; - arm*) ARCH=arm ;; - *) ARCH=$( uname -m ) ;; - esac -fi - -CWD=$(pwd) -TMP=${TMP:-/tmp/SBo} -PKG=$TMP/package-$PRGNAM -OUTPUT=${OUTPUT:-/tmp} - -if [ "$ARCH" = "i486" ]; then - SLKCFLAGS="-O2 -march=i486 -mtune=i686" - LIBDIRSUFFIX="" -elif [ "$ARCH" = "i686" ]; then - SLKCFLAGS="-O2 -march=i686 -mtune=i686" - LIBDIRSUFFIX="" -elif [ "$ARCH" = "x86_64" ]; then - SLKCFLAGS="-O2 -fPIC" - LIBDIRSUFFIX="64" -else - SLKCFLAGS="-O2" - LIBDIRSUFFIX="" -fi - -set -e - -rm -rf $PKG -mkdir -p $TMP $PKG $OUTPUT -cd $TMP -rm -rf $PRGNAM-$VERSION ._${PRGNAM} -tar xvf $CWD/$PRGNAM.tar.gz -mv $PRGNAM $PRGNAM-$VERSION -cd $PRGNAM-$VERSION -rm -fr ._* */._* */*/._* -chown -R root:root . -find -L . \ - \( -perm 777 -o -perm 775 -o -perm 750 -o -perm 711 -o -perm 555 -o -perm 511 \) \ - -exec chmod 755 {} \; -o \ - \( -perm 666 -o -perm 664 -o -perm 600 -o -perm 444 -o -perm 440 -o -perm 400 \) \ - -exec chmod 644 {} \; - -CFLAGS="$SLKCFLAGS" \ -CXXFLAGS="$SLKCFLAGS" \ -./configure \ - CFLAGS=-D_GNU_SOURCE \ - --prefix=/usr \ - --libdir=/usr/lib${LIBDIRSUFFIX} \ - --sysconfdir=/etc \ - --localstatedir=/var \ - --mandir=/usr/man \ - --docdir=/usr/doc/$PRGNAM-$VERSION \ - --build=$ARCH-slackware-linux - -make -mkdir -p $PKG/usr/bin -ln -s /usr/src/$PRGNAM-$VERSION/sockstress $PKG/usr/bin/sockstress - -mkdir -p $PKG/usr/doc/$PRGNAM-$VERSION $PKG/usr/src/$PRGNAM-$VERSION -cp -a * $PKG/usr/src/$PRGNAM-$VERSION/ -( cd $PKG/usr/src/$PRGNAM-$VERSION - mv IOS_NOTES NOTES README doc/* wiki $PKG/usr/doc/$PRGNAM-$VERSION ) -rm -fr $PKG/usr/src/$PRGNAM-$VERSION/doc -cat $CWD/$PRGNAM.SlackBuild > $PKG/usr/doc/$PRGNAM-$VERSION/$PRGNAM.SlackBuild -cat $CWD/README-NEW > $PKG/usr/doc/$PRGNAM-$VERSION/$PRGNAM.README-NEW - -mkdir -p $PKG/install -cat $CWD/slack-desc > $PKG/install/slack-desc - -cd $PKG -/sbin/makepkg -l y -c n $OUTPUT/$PRGNAM-$VERSION-$ARCH-$BUILD$TAG.${PKGTYPE:-tgz} diff --git a/network/sockstress/sockstress.info b/network/sockstress/sockstress.info deleted file mode 100644 index 21b95ce17423..000000000000 --- a/network/sockstress/sockstress.info +++ /dev/null @@ -1,10 +0,0 @@ -PRGNAM="sockstress" -VERSION="0.0.1" -HOMEPAGE="http://en.wikipedia.org/wiki/Sockstress" -DOWNLOAD="http://downloads.sourceforge.net/osace/sockstress.tar.gz" -MD5SUM="292ad9f40a472883b34e4dbefe5f6c35" -DOWNLOAD_x86_64="" -MD5SUM_x86_64="" -REQUIRES="unicornscan" -MAINTAINER="Robert E. Lee" -EMAIL="robert_at_loveathome.us" |