diff options
Diffstat (limited to 'network/sockstress/README-NEW')
| -rw-r--r-- | network/sockstress/README-NEW | 261 |
1 files changed, 0 insertions, 261 deletions
diff --git a/network/sockstress/README-NEW b/network/sockstress/README-NEW deleted file mode 100644 index 5211db5fe50ab..0000000000000 --- a/network/sockstress/README-NEW +++ /dev/null @@ -1,261 +0,0 @@ -=-=-=-=-=-= - -Sockstress is a user-land TCP socket stress framework that can -complete arbitrary numbers of open sockets without incurring the -typical overhead of tracking state. Once the socket is established, -it is capable of sending TCP attacks that target specific types of -kernel and system resources such as Counters, Timers, and Memory -Pools. Obviously, some of the attacks described here are considered -"well known". However, the full effects of these attacks is less -known. Further, there are more attacks yet to be -discovered/documented. As researchers document ways of depleting -specific resources, attack modules could be added into the sockstress -framework. - -The sockstress attack tool consists of two main parts: - -1) Fantaip: Fantaip is a "Phantom IP" program that performs ARP for -IP addresses. Fantaip is provided by the unicornscan package. -To use fantaip, type 'fantaip -i interface CIDR', -Ex., 'fantaip -i eth0 192.168.0.128/25'. -This ARP/Layer 2 function could optionally be provided by other means -depending on the requirements of the local network topology. Since -sockstress completes TCP sockets in user-land, it is not advisable -to use sockstress with an IP address configured for use by the kernel, -as the kernel would then RST the sockets. Fantaip is not strictly -required as the use of a firewall to drop incoming packets with rst -flag can be used to achieve the same goal and prevent the kernel from -interfering with the attack vector. However, you may end up DoSing -yourself using the local firewall method. - -2) Sockstress: In its most basic use, sockstress simply opens TCP -sockets and sends a specified TCP stress test. It can optionally send -an application specific TCP payload (i.e. 'GET / HTTP/1.0' request). -By default, post attack it ignores subsequent communications on the -established socket. It can optionally ACK probes for active sockets. -The attacks take advantage of the exposed resources the target makes -available post handshake. - -The client side cookies, heavily discussed in blogs, news and -discussion lists, is an implementation detail of sockstress, and not -strictly necessary for carrying out these attacks. - -=-=-=-=-=-= - -The attack scenarios - -Every attack in the sockstress framework has some impact on the -system/service it is attacking. However, some attacks are more -effective than others against a specific system/service combination. - -=-=-=-=-=-= - -Connection flood stress -Sockstress does not have a special attack module for performing a -simple connection flood attack, but any of the attack modules can be -used as such if the -c-1 (max connections unlimited) and -m-1 -(max syn unlimited) options are used. This would approximate the -naptha attack by performing a connection flood, exhausting all -available TCB's as described in the CPNI document in section 3.1.1 - -Example commands: - - fantaip -i eth0 192.168.1.128/25 -vvv - sockstress -A -c-1 -d 192.168.1.100 -m-1 -Mz -p22,80 -r300 \ - -s192.168.1.128/25 -vv - -=-=-=-=-=-= - -Zero window connection stress -Create a connection to a listening socket and upon 3 way handshake -(inside last ack) send 0 window. - - syn -> (4k window) - <- syn+ack (32k window) - ack -> (0 window) - -Now the server will have to "probe" the client until the zero window -opens up. This is the most simple of the attack types to understand. -The result is similar to a connection flood, except that the sockets -remain open potentially indefinitely (when -A/ACK is enabled). This -is described in the CPNI document in section 2.2. A variation here -would be to PSH a client payload (i.e. 'GET / HTTP/1.0') prior to -setting the window to 0. This variation would be similar to what is -described in the CPNI document section 5.1.1. A further variation -would be to occasionally advertise a TCP window larger than 0, then -go back to 0-window. - -Good against: - -services that have long timeouts Example commands: - - fantaip -i eth0 192.168.1.128/25 -vvv - sockstress -A -c-1 -d 192.168.1.100 -m-1 -Mz -p22,80 -r300 \ - -s192.168.1.128/25 -vv - -=-=-=-=-=-= - -Small window stress -Create a connection to a listening socket and upon 3 way handshake -(inside last ack) set window size of 4 bytes, then create an ack/psh -packet with a tcp payload (into a window that is hopefully large -enough to accept it) with a window still set to 4 bytes. This will -potentially cause kernel memory to be consumed as it takes the -response and splits it into tiny 4 byte chunks. This is unlike a -connection flood in that memory is now consumed for every request -made. This has reliably put Linux/Apache and Linux/sendmail systems -into defunct states. It is also effective against other systems. -We expect this has similar effects to what is described in the CPNI -document in the second to last paragraph of page 17. - -Look at the payload.c file in the sockstress source. Look for the -hport switch statement. In that section you can specify payloads to -be sent to specific ports. It is most effective to send a payload -that will generate as large of a response as possible -(i.e. 'GET /largefile.zip'). - -Good against: - -services that contain initial connection banners services that accept -an initial request and send a large response (for example a GET -request against a large web page, or file download) Example commands: - - fantaip -i eth0 192.168.1.128/25 -vvv - sockstress -A -c-1 -d 192.168.1.100 -m-1 -Mw -p22,80 -r300 \ - -s192.168.1.128/25 -vv - -=-=-=-=-=-= - -Segment hole stress -Create a connection to a listening socket and upon 3 way handshake -(inside last ack) send 4 bytes to the beginning of a window, as -advertised by the remote system. Then send 4 bytes to end of window. -Then 0-window the connection. Depending on the stack, this could cause -the remote system to allocate multiple pages of kernel memory per -connection. This is unlike a connection flood in that memory is now -consumed for every connection made. This attack was originally created -to target Linux. It is also quite effective against windows. This is -the attack we used in our sec-t and T2 demos. We expect this has -similar effects to what is described in the CPNI document in section -5.2.2 5th paragraph and section 5.3. - -Good against: - -Stacks that allocate multiple pages of kernel memory in response to -this stimulus Example commands: - - fantaip -i eth0 192.168.1.128/25 -vvv - sockstress -A -c-1 -d 192.168.1.100 -m-1 -Ms -p22,80 -r300 \ - -s192.168.1.128/25 -vv - -=-=-=-=-=-= - -Req fin pause stress -Create a connection to a listening socket. PSH an application payload -(i.e. 'GET / HTTP/1.0'). FIN the connection and 0-window it. This -attack will have very different results depending on the -stack/application you are targeting. Using this against a Cisco 1700 -(IOS) web server, we observed sockets left in FIN_WAIT_1 indefinitely. -After enough of such sockets, the router could no longer communicate -TCP correctly. - -Look at the payload.c file in the sockstress source. Look for the -hport switch statement. In that section you can specify payloads to be -sent to specific ports. It is important that you send a payload that -will look like a normal client to the application you are interacting -with. Against our cisco 1700, while using this attack it was important -to attack at a very slow rate. - -Example commands: - - fantaip -i eth0 192.168.1.128/25 -vvv - sockstress -A -c-1 -d 192.168.1.100 -m-1 -MS -p80 -r10 \ - -s192.168.1.128/25 -vv - -=-=-=-=-=-= - -Activate reno pressure stress -Create a connection to a listening socket. PSH an application payload -(i.e. 'GET / HTTP/1.0'). Triple duplicate ACK. - -Look at the payload.c file in the sockstress source. Look for the -hport switch statement. In that section you can specify payloads to -be sent to specific ports. It is important that you send a payload -that will look like a normal client to the application you are -interacting with. - -Good against: - -Stacks that support this method of activating reno or similar -scheduler functionality Example commands: - - fantaip -i eth0 192.168.1.128/25 -vvv - sockstress -A -c-1 -d 192.168.1.100 -m-1 -MR -p22,80 -r300 \ - -s192.168.1.128/25 -vv - -=-=-=-=-=-= - -Other Ideas - - fin_wait_2 stress - Create a connection to a listening socket. - PSH an application payload that will likely cause the - application on the other side to close the socket (Target - sends a FIN). ACK the FIN. Good against: Stacks that don't - have a FIN_WAIT_2 timeout. large congestion window stress - shrink path mtu stress - md5 stress - -Effects of the attacks - -If the attacks are successful in initiating perpetually stalled -connections, the connection table of the server can quickly be filled, -effectively creating a denial of service condition for a specific -service. In many cases we have also seen the attacks consume -significant amounts of event queues and system memory, which -intensifies the effects of the attacks. The result of which has been -systems that no longer have event timers for TCP communication, frozen -systems, and system reboots. -The attacks do not require significant bandwidth. - -While it is trivial to get a single service to become unavailable in -a matter of seconds, to make an entire system become defunct can take -many minutes, and in some cases hours. As a general rule, the more -services a system has, the faster it will succumb to the devastating -(broken TCP, system lock, reboot, etc.) effects of the attacks. -Alternatively, attack amplification can be achieved by attacking from -a larger number of IP addresses. We typically attack from a /29 -through a /25 in our labs. Attacking from a /32 is typically less -effective at causing the system wide faults. -Exploitation caveats - -The attack requires a successful TCP 3 way handshake to effectively -fill the victims connection tables. This limits the attack's -effectiveness as an attacker cannot spoof the client IP address to -avoid traceability. - -A sockstress style exploit also needs access to raw sockets on the -attacking machine because the packets must be handled in userspace -rather than with the OS's connect() API. Raw sockets are disabled -on Windows XP SP2 and above, but device drivers are readily available -to put this facility back into Windows. The exploit is able to be -executed as-is on other platforms with raw sockets such as *nix and -requires root (superuser) privileges. - -=-=-=-=-=-= - -Mitigation - -Since an attacker must be able to establish TCP sockets to affect the -target, white-listing access to TCP services on critical systems and -routers is the currently most effective means for mitigation. -Using IPsec is also an effective mitigation. - -According to the Cisco Response the current mitigation advice is to -only allow trusted sources to access TCP-based services. -This mitigation is particularly important for critical infrastructure -devices. Red Hat has stated that "Due to upstream's decision not to -release updates, Red Hat do not plan to release updates to resolve -these issues; however, the effects of these attacks can be reduced." -On Linux using iptables with connection tracking and rate limiting -can limit the impact of exploitation significantly. |