aboutsummaryrefslogtreecommitdiff
path: root/network/sockstress/README-NEW
diff options
context:
space:
mode:
Diffstat (limited to 'network/sockstress/README-NEW')
-rw-r--r--network/sockstress/README-NEW261
1 files changed, 261 insertions, 0 deletions
diff --git a/network/sockstress/README-NEW b/network/sockstress/README-NEW
new file mode 100644
index 0000000000000..5211db5fe50ab
--- /dev/null
+++ b/network/sockstress/README-NEW
@@ -0,0 +1,261 @@
+=-=-=-=-=-=
+
+Sockstress is a user-land TCP socket stress framework that can
+complete arbitrary numbers of open sockets without incurring the
+typical overhead of tracking state. Once the socket is established,
+it is capable of sending TCP attacks that target specific types of
+kernel and system resources such as Counters, Timers, and Memory
+Pools. Obviously, some of the attacks described here are considered
+"well known". However, the full effects of these attacks is less
+known. Further, there are more attacks yet to be
+discovered/documented. As researchers document ways of depleting
+specific resources, attack modules could be added into the sockstress
+framework.
+
+The sockstress attack tool consists of two main parts:
+
+1) Fantaip: Fantaip is a "Phantom IP" program that performs ARP for
+IP addresses. Fantaip is provided by the unicornscan package.
+To use fantaip, type 'fantaip -i interface CIDR',
+Ex., 'fantaip -i eth0 192.168.0.128/25'.
+This ARP/Layer 2 function could optionally be provided by other means
+depending on the requirements of the local network topology. Since
+sockstress completes TCP sockets in user-land, it is not advisable
+to use sockstress with an IP address configured for use by the kernel,
+as the kernel would then RST the sockets. Fantaip is not strictly
+required as the use of a firewall to drop incoming packets with rst
+flag can be used to achieve the same goal and prevent the kernel from
+interfering with the attack vector. However, you may end up DoSing
+yourself using the local firewall method.
+
+2) Sockstress: In its most basic use, sockstress simply opens TCP
+sockets and sends a specified TCP stress test. It can optionally send
+an application specific TCP payload (i.e. 'GET / HTTP/1.0' request).
+By default, post attack it ignores subsequent communications on the
+established socket. It can optionally ACK probes for active sockets.
+The attacks take advantage of the exposed resources the target makes
+available post handshake.
+
+The client side cookies, heavily discussed in blogs, news and
+discussion lists, is an implementation detail of sockstress, and not
+strictly necessary for carrying out these attacks.
+
+=-=-=-=-=-=
+
+The attack scenarios
+
+Every attack in the sockstress framework has some impact on the
+system/service it is attacking. However, some attacks are more
+effective than others against a specific system/service combination.
+
+=-=-=-=-=-=
+
+Connection flood stress
+Sockstress does not have a special attack module for performing a
+simple connection flood attack, but any of the attack modules can be
+used as such if the -c-1 (max connections unlimited) and -m-1
+(max syn unlimited) options are used. This would approximate the
+naptha attack by performing a connection flood, exhausting all
+available TCB's as described in the CPNI document in section 3.1.1
+
+Example commands:
+
+ fantaip -i eth0 192.168.1.128/25 -vvv
+ sockstress -A -c-1 -d 192.168.1.100 -m-1 -Mz -p22,80 -r300 \
+ -s192.168.1.128/25 -vv
+
+=-=-=-=-=-=
+
+Zero window connection stress
+Create a connection to a listening socket and upon 3 way handshake
+(inside last ack) send 0 window.
+
+ syn -> (4k window)
+ <- syn+ack (32k window)
+ ack -> (0 window)
+
+Now the server will have to "probe" the client until the zero window
+opens up. This is the most simple of the attack types to understand.
+The result is similar to a connection flood, except that the sockets
+remain open potentially indefinitely (when -A/ACK is enabled). This
+is described in the CPNI document in section 2.2. A variation here
+would be to PSH a client payload (i.e. 'GET / HTTP/1.0') prior to
+setting the window to 0. This variation would be similar to what is
+described in the CPNI document section 5.1.1. A further variation
+would be to occasionally advertise a TCP window larger than 0, then
+go back to 0-window.
+
+Good against:
+
+services that have long timeouts Example commands:
+
+ fantaip -i eth0 192.168.1.128/25 -vvv
+ sockstress -A -c-1 -d 192.168.1.100 -m-1 -Mz -p22,80 -r300 \
+ -s192.168.1.128/25 -vv
+
+=-=-=-=-=-=
+
+Small window stress
+Create a connection to a listening socket and upon 3 way handshake
+(inside last ack) set window size of 4 bytes, then create an ack/psh
+packet with a tcp payload (into a window that is hopefully large
+enough to accept it) with a window still set to 4 bytes. This will
+potentially cause kernel memory to be consumed as it takes the
+response and splits it into tiny 4 byte chunks. This is unlike a
+connection flood in that memory is now consumed for every request
+made. This has reliably put Linux/Apache and Linux/sendmail systems
+into defunct states. It is also effective against other systems.
+We expect this has similar effects to what is described in the CPNI
+document in the second to last paragraph of page 17.
+
+Look at the payload.c file in the sockstress source. Look for the
+hport switch statement. In that section you can specify payloads to
+be sent to specific ports. It is most effective to send a payload
+that will generate as large of a response as possible
+(i.e. 'GET /largefile.zip').
+
+Good against:
+
+services that contain initial connection banners services that accept
+an initial request and send a large response (for example a GET
+request against a large web page, or file download) Example commands:
+
+ fantaip -i eth0 192.168.1.128/25 -vvv
+ sockstress -A -c-1 -d 192.168.1.100 -m-1 -Mw -p22,80 -r300 \
+ -s192.168.1.128/25 -vv
+
+=-=-=-=-=-=
+
+Segment hole stress
+Create a connection to a listening socket and upon 3 way handshake
+(inside last ack) send 4 bytes to the beginning of a window, as
+advertised by the remote system. Then send 4 bytes to end of window.
+Then 0-window the connection. Depending on the stack, this could cause
+the remote system to allocate multiple pages of kernel memory per
+connection. This is unlike a connection flood in that memory is now
+consumed for every connection made. This attack was originally created
+to target Linux. It is also quite effective against windows. This is
+the attack we used in our sec-t and T2 demos. We expect this has
+similar effects to what is described in the CPNI document in section
+5.2.2 5th paragraph and section 5.3.
+
+Good against:
+
+Stacks that allocate multiple pages of kernel memory in response to
+this stimulus Example commands:
+
+ fantaip -i eth0 192.168.1.128/25 -vvv
+ sockstress -A -c-1 -d 192.168.1.100 -m-1 -Ms -p22,80 -r300 \
+ -s192.168.1.128/25 -vv
+
+=-=-=-=-=-=
+
+Req fin pause stress
+Create a connection to a listening socket. PSH an application payload
+(i.e. 'GET / HTTP/1.0'). FIN the connection and 0-window it. This
+attack will have very different results depending on the
+stack/application you are targeting. Using this against a Cisco 1700
+(IOS) web server, we observed sockets left in FIN_WAIT_1 indefinitely.
+After enough of such sockets, the router could no longer communicate
+TCP correctly.
+
+Look at the payload.c file in the sockstress source. Look for the
+hport switch statement. In that section you can specify payloads to be
+sent to specific ports. It is important that you send a payload that
+will look like a normal client to the application you are interacting
+with. Against our cisco 1700, while using this attack it was important
+to attack at a very slow rate.
+
+Example commands:
+
+ fantaip -i eth0 192.168.1.128/25 -vvv
+ sockstress -A -c-1 -d 192.168.1.100 -m-1 -MS -p80 -r10 \
+ -s192.168.1.128/25 -vv
+
+=-=-=-=-=-=
+
+Activate reno pressure stress
+Create a connection to a listening socket. PSH an application payload
+(i.e. 'GET / HTTP/1.0'). Triple duplicate ACK.
+
+Look at the payload.c file in the sockstress source. Look for the
+hport switch statement. In that section you can specify payloads to
+be sent to specific ports. It is important that you send a payload
+that will look like a normal client to the application you are
+interacting with.
+
+Good against:
+
+Stacks that support this method of activating reno or similar
+scheduler functionality Example commands:
+
+ fantaip -i eth0 192.168.1.128/25 -vvv
+ sockstress -A -c-1 -d 192.168.1.100 -m-1 -MR -p22,80 -r300 \
+ -s192.168.1.128/25 -vv
+
+=-=-=-=-=-=
+
+Other Ideas
+
+ fin_wait_2 stress
+ Create a connection to a listening socket.
+ PSH an application payload that will likely cause the
+ application on the other side to close the socket (Target
+ sends a FIN). ACK the FIN. Good against: Stacks that don't
+ have a FIN_WAIT_2 timeout. large congestion window stress
+ shrink path mtu stress
+ md5 stress
+
+Effects of the attacks
+
+If the attacks are successful in initiating perpetually stalled
+connections, the connection table of the server can quickly be filled,
+effectively creating a denial of service condition for a specific
+service. In many cases we have also seen the attacks consume
+significant amounts of event queues and system memory, which
+intensifies the effects of the attacks. The result of which has been
+systems that no longer have event timers for TCP communication, frozen
+systems, and system reboots.
+The attacks do not require significant bandwidth.
+
+While it is trivial to get a single service to become unavailable in
+a matter of seconds, to make an entire system become defunct can take
+many minutes, and in some cases hours. As a general rule, the more
+services a system has, the faster it will succumb to the devastating
+(broken TCP, system lock, reboot, etc.) effects of the attacks.
+Alternatively, attack amplification can be achieved by attacking from
+a larger number of IP addresses. We typically attack from a /29
+through a /25 in our labs. Attacking from a /32 is typically less
+effective at causing the system wide faults.
+Exploitation caveats
+
+The attack requires a successful TCP 3 way handshake to effectively
+fill the victims connection tables. This limits the attack's
+effectiveness as an attacker cannot spoof the client IP address to
+avoid traceability.
+
+A sockstress style exploit also needs access to raw sockets on the
+attacking machine because the packets must be handled in userspace
+rather than with the OS's connect() API. Raw sockets are disabled
+on Windows XP SP2 and above, but device drivers are readily available
+to put this facility back into Windows. The exploit is able to be
+executed as-is on other platforms with raw sockets such as *nix and
+requires root (superuser) privileges.
+
+=-=-=-=-=-=
+
+Mitigation
+
+Since an attacker must be able to establish TCP sockets to affect the
+target, white-listing access to TCP services on critical systems and
+routers is the currently most effective means for mitigation.
+Using IPsec is also an effective mitigation.
+
+According to the Cisco Response the current mitigation advice is to
+only allow trusted sources to access TCP-based services.
+This mitigation is particularly important for critical infrastructure
+devices. Red Hat has stated that "Due to upstream's decision not to
+release updates, Red Hat do not plan to release updates to resolve
+these issues; however, the effects of these attacks can be reduced."
+On Linux using iptables with connection tracking and rate limiting
+can limit the impact of exploitation significantly.