Sockstress

Sockstress is a method of attacking servers and other devices that accept TCP connections on the Internet and other TCP-based networks. [1] This method depletes local resources in order to crash a service or an entire machine, essentially functioning as a denial-of-service attack.

Sockstress was developed as an internal proof-of-concept by the late Jack C. Louis at Outpost24. Louis discovered anomalies using Unicornscan to test and probe networks for corporate security, which led to the development of Sockstress. [2] The concept was first demonstrated in September 2008. [3] [4] [5] [6] The researchers had planned on releasing more details at the T2 conference in Finland where they demonstrated the attacks. [7] [8] They instead chose to continue to work closely with, and give more time to, the vendor and standards communities. In a blog entry, they said "We are not putting them [the vendors] under undue pressure to get poorly implemented rushed fixes out."

A proof-of-concept tool, Nkiller2, that demonstrated an attack similar to sockstress was released by Fotis Chantzis aka ithilgore on Phrack ezine. [9] Nkiller2 works completely statelessly, using packet-parsing techniques and virtual states, and exploits an inherent mechanism of TCP, the Persist Timer, thus being able to perform and infinitely prolong a generic DoS attack with a minimal amount of network traffic.

About Sockstress

Sockstress is a user-land TCP socket stress framework that can complete arbitrary numbers of open sockets without incurring the typical overhead of tracking state. Once the socket is established, it is capable of sending TCP attacks targeting specific types of kernel and system resources such as Counters, Timers, and Memory Pools. Some of the attacks described here are considered "well-known"; however, the full effects of these attacks are less known. Furthermore, there are more attacks yet to be discovered or documented. As researchers document ways of depleting specific resources, attack modules could be added to the tree of the sockstress framework.

The sockstress attack tool consists of two main parts:

1) Fantaip: Fantaip [10] is a program that spoofs IP addresses for use with sockstress. It achieves this by sending ARP replies to hosts that send an ARP request for the spoofed IP. To use fantaip, type 'fantaip -i interface CIDR', e.g., 'fantaip -i eth0 192.168.0.128/25'. This ARP/Layer 2 function could optionally be provided by other means, depending on the requirements of the local network topology. Since sockstress completes TCP sockets in user-land, it is not advisable to use sockstress with an IP address configured for use by the kernel, as the kernel would then RST the sockets. This is not strictly required, as a firewall rule that drops incoming packets with the RST flag achieves the same goal and prevents the kernel from interfering with the attack vector.

2) Sockstress: In its most basic use, sockstress simply opens TCP sockets and sends a specified TCP stress test. It can optionally send an application-specific TCP payload (such as an HTTP request). By default, post-attack, it ignores subsequent communications on the established socket. It can optionally ACK probes for active sockets. The attacks take advantage of the exposed resources the target makes available post-handshake.

The client-side cookies, heavily discussed in blogs, news, and discussion lists, are an implementation detail of sockstress and are not strictly necessary for carrying out these attacks.

The attack scenarios

Every attack in the sockstress framework has some impact on the system/service it is attacking. However, some attacks are more effective than others against a specific system/service combination.

Connection flood stress

Sockstress does not have a special attack module for performing a simple connection flood attack, but any of the attack modules can be used as such if the -c-1 (max connections unlimited) and -m-1 (max syn unlimited) options are used.

Example commands:

  1. fantaip -i eth0 192.168.1.128/25 -vvv
  2. sockstress -A -c-1 -d 192.168.1.100 -m-1 -Mz -p22,80 -r300 -s192.168.1.128/25 -vv

Zero window connection stress

Create a connection to a listening socket and, upon completing the 3-way handshake, advertise a zero window inside the final ACK:

       syn ->     (4k window)
                  <- syn+ack (32k window)
       ack ->     (0 window)

Now the server has to "probe" the client until the zero window opens up. This is the simplest of the attack types to understand. The result is similar to a connection flood, except that the sockets remain open potentially indefinitely (when -A/ACK is enabled). This is described in the CPNI document in section 2.2. A variation is to PSH a client payload (i.e. 'GET / HTTP/1.0') before setting the window to 0. This variation is similar to what is described in the CPNI document section 5.1.1. A further variation is to occasionally advertise a TCP window larger than 0, then go back to a 0 window.

Good against:

Example commands:

  1. fantaip -i eth0 192.168.1.128/25 -vvv
  2. sockstress -A -c-1 -d 192.168.1.100 -m-1 -Mz -p22,80 -r300 -s192.168.1.128/25 -vv

Small window stress

Create a connection to a listening socket and upon 3 way handshake (inside last ACK) set a window size of 4 bytes, then create an ACK/PSH packet with a TCP payload (into a window that is hopefully large enough to accept it) with a window still set to 4 bytes. This will potentially cause kernel memory to be consumed as it takes the response and splits it into tiny 4 byte chunks. This is unlike a connection flood in that memory is now consumed for every request made. This has reliably put Linux/Apache and Linux/sendmail systems into defunct states. It is also effective against other systems. It is expected that this has similar effects to what is described in the CPNI document in the second to last paragraph of page 17.

Look at the payload.c file in the sockstress source. Look for the hport switch statement. In that section you can specify payloads to be sent to specific ports. It is most effective to send a payload that will generate as large a response as possible (i.e. 'GET /largefile.zip').

Good against:

Example commands:

  1. fantaip -i eth0 192.168.1.128/25 -vvv
  2. sockstress -A -c-1 -d 192.168.1.100 -m-1 -Mw -p22,80 -r300 -s192.168.1.128/25 -vv

Segment hole stress

Create a connection to a listening socket and, upon completing the 3-way handshake (inside the last ACK), send 4 bytes to the beginning of the window advertised by the remote system. Then send 4 bytes to the end of the window. Then 0-window the connection. Depending on the stack, this could cause the remote system to allocate multiple pages of kernel memory per connection. This is unlike a connection flood in that memory is now consumed for every connection made. This attack was created to target Linux. It is also quite effective against Windows. This is the attack that was used in the sec-t and T2 demos. It is expected that this has similar effects to what is described in the CPNI document in section 5.2.2, 5th paragraph, and section 5.3.

Good against:

Example commands:

  1. fantaip -i eth0 192.168.1.128/25 -vvv
  2. sockstress -A -c-1 -d 192.168.1.100 -m-1 -Ms -p22,80 -r300 -s192.168.1.128/25 -vv

REQ FIN pause stress

Create a connection to a listening socket. PSH an application payload (i.e. 'GET / HTTP/1.0'). FIN the connection and 0-window it. This attack will have very different results depending on the stack/application you are targeting. Using this against a Cisco 1700 (IOS) web server, it was observed that sockets were left in FIN_WAIT_1 indefinitely. After enough such sockets, the router could no longer communicate over TCP correctly.

Look at the payload.c file in the sockstress source. Look for the hport switch statement. In that section, you can specify payloads to be sent to specific ports. You must send a payload that will look like a normal client to the application you are interacting with. Against a Cisco 1700, while using this attack it was important to attack at a very slow rate.

Example commands:

  1. fantaip -i eth0 192.168.1.128/25 -vvv
  2. sockstress -A -c-1 -d 192.168.1.100 -m-1 -MS -p80 -r10 -s192.168.1.128/25 -vv

Activate reno pressure stress

Create a connection to a listening socket. PSH an application payload (i.e. 'GET / HTTP/1.0'). Then send a triple duplicate ACK.

Look at the payload.c file in the sockstress source. Look for the hport switch statement. In that section, you can specify payloads to be sent to specific ports. You must send a payload that will look like a normal client to the application you are interacting with.

Good against:

Example commands:

  1. fantaip -i eth0 192.168.1.128/25 -vvv
  2. sockstress -A -c-1 -d 192.168.1.100 -m-1 -MR -p22,80 -r300 -s192.168.1.128/25 -vv

Other Ideas

Create a connection to a listening socket. PSH an application payload that will likely cause the application on the other side to close the socket (Target sends a FIN). ACK the FIN.

Good against:

Effects of the attacks

If the attacks are successful in initiating perpetually stalled connections, the connection table of the server can quickly be filled, effectively creating a denial of service condition for a specific service. In many cases, we have also seen the attacks consume significant amounts of event queues and system memory, which intensifies the effects of the attacks. The result of this has been systems that no longer have event timers for TCP communication, frozen systems, and system reboots. The attacks do not require significant bandwidth.

While it is trivial to get a single service to become unavailable in a matter of seconds, to make an entire system become defunct can take many minutes, and in some cases hours. As a general rule, the more services a system has, the faster it will succumb to the devastating (broken TCP, system lock, reboot, etc.) effects of the attacks. Alternatively, attack amplification can be achieved by attacking from a larger number of IP addresses. We typically attack from a /29 through a /25 in our labs. Attacking from a /32 is typically less effective at causing the system-wide faults.
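The stalled connections described above are visible on a Linux victim: a peer advertising a zero window keeps the kernel's persist (window-probe) timer running, and a REQ-FIN-pause victim sits in FIN-WAIT-1 with unacknowledged data. The following added example (not part of sockstress or the page) counts such sockets per peer prefix in `ss -tano` output, so that a /29-to-/25 source range stands out; it assumes the classic `ss` column layout, the `timer:(persist,...)` label, and an arbitrary alert threshold, and the sample output is constructed.

```python
"""Spot peer prefixes holding many stalled TCP connections in `ss -tano` output."""
import ipaddress
import re
from collections import defaultdict

TIMER_RE = re.compile(r"timer:\((\w+),([^,]+),(\d+)\)")   # timer:(name,expire,retrans)

def parse_ss_line(line):
    """Parse one `ss -tano` data line; return None for the header or blank lines."""
    fields = line.split()
    if len(fields) < 5 or fields[0] == "State":
        return None
    state, recvq, sendq, local, peer = fields[:5]
    match = TIMER_RE.search(line)
    timer = (match.group(1), match.group(2), int(match.group(3))) if match else None
    local_ip, _, local_port = local.rpartition(":")
    peer_ip, _, peer_port = peer.rpartition(":")
    return {"state": state, "recvq": int(recvq), "sendq": int(sendq),
            "local_ip": local_ip.strip("[]"), "local_port": local_port,
            "peer_ip": peer_ip.strip("[]"), "peer_port": peer_port, "timer": timer}

def is_stalled(sock):
    """True when the socket looks like a sockstress-style stalled connection."""
    if sock["timer"] is not None and sock["timer"][0] == "persist":
        return True                          # peer is advertising a zero window
    # REQ FIN pause: our FIN plus unsent data never drains because the peer stopped reading
    return sock["state"] == "FIN-WAIT-1" and sock["sendq"] > 0

def stalled_by_prefix(lines, prefix_len=25):
    """Count stalled sockets per peer network prefix (default /25, the page's largest range)."""
    counts = defaultdict(int)
    for line in lines:
        sock = parse_ss_line(line)
        if sock is None or not is_stalled(sock):
            continue
        try:
            net = ipaddress.ip_network(f"{sock['peer_ip']}/{prefix_len}", strict=False)
        except ValueError:
            continue                         # wildcard peers such as *:* on LISTEN sockets
        counts[str(net)] += 1
    return dict(counts)

def suspicious_prefixes(lines, threshold=3, prefix_len=25):
    """Prefixes with at least `threshold` stalled sockets (threshold is an assumed tuning knob)."""
    counts = stalled_by_prefix(lines, prefix_len)
    return sorted(p for p, n in counts.items() if n >= threshold)

# Constructed sample of `ss -tano` output on a web/ssh host under stress (not a real capture).
SAMPLE_SS_OUTPUT = """\
State       Recv-Q Send-Q Local Address:Port    Peer Address:Port     Process
LISTEN      0      128    0.0.0.0:80            0.0.0.0:*
ESTAB       0      0      192.168.1.100:80      10.0.0.5:51234        timer:(keepalive,2min,0)
ESTAB       0      4096   192.168.1.100:80      192.168.1.130:40001   timer:(persist,1min4sec,3)
ESTAB       0      4096   192.168.1.100:80      192.168.1.131:40002   timer:(persist,32sec,2)
ESTAB       0      4096   192.168.1.100:22      192.168.1.140:40003   timer:(persist,16sec,1)
FIN-WAIT-1  0      1460   192.168.1.100:80      192.168.1.150:40004   timer:(on,8sec,4)
ESTAB       0      0      192.168.1.100:22      172.16.0.9:55000
"""

if __name__ == "__main__":
    for prefix, n in stalled_by_prefix(SAMPLE_SS_OUTPUT.splitlines()).items():
        print(f"{prefix}: {n} stalled sockets")
    print("suspicious prefixes:", suspicious_prefixes(SAMPLE_SS_OUTPUT.splitlines()))
```

On a live host, feed `ss -tano` output into `suspicious_prefixes` from a cron job or monitoring agent; a prefix that trips the threshold is a candidate for the allow-listing described under Mitigation.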

Exploitation caveats

The attack requires a successful TCP 3 way handshake to effectively fill the victim's connection tables. This limits the attack's effectiveness as an attacker cannot spoof the client's IP address to avoid traceability.

A sockstress style exploit also needs access to raw sockets on the attacking machine because the packets must be handled in userspace rather than with the OS's connect() API. Raw sockets are disabled on Windows XP SP2 and above, but device drivers are readily available [11] to put this facility back into Windows. The exploit can be executed as-is on other platforms with raw sockets such as *nix and requires root (superuser) privileges.

Mitigation

Since an attacker must be able to establish TCP sockets to affect the target, white-listing access to TCP services on critical systems and routers is currently the most effective means of mitigation. Using IPsec is also an effective mitigation.

According to the Cisco Response [12], the current mitigation advice is to only allow trusted sources to access TCP-based services. This mitigation is particularly important for critical infrastructure devices. Red Hat has stated that "Due to upstream's decision not to release updates, Red Hat do not plan to release updates to resolve these issues; however, the effects of these attacks can be reduced." On Linux, using iptables with connection tracking and rate limiting can limit the impact of exploitation significantly. [13]

References

  1. Security Now! podcast explaining Sockstress
  2. Interview with Robert E. Lee and Jack C. Louis (First 8 minutes after English begins) Archived 2008-10-02 at the Wayback Machine
  3. "Robert E. Lee: Sec-T Sockstress Recap". Archived from the original on 2008-11-05.
  4. Carl Nordenfelt's blog post Archived 2008-10-05 at the Wayback Machine
  5. Amelia Nilsson's blog post
  6. Mikael (FireLynx) blog post Archived 2012-08-02 at archive.today
  7. http://www.t2.fi/
  8. http://radian.org/notebook/van-helsingfors
  9. Exploiting TCP and the Persist Timer Infiniteness
  10. Fantaip comes with Unicornscan Archived 2013-04-16 at archive.today
  11. "Raw TCP sockets and Npcap | PingPlotter".
  12. Cisco Response
  13. Does CVE-2008-4609 affect Red Hat Enterprise Linux?