Sockstress: A new and effective DoS attack
Sockstress:新而有效的DoS(拒绝服务)攻击
Author: Michael Kassner
作者:Michael Kassner
翻译:endurer,2008-10-15 第1版
Category: security, Infrastructure
类别:安全,基础设施
Tags: Denial Of Service, TCP, Attack, Fyodor, Target Port, Attacker, Tcp/Ip, Security, Networking, Michael Kassner
标签:拒绝服务,TCP,攻击,Fyodor, 目标端口,攻击者, Tcp/Ip,安全,网络,Michael Kassner
英文来源:http://blogs.techrepublic.com.com/networking/?p=679&tag=nl.e101
Denial of Service attacks aren’t new, yet they persist in being effective methods of denying access to resources on the Internet. Now meet Sockstress, the newest version of DoS attacks and potentially the most devastating of the bunch.
拒绝服务攻击并不新鲜,然而它们继续具有让互联网上的资源拒绝访问的有效方法。现在出现了Sockstress,拒绝服务攻击和和潜在的一批最具破坏性的最新版本。
《endurer注:1、persist in: 坚持(坚决)》
Security researchers Jack C. Louis and Robert E. Lee of Outpost 24 stumbled onto a relatively simple way to implement a Denial of Service (DoS) attack that does not require massive SYN floods. The researchers aren’t releasing many details about the attack, except for those provided in a very interesting interview with Brenno de Winter. Slashdot has an article “New Denial-of-Service Attack Is a Killer,” with links to the mp3 interview. The interview includes several minutes of Dutch in the beginning, and the file is quite large. For a slimmer version (converted from stereo and minus the Dutch) of the mp3 and several links that refer to Sockstress, please check out the Gibson Research Corporation link, near the bottom of the page.
Outpost的安全研究员Jack C. Louis 和 Robert E. Lee在9月24日无意中相对简单的方法来实施拒绝服务(DoS)攻击,并不需要大规模的同步洪水。研究员没有发布任何攻击细节,除了所提供的一个非常有趣的对Brenno de Winter的采访。Slashdot上有一篇文章“新拒绝服务攻击是杀手”,带有mp3采访的链接。
《endurer注:1、stumble into:同...相碰;无意中卷入;偶尔走入;犯》
Controversy as to exact DoS process
关于确切攻击过程的争议
There’s precious little to go on as to how the attack works. Fyodor (creator of Nmap and a hero of mine) was willing to offer his opinion of what the DoS process involved:
说到如何进行攻击工作,这方面的资料甚是稀罕。Fyodor(Nmap的作者,也是我心目中的英雄)愿意就拒绝服务攻击过程提供自己的的观点:
《endurer注:1、be willing to:愿意,乐意》
“The basic idea is to first firewall your source address(es) using a command such as iptables (on Linux) to prevent your own OS from interfering with your attack. Next you create hundreds or thousands of connections to the TCP port you are targeting (such as port 80 of a web server) as follows:
基本思路是首先用诸如iptables(在Linux系统中)之类的命令将源地址加入防火墙,防止自己的操作系统妨碍攻击。然后创建成百上千个连接到目标TCP端口(如web服务器的80端口),如下:
《endurer注:1、Iptables是一个管理内核包过滤的工具,可以加入、插入或删除核心包过滤表格中的规则。》
Attacker sends a TCP SYN packet to the target port from his own IP address (or one he controls) to request a connection.
攻击者从自己的的IP地址(或者他控制的)发送一个TCP SYN包到目标端口请求连接。
The target port is open, so it will respond with a SYN/ACK packet–the 2nd step of the TCP 3-way handshake. Remember that Attacker sent the SYN as a raw packet from userland rather than using his operating system’s connect() API to establish the connections. So when Attacker’s operating system’s TCP stack sees the unexpected SYN/ACK come back, it would normally destroy the nascent connection by sending a reset (RST) packet. This is why the special firewall rule was mentioned–to prevent such interference by Attacker’s OS. Instead Attacker’s DoS client handles all these packets by sniffing them from userland (generally using libpcap) and building/sending the raw reply packets.
目标端口是打开的,这样它会用一个SYN/ACK包来响应—TCP3次握手的第二步。记住,攻击者在以原始数据包发送SYN来建立连接时,是从用户空间区(userland),而不是使用操作系统的AP函数connect()。所以当攻击者的操作系统的栈看到意外的SYN/ACK返回,它通常会发送一个复位(RST)数据包来销毁这个新生的连接。这就是为什么特别提到防火墙规则—防止攻击者操作系统的这种干扰。通过从用户空间区(通常使用libpcap)监听数据包,并建立/发送原始答复数据包,来代替攻击者的拒绝服务客户端处理所有这些。
Using the initial sequence number and other information from the SYN/ACK, Attacker sends an acknowledgment packet (the final step of the 3-way handshake) to complete the connection.”
使用SYN/ACK中的初始序列号和其它信息,攻击者发送一个确认包(3次握手的最后一步)来完成连接。
Robert Lee’s reply
Robert Lee的回复
Robert Lee was quick to point out on his Blog site that Fyodor isn’t exactly correct:
Robert Lee在其博客网站上迅速指出Fyodor不是非常正确:
“In regards to Fyodor’s article: There are some really valid points made. While his article does describe some of how sockstress works and why it is efficient, it does not describe our attacks.
关于Fyodor的文章:里面确实有一些切实的要点。尽管他的文章描述了一些sockstress如何工作和为何有效的内容,但并不能说明我们的攻击。
《endurer注:1、In regards to:有关...》
Jack [Robert’s partner] would like to stress that turning off server side SYN-Cookie protection will not help and will only make you open to syn flood attacks again (as stated in Fyodor’s article).
Jack[Robert的搭档]想强调,关闭服务器端SYN-Cookie保护于事无补,并且只会使你再次开放syn洪水攻击(如Fyodor文章所述)。
Also, scenarios that lead to systems being resource starved to the point of requiring a reboot is very attack and target specific. It is not as universal as causing a specific service to become unavailable. We have made this clear in all public communications, but it is worth saying again.”
此外,导致系统资源耗尽至需要重新启动的地步的场面,这是非常袭击和具体目标。它不像造成一个特定服务变成不可用那样普遍。我们已经在所有公共通信中明确了这一点,但它值得一提。
Fyodor has some sage advice
Fyodor有一些明智的建议
When someone asked Fyodor if he knew whether his bug was the same one found by Louis and Lee, he answered:
当有人问Fyodor,他所知的bug是否与 Louis 和 Lee 相同时,他回答说:
“I don’t, since they have refused to release full details. But this sounds like the same fundamental bug. Robert and Jack are smart fellows, so, again, I’m sure that they’ve found ways to extend and improve the attack in certain situations.”
我不清楚,因为他们拒绝公布全部细节。但这听起来像是同样的基本错误。Robert和Jack是聪明的人,因此,再次,我相信他们已经找到在某些情况下如何扩大和改进的攻击。
Fyodor further explains:
Fyodor进一步解释:
“My main issue is not with the research, per se, but with trying to hype the weakness in press interviews and the like before they are willing to share details about the claimed weakness. I don’t believe that sharing the details would cause any problems on the Internet, as there are already many simple and effective denial of service attacks against TCP services (including those listed on this page). Many of the same techniques used to defend against all the other TCP DoS attacks will work against these newer ones.”
在他们愿意分享所声称的弱点的有关细节前,我的主要论点并非研究per se,而是在新闻采访和相似场合中试图炒作弱点。我不认为共享细节会在互联网上引发任何问题,因为已经有许多简单而有效攻击TCP服务的拒绝服务(包括列在此网页的那些) 。许多用来抵御所有其他的TCP DoS攻击的相同的技术将会用来抵御这些新的攻击。
《endurer注:1、be with:伴随(支持)》
Possible solutions
可能有效的解决方法
Since many of the details are still unknown, experts are advising to treat this as a typical DoS attack and block the responsible IP address. Sockstress apparently isn’t capable of IP spoofing, so blocking the IP address should work. Experts also mention that IDS/IPS software (like IPtables or Snort) should be able to detect the attack vector and prevent malicious TCP/IP connections.
因为一些细节仍然未知,专家们建议将这视为典型的拒绝服务攻击,并封锁涉及的IP地址。sockstress显然没有IP欺骗能力,因此拦截IP地址应该有效。专家们还提到,入侵检测/入侵防御软件(如IPtables或Snort的)应能够检测攻击,并防止恶意TCP/IP连接。
Final thoughts
结语
Between Kaminsky’s bug, the BGP vulnerability, and now DoS attacks aimed at TCP/IP stack flaws, it sure has been interesting lately. Adding to the excitement is the controversy about how Louis and Lee released their findings (prematurely according to some). In their defense, it’s my understanding that Louis and Lee have tried since 2005 and are presently working with the appropriate TCP/IP developers to find a solution.
在Kaminsky发现DNS的bug, BGP缺陷,和如今的瞄准TCP/IP栈溢出的拒绝服务攻击中,这已肯定在近期是有趣的。加之关于Louis 和 Lee如何公布他们发现的争议(或许早了些)是令人兴奋的 。在他们的防御方面,我的理解是,Louis 和 Lee自2005年以来就试图与适当的TCP/IP协议开发者合作,来找出解决办法。
《endurer注:1、2008年7月初,IOActive的Kaminsky 公布了 DNS 系统的一个非常严重的漏洞,该漏洞会导致攻击者轻松地伪造任何网站。
2、BGP(Border GatewayProtocol)是一种在自治系统之间动态交换路由信息的路由协议。日前,Juniper公司发布一个安全公告,提醒用户注意JUNOS上的一个bug。据报告,这个bug在处理边界网关协议(BGP)流量的过程中导致了问题出现。根据英国IT博客The Register透露,该bug导致畸形的数据包引起“接口翻动(Interface flapping),” 即网络设备接口在up和down状态间快速摇摆不定。》
Once again, it seems like there’s not much we can do; hopefully this will be another example where just knowing about the vulnerability will be helpful. Still we have to wait a few weeks before that can happen as Louis and Lee aren’t talking until T2′08, an international security conference in Helsinki, Finland. So until then.
再次,好象有没有什么我们可以做的;希望这将是另一例子,刚刚知道的缺陷将是有益的。不过我们必须等待几个星期,之前Louis 和 Lee可能不会讨论此事,直到T2'08 ,一个在芬兰首都赫尔辛基召开的国际安全会议。因此,等到那时罢。
——————————————————————————————————————-
Michael Kassner has been involved with communications for 40 plus years, starting with amateur radio (K0PBX) and now as a network field engineer for Orange Business Services and consultant with MKassner Net. Current certifications include Cisco ESTQ Field Engineer, CWNA, and CWSP.
从业余无线电( K0PBX )到和现在作为Orange商业服务的一个网络领域工程师和MKassner网顾问,Michael Kassner与通讯打了40多年的交道了。目前通过的认证包括思科ESTQ域工程师、CWNA和 CWSP。
《endurer注:1、Orange Business Service(OBS)的前身是Equan(易广电信)。2006年6月,OBS正式成为法国电信集团旗下企业服务的统一品牌。目前,OBS已经不完全是传统的基础网络运营商,在关注基础网络运营核心的基础上,开创了很多与IP、IT以及从传统电信行业衍生的相关服务。
2、ESTQ方法:一种面向检测的网络攻击分类方法
3、CWNA:Certified Wireless Network Administrator
4、CWSP:Certified Wireless Security Professional 》