fyodor on the recent tcp/ip dos attack scare

I had mentioned just yesterday new rumors of a “big deal” TCP/IP implementation weakness that could result in a low-cost DoS. Fyodor has posted a write-up on this situation including what he guesses is the “big deal” the authors are talking about.

Like Robert and Jack, I was stunned at how effective these techniques are at quickly taking down services. The basic attack starved web servers from servicing legitimate requests, and slightly more complex variants would sometimes take down the remote OS entirely.

I gutted this section since I actually misunderstood a couple of things including Fyodor’s attack description. If this sounds like a pretty typical DoS, you wouldn’t be mistaken. This is just about opening and completing TCP connections and then either keeping those sockets open until they time out, or requesting more interesting things like large files over and over. Basically, simple resource exhaustion.
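A detection-side illustration of the socket-holding exhaustion described above, added here and not taken from Fyodor’s write-up or the original post: it counts completed (ESTAB) connections per remote host in a constructed `ss -tn`-style connection table and flags hosts holding more than an assumed threshold, since connections that finish the handshake never show up in SYN-RECV counts.

```python
"""Flag remote hosts holding an unusual number of completed TCP connections.

Input is a constructed connection table in the style of `ss -tn` output
(assumption: that column layout). The threshold is an illustrative value."""
from collections import Counter

# Constructed sample, not captured from a real host. Columns:
# State Recv-Q Send-Q Local_Address:Port Peer_Address:Port
SAMPLE_SS = """\
State Recv-Q Send-Q Local_Address:Port Peer_Address:Port
ESTAB 0 0 10.0.0.5:80 203.0.113.7:40001
ESTAB 0 0 10.0.0.5:80 203.0.113.7:40002
ESTAB 0 0 10.0.0.5:80 203.0.113.7:40003
ESTAB 0 0 10.0.0.5:80 203.0.113.7:40004
ESTAB 0 0 10.0.0.5:80 198.51.100.2:51234
TIME-WAIT 0 0 10.0.0.5:80 198.51.100.9:44010
ESTAB 0 0 10.0.0.5:443 192.0.2.11:60001
"""


def parse_ss(text):
    """Yield (state, local_endpoint, peer_ip) for each data row."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] == "State":
            continue
        state, local, peer = parts[0], parts[3], parts[4]
        # rpartition keeps IPv6 forms like [::1]:80 intact
        peer_ip, _, _ = peer.rpartition(":")
        yield state, local, peer_ip


def established_per_peer(text):
    """Count fully established sockets per remote IP.

    The attack completes the handshake, so the load shows up as ESTAB
    entries rather than half-open SYN-RECV ones."""
    counts = Counter()
    for state, _, peer_ip in parse_ss(text):
        if state == "ESTAB":
            counts[peer_ip] += 1
    return counts


def flag_hogs(text, threshold=3):
    """Return peers holding more than `threshold` established sockets."""
    return sorted(ip for ip, n in established_per_peer(text).items() if n > threshold)


if __name__ == "__main__":
    print(flag_hogs(SAMPLE_SS))
```

In practice the threshold should be tuned against the server’s normal per-client connection count, and long-idle ESTAB sockets are the ones worth reaping first.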

Interestingly, the researchers supposedly found this problem by scanning a huge range of internet addresses. It could follow that they scanned sequential blocks that were being served by the same network device or server, thus simply starving it of resources.

Fyodor admits he doesn’t know for sure that this is the new attack that has broken across the media waves, but it certainly does make sense. Then again, perhaps the researchers have discovered some new variant or way to do this more elegantly, or to better ensure actually taking down the target fully.