[nsp-sec] Potential TCP / IP vulnerabilities announced mid October - Outpost24 interview
Chris Morrow
morrowc at ops-netman.net
Wed Oct 1 12:06:11 EDT 2008
On Wed, 1 Oct 2008, Florian Weimer wrote:
>> We would like to hear more on these types of mitigations for
>> existing attacks.
>
> And we would like to hear more about their work (particularly speaking
> with my spare-time vendor hat).

so far the podcast seems like they say:

  40pps to initiate (depending on the platform)
  10pps to keep a service down
  'no way to see this in normal admin tools' (though they don't talk about
  things like 'netstat -an' ... they mention top/memory-utilization)

The podcast seems to talk about naptha, I agree... I suspect it's a flavor
of Naptha (as others have said). The interviewer seems to keep coming back
to 'syncookies' quite a bit, though the interviewees are pretty clear
that this is something that happens POST 3-way handshake.

One can imagine something like: "connect, send a data packet then either
not ack packets so force retrans + hold open state on the server side"

Since they explicitly say that the client side holds no state in their
scanner, Naptha/naptha-like attacks seem quite probable.

There's a bunch of FUD in this though :( "worst incident we created was a
box that rebooted from the attack and came up with a 'cant find OS' error"
Obviously the example box had many other issues before the attack...(or
it seems obvious to me that's the case here)

and their "tcp/ip is broken beyond repair..." :( ...FUD... :(

I agree with Florian here, we need more data, this is all guesswork based
on a horrid interview and article/blog-note.

-Chris
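
Added example, not part of the original message: a defender-side check for the condition guessed at above (server holding post-handshake state while the peer withholds ACKs), run over `netstat -an` output. It assumes the Linux net-tools column layout, where Send-Q is bytes the peer has not acknowledged; the function names, the threshold and the sample rows are constructed for illustration.

```python
from collections import Counter

# Constructed sample of Linux `netstat -an` output; addresses are documentation ranges.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0   1448 192.0.2.10:80           198.51.100.7:40112      ESTABLISHED
tcp        0   1448 192.0.2.10:80           198.51.100.7:40113      ESTABLISHED
tcp        0   2896 192.0.2.10:80           198.51.100.7:40114      ESTABLISHED
tcp        0      1 192.0.2.10:80           198.51.100.7:40115      FIN_WAIT1
tcp        0      0 192.0.2.10:80           203.0.113.5:51000       ESTABLISHED
tcp        0    512 192.0.2.10:80           203.0.113.9:51001       ESTABLISHED
tcp6       0      0 2001:db8::10:443        2001:db8::1:52000       ESTABLISHED
udp        0      0 0.0.0.0:53              0.0.0.0:*
"""

# States in which the local stack is waiting for the peer to ACK something.
WAITING_ON_PEER = {"ESTABLISHED", "FIN_WAIT1", "CLOSING", "LAST_ACK"}


def parse_tcp(netstat_text):
    """Yield (remote_host, send_q, state) per TCP row; skip headers, UDP, LISTEN."""
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) != 6 or not f[0].startswith("tcp") or f[5] == "LISTEN":
            continue
        host = f[4].rsplit(":", 1)[0]  # strip the port; works for IPv6 text too
        yield host, int(f[2]), f[5]


def stalled_by_peer(netstat_text, min_conns=3):
    """Return {remote_host: count} for peers with >= min_conns sockets whose
    Send-Q is non-zero, i.e. sent data the peer has not acknowledged."""
    counts = Counter(
        host for host, send_q, state in parse_tcp(netstat_text)
        if send_q > 0 and state in WAITING_ON_PEER
    )
    return {host: n for host, n in counts.items() if n >= min_conns}


if __name__ == "__main__":
    for host, n in stalled_by_peer(SAMPLE).items():
        print(f"{host}: {n} connections with unacknowledged data")
```

A single snapshot cannot separate a slow client from a deliberately held connection; compare successive runs and look for the same sockets staying stalled.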