Internet Security Systems - AlertCon(TM)

SockStress Vulnerabilities Patched

Posted by Tom Cross on September 09, 2009 at 5:55 PM EDT.

About a year ago there was a great deal of buzz in the security scene surrounding a denial of service tool called SockStress. The authors of the tool, Jack C. Louis and Robert E. Lee, had given a media interview in which they warned that the tool was capable of launching devastating attacks and promised to provide technical details to the public at an upcoming security conference. This combination of a dire warning coupled with a lack of detail sparked a great deal of controversy and speculation, particularly because the announcement was made shortly after Dan Kaminsky's DNS cache poisoning vulnerability was disclosed at Black Hat. Dan's vulnerability was patched about a month before he was scheduled to disclose it, and there was a great deal of speculation leading up to his talk, which culminated in an accidental leak of the technical details on the Internet.

The controversy surrounding SockStress was driven by uncertainty about how much risk the attack posed to the Internet, as well as uncertainty about the novelty of the research. The vague information that Louis and Lee had revealed about their tool seemed to point toward a resource exhaustion denial of service attack. Those kinds of attacks have been proposed in the past, and there is ongoing work in the IETF on making TCP stacks more resilient to them. In fact, an Internet draft from 2007 titled "TCP Robustness in Persist Condition" addresses a problem that seemed very similar to the attack that Louis and Lee were describing in the press.

In general, TCP resource exhaustion attacks are relatively easy to defend against. Consider the FIN/WAIT attack, which was popular 8 or 9 years ago and is still seen sometimes today. The attacker opens a large number of TCP sessions to the victim host, and then sends FIN messages on each of those sessions, starting the connection tear-down process. The victim will respond to the attacker's FIN with an ACK, and another FIN, and then it will wait around for the attacker to send a final ACK to its FIN. The attacker never does. Old TCP implementations would keep sessions around in this state for up to 10 minutes! It was easy for an attacker to get a large number of sessions stuck this way and cause the server to stop responding to new requests.

The attacker has to have fully interactive TCP sessions with the victim host in order to pull this off, so under most circumstances the attack cannot be spoofed. In order to mitigate the attack the victim need only identify the source addresses launching the attack and block traffic coming from those addresses. This is true for most kinds of TCP resource exhaustion vulnerabilities, so many security experts consider this to be a solved problem. 
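As an added illustration (this is not code from the original post), the identification step described above can be automated by parsing `ss -tan` style socket output and counting, per remote address, the sessions left in tear-down states. The sample output embedded below is constructed; in the scenario the post describes the server ends up in LAST-ACK, having sent its own FIN and waiting for the final ACK.

```python
"""Find peer addresses holding many half-torn-down TCP sessions.

Added illustration, not code from the original post. Parses `ss -tan`
style output and counts, per remote IP, sessions stuck in tear-down
states. The sample lines below are constructed, not a real capture.
"""
from collections import Counter

# States a host can be left in while waiting for the peer to finish the
# close handshake. LAST-ACK is where the post's scenario leaves the
# victim: it has sent its own FIN and is waiting for the final ACK.
TEARDOWN_STATES = {"FIN-WAIT-1", "FIN-WAIT-2", "CLOSING", "LAST-ACK"}

# Constructed sample in the layout `ss -tan` prints.
SAMPLE_SS_OUTPUT = """\
State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB      0      0      10.0.0.5:80          192.0.2.10:51000
LAST-ACK   0      1      10.0.0.5:80          198.51.100.7:41001
LAST-ACK   0      1      10.0.0.5:80          198.51.100.7:41002
LAST-ACK   0      1      10.0.0.5:80          198.51.100.7:41003
FIN-WAIT-2 0      0      10.0.0.5:80          198.51.100.7:41004
LAST-ACK   0      1      10.0.0.5:80          203.0.113.9:55000
TIME-WAIT  0      0      10.0.0.5:80          192.0.2.11:60000
"""

def peer_ip(endpoint: str) -> str:
    """Strip the port from 'ip:port' or '[v6addr]:port'."""
    host, _, _port = endpoint.rpartition(":")
    return host.strip("[]")

def count_teardown_by_peer(ss_output: str) -> Counter:
    """Count sessions in tear-down states, keyed by remote IP."""
    counts = Counter()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in TEARDOWN_STATES:
            continue  # header line, blank line, or a healthy state
        counts[peer_ip(fields[4])] += 1
    return counts

def suspicious_peers(ss_output: str, threshold: int = 3) -> list:
    """Return (ip, count) for peers at or above threshold, worst first."""
    counts = count_teardown_by_peer(ss_output)
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]

if __name__ == "__main__":
    for ip, n in suspicious_peers(SAMPLE_SS_OUTPUT):
        print(f"{ip}: {n} sessions stuck in tear-down; candidate for blocking")
```

On a real host you would feed it the live output of `ss -tan` and review the flagged addresses before adding firewall rules, since a busy legitimate client can also accumulate a few closing sessions.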

I think it's a bad idea to belittle the issue. We do see attacks like this launched against small websites, and they can be a hassle, particularly for operations that don't have a lot of security sophistication, or when the attacks are launched from a botnet. Identification and remediation of new kinds of resource exhaustion vulnerabilities is not a waste of effort, particularly in cases where attackers can tie up servers with a relatively small amount of bandwidth.

However, based on the claims that Louis and Lee were making in the press, it seemed like there might be something more to their research than this. The computer industry collectively reached out to them through CERT-FI, and they did the responsible thing, sharing their research results with the industry while curtailing the amount of technical detail they were sharing with the public. Sure enough, a number of popular TCP implementations experienced catastrophic failures when exposed to SockStress. These problems did not necessarily clear up when the attacks stopped, as you would expect them to in a pure resource exhaustion scenario. Louis and Lee had uncovered some new vulnerabilities.

The bottom line is that when you expose complex software systems to unusual conditions, sometimes you find unexpected bugs. This has always been a basic tenet of security vulnerability research. 

On Tuesday a number of vendors released updates in a coordinated fashion to fix the SockStress issues, as well as some other vulnerabilities that we're guessing were uncovered in the process of investigating SockStress. The Remote Code Execution issue that Microsoft patched is particularly important, as you can't firewall off TCP and still provide services to the Internet. We think it's unlikely that a code execution exploit will be released for it, but the risk of a blue screen is bad enough for people who run Internet services. It's a good thing that these vulnerabilities were discovered and patched without any in-the-wild exploitation.

These announcements represent a good example of responsible disclosure. Louis and Lee did the right thing by sharing their results privately with the computer industry and the industry was able to work together across competitive boundaries to investigate the issues and coordinate disclosure successfully. The announcements are also vindicating for Louis and Lee. Unfortunately, Louis passed away in March and never got to see these patches being delivered.
