W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > January to April 1997

Re: Hostile webserver attack!!!!

From: Harold A. Driscoll <harold@driscoll.chi.il.us>
Date: Sat, 28 Dec 1996 09:41:40 -0600
Message-Id: <3.0.32.19961228092554.007bac40@pop.interaccess.com>
To: Erez Levin <erezl@dingo.co.il>
Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
Regarding the "SYN flooding" episodes, here are abstracts from two security
advisories on the topic, the second one covering both "SYN flooding" and
"Ping of Death" episodes. I've snipped out most of the interesting details
(in the interest of message size), but have (of course) included the URLs
of the resource sites in question. Each of these resources (CERT and CIAC)
now have several bulletins on these topics which will likely be of
interest. I've just picked representative samples.

Two comments seem worth noting...
  * There are very serious ethical issues here... in the "SYN flooding"
case an "underground" magazine provided source code which would allow many
with only a limited understanding of the technology to do dastardly things.
Many people are outraged with the publication of the source code. But it
gets even worse with the "Ping of Death" issue... here we have a major
software vendor releasing binaries which exploit a vulnerability of many of
their competitors and others' products, including many key parts of the
Internet. Further, this capability is available to _any_ user of such
products, no need for either basic knowledge of using a compiler, much less
"root" or "administrator" access. Have our ethics sunk so low that such is
an acceptable (or even legal) way for a large corporation to enter the
Internet market...something painful to even think about. And no doubt more
appropriate forums than this to discuss in depth.
  * These are TCP/IP issues, not HTTP... to the extent that they impact
drastically on use of HTTP (and the question has been raised) I'm posting
this information, with the intent to provide resources to concerned folks,
and with the hope of helping close off the thread on this list.

Date: Thu, 19 Sep 1996 16:45:30 -0400
From: CERT Advisory <cert-advisory@cert.org>
To: cert-advisory@cert.org
Subject: CERT Advisory CA-96.21 - TCP SYN Flooding and IP Spoofing Attacks
Organization: CERT(sm) Coordination Center -  +1 412-268-7090

=============================================================================
CERT(sm) Advisory CA-96.21
Original issue date: September 19, 1996
Last revised: --
             
Topic: TCP SYN Flooding and IP Spoofing Attacks
-
-----------------------------------------------------------------------------
           *** This advisory supersedes CA-95:01. ***

Two "underground magazines" have recently published code to conduct
denial-of-service attacks by creating TCP "half-open" connections. This code
is actively being used to attack sites connected to the Internet. There is,
as yet, no complete solution for this problem, but there are steps that can be
taken to lessen its impact. Although discovering the origin of the attack is
difficult, it is possible to do; we have received reports of attack origins
being identified.

Any system connected to the Internet and providing TCP-based network services
(such as a Web server, FTP server, or mail server) is potentially subject to
this attack. The consequences of the attack may vary depending on the system;
however, the attack itself is fundamental to the TCP protocol used by all
systems.

If you are an Internet service provider, please pay particular attention to
Section III and Appendix A, which describes step we urge you to take to
lessen the effects of these attacks. If you are the customer of an Internet
service provider, please encourage your provider to take these steps.

This advisory provides a brief outline of the problem and a partial solution.
We will update this advisory as we receive new information. If the change in
information warrants, we may post an updated advisory on
comp.security.announce
and redistribute an update to our cert-advisory mailing list. As always, the
latest information is available at the URLs listed at the end of this
advisory.

- ---------------------  << very big sinp  >>
--------------------------------------------

Getting security information
   CERT publications and other security information are available from
        http://www.cert.org/
        ftp://info.cert.org/pub/


>Date: Tue, 10 Dec 1996 22:09:08 -0800 (PST)
>Originator: ciac-bulletin@cheetah.llnl.gov
>Sender: ciac-bulletin@cheetah.llnl.gov
>From: crawford@eek.llnl.gov (David Crawford)
>To: harold@driscoll.chi.il.us
>Subject: CIAC Bulletin H-12: IBM AIX(r) 'SYN Flood' and 'Ping o' Death'
Vulnerabilities 
>             __________________________________________________________
>
>                       The U.S. Department of Energy
>                    Computer Incident Advisory Capability
>                           ___  __ __    _     ___
>                          /       |     /_\   /
>                          \___  __|__  /   \  \___
>             __________________________________________________________
>
>                             INFORMATION BULLETIN
>
>           IBM AIX(r) 'SYN Flood' and 'Ping o' Death' Vulnerabilities
>
>December 10, 1996 19:00 GMT                                        Number
H-12
>___________________________________________________________________________
___
>PROBLEM:       Two vulnerabilities have been addressed: (1) The SYN Flood
>               Attack, and (2) The Ping o' Death Attacks
>PLATFORM:      IBM AIX 3.2.5, 4.1.x, 4.2.x
>DAMAGE:        The SYN Flood attack allows the bombarding of a system with
>               dozens of falsified connection requests a minute that can
>               seriously degrade its ability to give service to legitimate
>               connection requests. This is why the attack is said to "deny
>               service" to the system's users. Unlike the SYN flood attack,
>               the Ping o' Death problem is due to the implementation of
>               fragmented packet reassembly, and is thus relatively easy to
>               fix.
>SOLUTION:      Install the newly available patches indicated below.
>___________________________________________________________________________
___
>VULNERABILITY  Both vulnerabilities have been widely published on the
Internet
>ASSESSMENT:    and elsewhere.

- ---------------------  << very big sinp  >>
--------------------------------------------

>Previous CIAC notices, anti-virus software, and other information are
>available from the CIAC Computer Security Archive.
>
>   World Wide Web:      http://ciac.llnl.gov/
>   Anonymous FTP:       ciac.llnl.gov (128.115.19.53)
>   Modem access:        +1 (510) 423-4753 (28.8K baud)
>                        +1 (510) 423-3331 (28.8K baud)
>

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Harold A. Driscoll                       mailto:harold@driscoll.chi.il.us
#include <std/disclaimer>      http://homepage.interaccess.com/~driscoll/
Received on Friday, 3 January 1997 15:11:46 EST

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:32:25 EDT