2008/10/2 Peter J. Philipp <[EMAIL PROTECTED]>:
>
> I listened to the podcast and got the idea that the socket is in ESTABLISHED
> state (so after the 3-way handshake) and they mention that a packet's PCB
> resources have timers, and that is what they exploit. Perhaps you establish
> the session and send an HTTP request (pretend it's HTTP) and never ACK the
> answer that gets repeated based on the internal timers. It seemed to me they
> say that some stop repeating their content and just die.
>
> -p
>
I have just listened to the interview as well. They said that they have looked at the source tree of Linux, at its timer code in the TCP stack. The Linux source code indeed has a comment saying there are states that are bad and that the Linux kernel tries to avoid. So the sockstress program was written to work the other way around, to try to get into that bad state as much as possible, and it managed to bring down Linux systems. They then ran the same attack against a Windows machine, and it had the same effect as well, so it really seems like a problem in the TCP protocol. In the article it is said that BSD is vulnerable as well; they didn't mention if it was Free, Net or Open... So I guess the question is whether OpenBSD has such a state in its TCP stack. Maybe a code auditing session (whenever it is done next, the next Hackathon?) can look at something like that in the OpenBSD kernel... or maybe the devs already saw this kind of problem and have hardened the TCP stack for OpenBSD?

-- 
This e-mail may be confidential. You may not copy, forward or use any part. All disclaimers on the Internet are of zero legal effectiveness. http://www.goldmark.org/jeff/stupid-disclaimers/
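The symptom both messages describe, on the server side, is a pile of ESTABLISHED connections whose responses never get acknowledged, so the data sits in the socket's send queue while retransmit timers keep firing. One cheap way for an operator to notice this from the outside of the kernel is to group `netstat -tan` output by remote host and count ESTABLISHED connections with a non-zero Send-Q. The script below is an added example for this thread, not code from the OpenBSD project or from the people discussed; it assumes the common Linux/BSD netstat column layout (Proto, Recv-Q, Send-Q, Local Address, Foreign Address, State), and the sample lines and addresses are constructed.

```python
"""Flag remote hosts holding many ESTABLISHED connections whose responses
sit un-ACKed in the send queue, as seen in netstat-style output.

Added example for this thread, not OpenBSD project code. It assumes the
Linux/BSD `netstat -tan` column layout (Proto Recv-Q Send-Q Local Address
Foreign Address State); the sample lines and addresses are constructed.
"""
from collections import defaultdict

# Constructed sample: one host (198.51.100.7) holds several ESTABLISHED
# connections with data stuck in Send-Q; the other connections look normal.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0   1460 192.0.2.10:80           198.51.100.7:40001      ESTABLISHED
tcp        0   1460 192.0.2.10:80           198.51.100.7:40002      ESTABLISHED
tcp        0   2920 192.0.2.10:80           198.51.100.7:40003      ESTABLISHED
tcp        0   1460 192.0.2.10:80           198.51.100.7:40004      ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.5:51000       ESTABLISHED
tcp        0    512 192.0.2.10:80           203.0.113.9:51001       ESTABLISHED
tcp        0      0 192.0.2.10:22           203.0.113.5:51002       TIME_WAIT
"""


def parse_netstat(text):
    """Yield (send_q, remote_host, state) for each tcp/tcp6 connection line.

    Header lines and anything without six columns are skipped.
    """
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        _proto, _recv_q, send_q, _local, foreign, state = fields[:6]
        # Split off the port at the last colon; works for IPv4 and for the
        # colon-heavy IPv6 text netstat prints.
        host, _, _port = foreign.rpartition(":")
        yield int(send_q), host, state


def stalled_senders(text, min_conns=3):
    """Return {remote_host: count} for hosts with at least `min_conns`
    ESTABLISHED connections that still carry unacknowledged data (Send-Q > 0).

    A single busy client can legitimately show a few such connections in one
    snapshot, so the threshold and repeated sampling matter more than any
    one reading.
    """
    counts = defaultdict(int)
    for send_q, host, state in parse_netstat(text):
        if state == "ESTABLISHED" and send_q > 0:
            counts[host] += 1
    return {host: n for host, n in counts.items() if n >= min_conns}


if __name__ == "__main__":
    for host, n in stalled_senders(SAMPLE_NETSTAT).items():
        print(f"{host}: {n} ESTABLISHED connections with un-ACKed data")
```

Run it against live output with `netstat -tan | python3 script.py` after swapping `SAMPLE_NETSTAT` for `sys.stdin.read()`, and take several snapshots a minute apart: a host that stays at the top of the list while its Send-Q never drains is the pattern the thread is talking about, whereas a normal client's queue empties between samples.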

