Re: The "Mac DoS Attack," a Scheme for Blocking Internet Connections

1999-12-31 Thread Joel Jaeggli

On Thu, 30 Dec 1999, Paul Schinder wrote:

> On Wed, 29 Dec 1999 11:07:03 -0500, John Copeland wrote:
> >
> >* Then help get the word to owners of Macintoshes connected to cable
> >modems, ADSL modems, or LANs to install the patch that Apple has developed
> >(http://asu.info.apple.com/swupdates.nsf/artnum/n11559).
> >
> >
> The initial Apple patch for this problem fails for a variety of machines.
> See http://www.macintouch.com for some user reports. The patch disabled
> TCP/IP on my iBook when using a dial-up PPP connection, so I had to remove
> it. As of the last time I checked, afternoon Dec 29, a revised patch had
> not appeared.
>
> Has anyone checked Apple's non-MacOS machines?

It appears to be an issue only with Open Transport 2.5.2, which is only
present in OS 9 and OS 8.6 on select machines (G4s with OS 8.6, slot-loading
iMacs, etc.).

> I'm not worried much about
> the Newton I'm writing this on, since it only goes online occasionally on
> a dialup. But our Airport, which fronts for the iBook when it's at home,
> is on our house LAN connected to our cable modem. Do the Airports have the
> same problem? How about MacOS X server and Darwin?
>

AirPorts shouldn't; the iBook probably will, since it has OS 9, but it
should be behind the AirPort NAT.

>
> 
> Paul J. Schinder
> NASA Goddard Space Flight Center
> Code 693
> Greenbelt, MD 20770
> [EMAIL PROTECTED]
>

--
Joel Jaeggli   [EMAIL PROTECTED]
Academic User Services   [EMAIL PROTECTED]
 PGP Key Fingerprint: 1DE9 8FCA 51FB 4195 B42A 9C32 A30D 121E
--
It is clear that the arm of criticism cannot replace the criticism of
arms.  Karl Marx -- Introduction to the critique of Hegel's Philosophy of
the right, 1843.



Re: The "Mac DoS Attack," a Scheme for Blocking Internet Connections

1999-12-31 Thread der Mouse

> [...new(?) smurf-style DoS attack...]

> Prevention
> [...]
> The Internet Service Providers (ISPs) must take action to drop long
> ICMP packets in the backbone networks (any packet longer than 1499
> bytes, at least).

This strikes me as a very bad idea.  It's rather like saying, NFS can
be used to attack insecure machines, so let's block NFS packets on
long-haul links: yes, it's true that such attacks are possible, but the
facility is useful and the *correct* thing to do is to secure the
insecure machines, not break the (useful) underlying facility for
everyone else.  (Rather like the SSRR and LSRR IP options, though I
realize *that* fight was in practice lost long ago.)

der Mouse

   [EMAIL PROTECTED]
 7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B



Re: The "Mac DoS Attack," a Scheme for Blocking Internet Connections

1999-12-30 Thread Marc Farnum Rendino

At 9:46 AM -0500 on 99/12/30, Paul Schinder wrote:


>The initial Apple patch for this problem fails for a variety of machines...

Please note that the current info says that the problem exists only
in certain configurations and that the patch applies only to those
machines.

 From the Apple article on the subject:

>...This tuner is only recommended if you are connected to the
>Internet all the time and have a static IP address. If you obtain
>your IP address dynamically (from DHCP for example) or if you
>connect to an Internet Service Provider via a modem, your machine is
>not likely to be involved with DoS issues...
>
>OS Required
>Mac OS 9; Mac OS 8.6 for PowerMacintosh G4, iBook, and iMac
>(Slot-loading) computers.
>Note: This is only for Mac OS 8.6 if you have one of the three
>computers mentioned above. It is for all Mac OS 9 users...

Many of the reports of difficulties with "OT Tuner" seem to be coming
from folks for whom installation is not recommended.

- Marc
--
Seeking to challenge and be challenged in systems engineering and/or
software engineering. Systems of preference: Mac and Unix.
Resume: 



Re: The "Mac DoS Attack," a Scheme for Blocking Internet Connections

1999-12-30 Thread Paul Schinder

On Wed, 29 Dec 1999 11:07:03 -0500, John Copeland wrote:
>
>* Then help get the word to owners of Macintoshes connected to cable
>modems, ADSL modems, or LANs to install the patch that Apple has developed
>(http://asu.info.apple.com/swupdates.nsf/artnum/n11559).
>
>
The initial Apple patch for this problem fails for a variety of machines.
See http://www.macintouch.com for some user reports. The patch disabled
TCP/IP on my iBook when using a dial-up PPP connection, so I had to remove
it. As of the last time I checked, afternoon Dec 29, a revised patch had
not appeared.

Has anyone checked Apple's non-MacOS machines? I'm not worried much about
the Newton I'm writing this on, since it only goes online occasionally on
a dialup. But our Airport, which fronts for the iBook when it's at home,
is on our house LAN connected to our cable modem. Do the Airports have the
same problem? How about MacOS X server and Darwin?




Paul J. Schinder
NASA Goddard Space Flight Center
Code 693
Greenbelt, MD 20770
[EMAIL PROTECTED]



Re: The "Mac DoS Attack," a Scheme for Blocking Internet Connections

1999-12-30 Thread Alan Cox

> The Internet Service Providers (ISPs) must take action to drop long ICMP
> packets in the backbone networks (any packet longer than 1499 bytes, at
> least).

This will break existing "good behaviour" legal systems and potentially
disrupt the MTU discovery procedure. It isn't a feasible option without a lot
of additional checks on the packet type etc., at which point, with many routers,
the firewall rules involved turn into a performance-based DoS on the core
routers.


Alan



The "Mac DoS Attack," a Scheme for Blocking Internet Connections

1999-12-29 Thread John Copeland

SecurityFocus,

* I have discovered that Macintosh computers running OS9 can be used to
direct a stream of 1500-byte ICMP datagrams at a target on the Internet.

* These ICMP datagrams are triggered by 40-byte datagrams, so one
"controller" computer with a 1.3 Mbps Internet connection can focus the
output of 37 slaves (combined output 45 Mbps) and block a DS-3 link.

* Please read the story below and see more verification evidence on one of
the Web pages http://csc.gatech.edu/~copeland or
http://people.atl.mediaone.net/jacopeland.  Also see the advisories at 
http:[EMAIL PROTECTED] and http:[EMAIL PROTECTED].

* Then help get the word to owners of Macintoshes connected to cable modems,
ADSL modems, or LANs to install the patch that Apple has developed
(http://asu.info.apple.com/swupdates.nsf/artnum/n11559).

* If you are a known responsible researcher, I can give you the C-code used
to scan for OS9 Macintoshes, and the C-code to excite them into attack
mode.

John Copeland (please send email to 2 addresses, [EMAIL PROTECTED] and 
[EMAIL PROTECTED]).
Voice Mail: 404 894-5177
=========

The "Mac DoS Attack," a Scheme for Blocking Internet Connections

By John A. Copeland
Professor, Georgia Tech ECE
Atlanta, GA 30332-0490

More information: http://people.atl.mediaone.net/jacopeland

As part of my ongoing research on Internet data communications and
cable modem operations, I have been using a second computer to monitor
the data packets that travel between my cable modem and Macintosh
computer at my home.

Internet <---> CATV coax <---> Cable Modem <---> Mac Computer
                               or ADSL Modem  |
                                              V
                                       Monitor Computer

I noticed some strange packets that were causing an unexpected response
from my Macintosh.  These UDP packets were only 29 bytes (characters)
long, but they caused my Macintosh to send back a 1500 byte packet.
This returning packet was an Internet Control Message Protocol (ICMP)
packet, a type that sometimes has priority over the TCP and UDP packets
that carry data from computer to computer over the Internet.
Over the period Nov. 28 to Dec. 22 I saw these packets on five
occasions.  The first three came from Italy, Duke University, and the
Gulf via South Africa.  The latter two came from the same computer in
the Arab Emirates.  These packets were "crafted," which means the data
in them was not normal. The first three had source and destination port
numbers (UDP addresses) fixed at 31790 and 31789.  These numbers are
normally random between 1024 and 65,565.  The latter two had port
numbers of 60,000 and 2140.

I developed a concept of how these probe packets could be used
as part of a scheme to shut down organizations' connections to the Internet.
To prove this scheme is feasible, I successfully wrote and tested
programs to implement the scheme which is described below.

The purpose of this scheme, which I call a "Mac Attack," is to generate
a large amount of ICMP Internet traffic going to a specific target.
This scheme can be easily replicated to attack many different targets,
with little chance that the perpetrators will be caught.

Phase 1 - Scanning

A computer runs a program that sends UDP packets to every Internet
address in the range of addresses that are assigned to CATV cable
modems and to ADSL modems.  Addresses that have Macintosh computers
attached and turned on will respond with the 1500-byte ICMP packet.
These addresses are kept in a list for Phase 2.  I will call the
Macintosh computers at these addresses "slaves."

Phase 2 -  Attack

A computer at a location like Duke University is "root compromised."
This means the aggressor group has used one of the many well-known
techniques to gain the administrator password so they can load their own
programs, which may be scheduled to run at a later time (like Christmas
Eve or New Year's Eve).  The compromised computer is given a list of
addresses for 40 slaves, and the address of a specific target.  The log
files are erased so that no one will later be able to tell who
installed the attack program.

When the attack program starts running, it sends trigger packets in
rotation to the forty slaves on its list.  The source (return) Internet
address is forged to be that of the target.  The forty slaves then send
a 1500 byte ICMP packet to the target each time they receive a 40-byte
trigger packet.

If the attack computer sends 3000 40-byte trigger packets per second
(bit rate less than 1 Mbps), the slave will send 3000 1500-byte packets
to the target (bit rate 45 Mbps).

             |---> Slave -->|
Control      |---> Slave -->|
Computer --->|---> Slave -->|---> Target
             |---> Slave -->|
             |   * * *
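The two phases above leave three distinct traces in traffic records: a scanner sending tiny UDP probes with a fixed port pair to many addresses, reflectors that answer a small UDP probe with a ~1500-byte ICMP packet, and a target receiving large ICMP packets from several reflectors at once. The following detector is an added example written for this page; it is not code from John Copeland's post or from Apple. It assumes a NetFlow-like record layout (timestamp, src, dst, proto, sport, dport, length), and the sample records, thresholds and RFC 5737 addresses are all constructed for the example.

```python
"""Detect the scan / reflector / flood pattern described in the post.

Added example, not code from the original post. Record layout
(ts, src, dst, proto, sport, dport, length) is an assumption.
"""
from collections import defaultdict

# Constructed sample records (documentation addresses, RFC 5737).
SAMPLE = [
    # Phase 1: one host probes 40 cable-modem addresses with 29-byte UDP
    # datagrams using the fixed port pair 31790 -> 31789 seen in the post.
    *[(1.0 + i * 0.01, "198.51.100.7", f"203.0.113.{i}", "udp", 31790, 31789, 29)
      for i in range(1, 41)],
    # Three probed hosts answer with a 1500-byte ICMP packet (reflectors).
    (1.02, "203.0.113.1", "198.51.100.7", "icmp", 0, 0, 1500),
    (1.05, "203.0.113.4", "198.51.100.7", "icmp", 0, 0, 1500),
    (1.13, "203.0.113.12", "198.51.100.7", "icmp", 0, 0, 1500),
    # Phase 2: triggers carry a spoofed source (the target), so from the
    # target's side only the 1500-byte ICMP replies are visible.
    *[(10.0 + i * 0.001, f"203.0.113.{1 + i % 3}", "192.0.2.10", "icmp", 0, 0, 1500)
      for i in range(300)],
    # Benign traffic: a full-size TCP segment and a small ICMP echo.
    (5.0, "192.0.2.50", "203.0.113.9", "tcp", 51000, 80, 1500),
    (5.1, "192.0.2.50", "203.0.113.9", "icmp", 0, 0, 84),
]


def find_scanners(records, min_targets=20, max_len=64):
    """Sources sending small UDP datagrams with one fixed port pair to many hosts."""
    seen = defaultdict(set)
    for ts, src, dst, proto, sport, dport, length in records:
        if proto == "udp" and length <= max_len:
            seen[(src, sport, dport)].add(dst)
    return {key: len(dsts) for key, dsts in seen.items() if len(dsts) >= min_targets}


def find_reflectors(records, window=0.5, min_ratio=20.0):
    """Hosts that answer a small UDP probe with a much larger ICMP packet.

    Returns {reflector: amplification ratio}. Only ICMP that follows a UDP
    probe from the same peer within `window` seconds counts, so a plain
    ICMP echo or a large TCP segment does not trigger a match.
    """
    probes = defaultdict(list)  # (probe_dst, probe_src) -> [(ts, length)]
    for ts, src, dst, proto, sport, dport, length in records:
        if proto == "udp":
            probes[(dst, src)].append((ts, length))
    found = {}
    for ts, src, dst, proto, sport, dport, length in records:
        if proto != "icmp":
            continue
        for pts, plen in probes.get((src, dst), ()):
            if 0 <= ts - pts <= window and length / plen >= min_ratio:
                found[src] = round(length / plen, 1)
                break
    return found


def find_flood_targets(records, min_sources=3, min_len=1400, min_pkts=100):
    """Destinations receiving many large ICMP packets from several sources.

    Returns {target: {"sources", "pkts", "mbps"}} with the observed rate.
    """
    stats = defaultdict(lambda: {"sources": set(), "pkts": 0, "bytes": 0,
                                 "first": None, "last": None})
    for ts, src, dst, proto, sport, dport, length in records:
        if proto == "icmp" and length >= min_len:
            s = stats[dst]
            s["sources"].add(src)
            s["pkts"] += 1
            s["bytes"] += length
            s["first"] = ts if s["first"] is None else min(s["first"], ts)
            s["last"] = ts if s["last"] is None else max(s["last"], ts)
    out = {}
    for dst, s in stats.items():
        if len(s["sources"]) >= min_sources and s["pkts"] >= min_pkts:
            span = max(s["last"] - s["first"], 1e-3)  # avoid divide-by-zero
            out[dst] = {"sources": len(s["sources"]), "pkts": s["pkts"],
                        "mbps": round(s["bytes"] * 8 / span / 1e6, 1)}
    return out


if __name__ == "__main__":
    print("scanners:  ", find_scanners(SAMPLE))
    print("reflectors:", find_reflectors(SAMPLE))
    print("targets:   ", find_flood_targets(SAMPLE))
```

The reflector check is the one worth keeping on a cable or DSL segment: it fires on the 29-byte-in, 1500-byte-out exchange itself, regardless of where the probe came from, so it finds vulnerable hosts during the scanning phase rather than after they have been turned into slaves. The flood check only ever sees the reflections because the trigger packets carry the target's forged source address.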