Robert E. Lee Discusses TCP Denial of Service Vulnerability with SC Magazine
In the October 6th edition of the SC Magazine Podcast, Robert E. Lee of Outpost24 discusses the TCP Denial of Service vulnerability that was partially disclosed last week. I previously posted a transcript of an earlier podcast discussing the TCP Denial of Service vulnerability, and was asked to make a transcript of this more recent discussion available.
The full text of the SC Magazine interview follows.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Dan Kaplan: Hello everyone, and welcome to the SC Magazine podcast for the week of October 6th. I am your host Dan Kaplan, Senior Reporter at SC Magazine. And today we are pleased to be joined by Robert E. Lee, who is the Chief Security Officer of Outpost24, and that’s a security firm based in Sweden. And Robert and another researcher there have made a potentially very big vulnerability discovery that could affect any device that accepts TCP connections.
So, something potentially pretty devastating there, and Robert, we are pleased for you to join us. So, thanks for being with us.
Robert Lee: It’s my pleasure. I’m glad to be here today.
Dan Kaplan: For our listeners, you know, talk a bit about exactly what TCP is and how a vulnerability like this might affect, you know, them — the average user.
Robert Lee: Well, TCP is one of the many protocols that your computers that are on the internet are using to communicate with one another.
And what this vulnerability is really getting at is when you try to make a service available, let’s say that you’re trying to run a web server, you’re trying to run a mail server — something that you expect a lot of anonymous third-parties to try to connect to. What we’re seeing with this vulnerability is just the very act of making that service available, you could potentially have people that want to make that service unavailable tie up all the resources to make it so that the legitimate people that you would normally want to serve web pages or communicate email with can no longer talk to your service.
Dan Kaplan: And tell me what that can mean. That means that a device could potentially be taken down? Does it mean that something as big as a data center can come down?
Robert Lee: Well, OK, so there’s been quite a bit of overhype on this issue. In the most simple form, what we’re talking about is simply saying this service that you tried to make available to everyone on the internet is now no longer available to anyone.
There are some additional attack types that we’ve been working on that can more devastatingly affect the system. So, there are ways now that we’ve established through communication we can trick the kernel into getting into different timing states where it’s taking up kernel memory, and system memory in some cases, depending on the application that we’re actually interacting with, to the point where the entire system could need a reboot before it could start functioning again, before it actually can communicate on the network again. And, in some cases, we can actually get a device, depending on the actual operating system and the application that we’re interacting with, we can actually get a device to reboot itself.
So, it does range in severity, all the way from the most basic level of this service that you were trying to make available is no longer available, all the way up to a system that needs to be rebooted.
Dan Kaplan: Now, is this something, you know, theoretically if this vulnerability were to be exploited, is it something that is targeted meaning, you know, it would be one person trying to establish a TCP connection that, you know, can’t be closed - or is this something that could affect huge numbers of people all at the same time?
Robert Lee: I would guess that it would be more targeted. We don’t really know that for sure because we haven’t really tried to put on our attacker goggles for this issue yet. We’re still in a very scientific method trying to say, OK, we sent this very small stimulus and we’re measuring this response from the other side.
And so, that’s the extent of our research right now. We have not taken this into a large-scale, weaponized, exploit proof of concept form, but in our labs for every device that we set up, no matter what type of device it’s been so far, if it’s running a TCP service on the smallest scale, on the more, in a universal way, any service that’s available we can easily take offline.
Now, that in and of itself doesn’t seem like that big of a claim because as Fyodor and some other people have been posting online, that’s been true for a while in lots of different ways. In fact, there are even ways where with a bash script and a dummy kit you can if you know a computationally expensive page to ask for on the remote side, you could script that to where you’re constantly barraging it and hitting CPU limits on the other side if you know exactly what page you’re asking for. But those are all very simplistic ways of thinking about the attacks that Jack has actually discovered.
What we’re doing is very, very pinpointed for the stacks that we’re interacting with. So, I think to think about it in those terms. We’re not getting any new level of unavailable other than, you know, again, the service that you’re trying to interact with isn’t available and it stays unavailable until the system is rebooted. That’s the biggest difference between the more simple attacks and the advanced attacks that we’ve been talking about.
Dan Kaplan: Now, what you guys discovered, these advanced attacks, this was something that you almost stumbled across by accident.
Robert Lee: Well, sort of. Jack is the programmer that’s behind Unicornscan program, which is…
Dan Kaplan (interrupting): Jack — I don’t know if I mentioned — Jack Louis is a researcher at Outpost24 who worked with you on this?