Security Incidents mailing list archives
Re: Stick DOS
From: Cortez <coretez () 8THPORT COM>
Date: Thu, 8 Mar 2001 14:38:49 -0500
Stick will not be released anytime soon, with the exception of IDS vendors. Snort causes a problem because releasing the code to Snort is basically releasing the code openly. The posting I am responding to was the result of a FOUO that was sent out. I have had a talk with a friend of mine and agreed to release "stick" openly in a couple of months in order to allow vendors to make code modifications they see fit. This FOUO was caused by a pre-release before testing was completed. During testing it was discovered that ISS Real Secure v5.5 would turn itself off via error. I have sent the code to ISS (Chris Rollard) via a friend to ensure that it went to a knowledgeable group in ISS. I have on my own accord contacted other vendors, some of which are not affected by this technique. The attack is aimed at stateless IDS and not firewalls, though I have not tested it against firewalls.

The following is a posting that was made yesterday and posted this morning on IDS-Focus. The original posting I was responding to and the referred-to paper should give enough description on design and methodology. As pointed out in the IDS Focus group, there are a couple of tools that also generate packets, and I have not had time to compare their technique to my own.

---------- Posting from IDS-FOCUS -------------

Over the last couple of months I've been finishing up work on a tool called stick. I was planning to release a paper in the coming week and the tool in a month or two from now, when IDS vendors have had time to make modifications to handle it. The tool uses the Snort rule set and produces a C program via lex that, when compiled, will produce an IP packet capable of triggering that rule from a spoofed IP range (or all possible IP addresses) into a target IP range. A function is produced for each rule and a loop then executes these rules in a random order. The tool currently produces these at about 250 alarms per second. A Linux-based Snort will hit 100% CPU and start dropping packets. The stress on recording and disk I/O is another problem. ISS Real Secure dies two seconds after the attack begins. This was tested numerous times. Other IDS and even sniffers (especially with DNS lookups) had problems of their own. I will be trying to release the code to IDS vendors over the next couple of months in order for them to make changes they see fit. The tool was initially designed to test bandwidth and stress on IDS, but it obviously can be used in a malicious manner, and that is not my intent. A draft paper can be seen at http://www.eurocompton.net/stick/ ... please ignore the spelling and grammar changes. A more technical paper and analysis will hopefully be briefed at Blackhat if DT approves it.

Coretez G.
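The behaviour described in the post (hundreds of alarms per second, spoofed sources, rules fired in random order) has a recognisable footprint in the IDS's own alert log: a one-second window containing far more alerts than normal, from many distinct source addresses, across many distinct rule IDs. The script below is an added example, not code from the post or from the stick tool, showing how an analyst could flag such windows so the burst is handled as decoy noise rather than as hundreds of independent events. The alert line layout (a Snort-style "fast" alert) and the sample lines are constructed for the example, as are the thresholds; adjust both to the sensor's actual output and baseline rate.

```python
import re
from collections import defaultdict

# Constructed Snort-style "fast" alert layout assumed for this example:
# MM/DD-HH:MM:SS.usec [**] [gid:sid:rev] message [**] [Priority: n] {PROTO} src:port -> dst:port
ALERT_RE = re.compile(
    r'^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+ \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):\d+\] '
    r'(?P<msg>.*?) \[\*\*\] .*?\{(?P<proto>\w+)\} '
    r'(?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?$'
)


def parse_alert(line):
    """Return the fields of one alert line as a dict, or None if it does not parse."""
    m = ALERT_RE.match(line)
    return m.groupdict() if m else None


def summarize_windows(lines):
    """Group alerts into one-second windows (keyed by timestamp without the usec part)
    and record the alert count plus the distinct sources and rule SIDs seen."""
    windows = defaultdict(lambda: {"count": 0, "src": set(), "sid": set()})
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue
        w = windows[a["ts"]]
        w["count"] += 1
        w["src"].add(a["src"])
        w["sid"].add(a["sid"])
    return windows


def flood_windows(lines, rate_threshold=50, min_distinct_src=20):
    """Flag windows whose alert rate and source diversity both exceed the thresholds.
    Returns (timestamp, alert_count, distinct_sources, distinct_sids) per flagged window.
    Thresholds are assumptions for the example; tune them against the sensor's baseline."""
    flagged = []
    for ts, w in sorted(summarize_windows(lines).items()):
        if w["count"] >= rate_threshold and len(w["src"]) >= min_distinct_src:
            flagged.append((ts, w["count"], len(w["src"]), len(w["sid"])))
    return flagged


def build_sample():
    """Constructed sample log: a one-second burst of 200 alerts from 200 distinct
    (spoofed) sources across 40 rule SIDs, then a quiet second with three ordinary alerts."""
    lines = []
    for i in range(200):
        lines.append(
            f"03/08-14:38:49.{i:06d} [**] [1:{1000 + i % 40}:1] CONSTRUCTED RULE {i % 40} [**] "
            f"[Priority: 2] {{TCP}} 10.0.{i // 256}.{i % 256}:{40000 + i} -> 192.168.1.5:80"
        )
    for i in range(3):
        lines.append(
            f"03/08-14:38:50.{i:06d} [**] [1:2000:1] CONSTRUCTED WEB RULE [**] "
            f"[Priority: 2] {{TCP}} 172.16.0.9:{50000 + i} -> 192.168.1.5:80"
        )
    return lines


if __name__ == "__main__":
    for ts, count, n_src, n_sid in flood_windows(build_sample()):
        print(f"{ts}: {count} alerts from {n_src} sources across {n_sid} rules - probable decoy flood")
```

Requiring both a high rate and high source diversity is what separates a flood from a single noisy host: one scanner tripping fifty rules a second comes from one address, whereas the spoofed-range behaviour in the post lights up many addresses at once. The distinct-SID count is reported as a third indicator, since random rule ordering produces an unusually flat spread of rule IDs inside the burst.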
Current thread:
- Stick DOS Curley Mr Eric P (Mar 08)
- Re: Stick DOS Jose Nazario (Mar 08)
- <Possible follow-ups>
- Re: Stick DOS Cortez (Mar 09)
- Re: Stick DOS David Brumley (Mar 09)