Nmap Development mailing list archives

Re: TCP Resource Exhaustion Attacks


From: Brandon Enright <bmenrigh () ucsd edu>
Date: Thu, 2 Oct 2008 21:10:21 +0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 2 Oct 2008 13:55:05 -0700
doug () hcsw org wrote:

> Hi all,
>
> I initially discounted this as a hoax because of the following
> news article:
>

Same here.  I'm with you that there is likely more here than just a
socket resource exhaustion attack.

Robert responded to Fyodor's post here:

http://blog.robertlee.name/2008/10/conjecture-speculation.html

Among other things, he writes:

"In regards to Fyodor's article:
There are some really valid points made; While his article does
describe some of how sockstress works and why it is efficient, it does
not describe our attacks."

We all know about socket pool exhaustion and Fyodor is clearly an
expert on the subject.  Robert isn't stupid enough to re-brand that
attack and hype it up as something new.  He still has something of a
reputation to keep up.

Now, I'm not holding my breath that this attack is some new way to 0wn
the !nt3rweb$ but I think that there has to be some clever aspect to it
that improves upon what everyone has known for years.

I think the only reason why a Nmap user or Nmap dev should care is that
if vendors start modifying their TCP/IP stacks to either patch a real
bug, or look like they patched a bug, a lot of OS fingerprints are
likely to need to be added.

Brandon

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)

iEYEARECAAYFAkjlOMMACgkQqaGPzAsl94IACQCffPYRfqfOA9CjLZoixF8DQnjN
k/sAoIXeiB+G9JlSL9ce6KZ4dBxddDBQ
=Zn71
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
