Bugtraq mailing list archives

The "Mac DoS Attack," a Scheme for Blocking Internet Connections


From: jacopeland () ATL MEDIAONE NET (John Copeland)
Date: Wed, 29 Dec 1999 11:07:03 -0500


SecurityFocus,

* I have discovered that Macintosh computers running OS9 can be used to
direct a stream of 1500-byte ICMP datagrams at a target on the Internet.

* These ICMP datagrams are triggered by 40-byte datagrams, so one
"controller" computer with a 1.3 Mbps Internet connection can focus the
output of 37 slaves (combined output 45 Mbps) and block a DS-3 link.

* Please read the story below and see more verification evidence on one of
the Web pages http://csc.gatech.edu/~copeland or
http://people.atl.mediaone.net/jacopeland.  Also see the advisories at
sans () sans org and cert () cert org.

* Then help get the word to owners of Macintoshes connected to cable modems,
ADSL modems, or LANs to install the patch that Apple has developed
(http://asu.info.apple.com/swupdates.nsf/artnum/n11559).

* If you are a known responsible researcher, I can give you the C-code used
to scan for OS9 Macintoshes, and the C-code to excite them into attack
mode.

John Copeland (please send email to 2 addresses, jacopeland () mediaone net and jac () csc gatech edu).
Voice Mail: 404 894-5177
=============

The "Mac DoS Attack," a Scheme for Blocking Internet Connections

By John A. Copeland
Professor, Georgia Tech ECE
Atlanta, GA 30332-0490

More information: http://people.atl.mediaone.net/jacopeland

As part of my ongoing research on Internet data communications and
cable modem operations, I have been using a second computer to monitor
the data packets that travel between my cable modem and Macintosh
computer at my home.

Internet <---> CATV coax <---> Cable Modem <---> Mac Computer
                              or ADSL Modem  |
                                             V
                                      Monitor Computer

I noticed some strange packets that were causing an unexpected response
from my Macintosh.  These UDP packets were only 29 bytes (characters)
long, but they caused my Macintosh to send back a 1500 byte packet.
This returning packet was an Internet Control Message Protocol (ICMP)
packet, a type that sometimes has priority over the TCP and UDP packets
that carry data from computer to computer over the Internet.
Over the period Nov. 28 to Dec. 22 I saw these packets on five
occasions.  The first three came from Italy, Duke University, and the
Gulf via South Africa.  The latter two came from the same computer in
the Arab Emirates.  These packets were "crafted," which means the data
in them was not normal. The first three had source and destination port
numbers (UDP addresses) fixed at 31790 and 31789.  These numbers are
normally random between 1024 and 65,565.  The latter two had port
numbers of 60,000 and 2140.

I developed a concept of how these probe packets could be used
as part of a scheme to shut down organizations' connections to the Internet.
To prove this scheme is feasible, I successfully wrote and tested
programs to implement the scheme, which is described below.

The purpose of this scheme, which I call a "Mac Attack," is to generate
a large amount of ICMP Internet traffic going to a specific target.
This scheme can be easily replicated to attack many different targets,
with little chance that the perpetrators will be caught.

Phase 1 - Scanning

A computer runs a program that sends UDP packets to every Internet
address in the range of addresses that are assigned to CATV cable
modems and to ADSL modems.  Addresses that have Macintosh computers
attached and turned on will respond with the 1500-byte ICMP packet.
These addresses are kept in a list for Phase 2.  I will call the
Macintosh computers at these addresses "slaves."

Phase 2 -  Attack

A computer at a location like Duke University is "root compromised."
This means the aggressor group has used one of the many well-known
techniques to gain the administrator password so they can load their own
programs, which may be scheduled to run at a later time (like Christmas
Eve or New Year's Eve).  The compromised computer is given a list of
addresses for 40 slaves, and the address of a specific target.  The log
files are erased so that no one will later be able to tell who
installed the attack program.

When the attack program starts running, it sends trigger packets in
rotation to the forty slaves on its list.  The source (return) Internet
address is forged to be that of the target.  The forty slaves then send
a 1500 byte ICMP packet to the target each time they receive a 40-byte
trigger packet.

If the attack computer sends 3000 40-byte trigger packets per second
(bit rate less than 1 Mbps), the slaves will send 3000 1500-byte packets
to the target (bit rate 45 Mbps).

                 |-----------> Slave ---------->|
Control          |-----------> Slave ---------->|
Computer ------->|-----------> Slave ---------->|-------> Target
                 |-----------> Slave ---------->|
                 |               * * *          | 4000 1500-byte
4000 40-B pkt/s  100 40-B pkt/s   100 1500-B pkt/s  ICMP pkts/s
                 to each slave    from each slave    48 Mbps

   This figure shows the process of "byte amplification."
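As an added illustration (not code from the original post), the following Python shows how the monitor computer in the diagram could flag the request/response size mismatch described above, and carries the figure's byte-amplification arithmetic as a function. The addresses, timestamps and the whole capture are constructed; the post does not say which ICMP type the amplified reply carries, so the detector keys only on protocol and length.

```python
# Added example (not from the original post): a detector for the
# request/response size mismatch the author saw from his monitor computer,
# plus the byte-amplification arithmetic from the figure. All addresses,
# timestamps and packets below are constructed.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float        # capture time in seconds
    src: str
    dst: str
    proto: str       # "UDP", "ICMP" or "TCP"
    length: int      # IP total length in bytes
    sport: int = 0   # UDP/TCP ports, 0 when not applicable
    dport: int = 0


HOME = "10.0.0.5"    # constructed address of the monitored Macintosh

# Constructed capture: two small UDP datagrams each answered by a 1500-byte
# ICMP datagram, plus ordinary traffic that must not be flagged.
CAPTURE = [
    Packet(0.000, "192.0.2.10", HOME, "UDP", 29, 31790, 31789),   # fixed-port probe, ports from the post
    Packet(0.001, HOME, "192.0.2.10", "ICMP", 1500),
    Packet(1.000, "198.51.100.7", HOME, "TCP", 60, 40000, 80),     # normal web request
    Packet(1.010, HOME, "198.51.100.7", "TCP", 1500, 80, 40000),
    Packet(2.000, "203.0.113.9", HOME, "UDP", 40, 60000, 2140),    # 40-byte trigger, ports from the post
    Packet(2.001, HOME, "203.0.113.9", "ICMP", 1500),
    Packet(3.000, "198.51.100.20", HOME, "UDP", 512, 53, 1234),    # ordinary DNS reply
    Packet(3.002, HOME, "198.51.100.20", "ICMP", 56),              # small ICMP, not amplification
]


def find_amplified_replies(packets, home, window=0.01, min_ratio=10.0):
    """Pair each inbound UDP datagram with the first outbound ICMP datagram sent
    back to the same peer within `window` seconds, and report the pairs whose
    reply/probe size ratio is at least `min_ratio`. Returns (probe, reply, ratio)."""
    hits = []
    pending = defaultdict(list)   # peer address -> inbound UDP probes not yet matched
    for p in sorted(packets, key=lambda x: x.ts):
        if p.dst == home and p.proto == "UDP":
            pending[p.src].append(p)
        elif p.src == home and p.proto == "ICMP":
            for probe in pending[p.dst]:
                if p.ts - probe.ts <= window:
                    ratio = p.length / probe.length
                    if ratio >= min_ratio:
                        hits.append((probe, p, ratio))
                    pending[p.dst].remove(probe)
                    break
    return hits


def estimate_flood_bps(triggers_per_sec, trigger_bytes=40, reply_bytes=1500):
    """Bit rates on both sides of the amplification:
    (controller output, aggregate slave output), in bits per second."""
    return (triggers_per_sec * trigger_bytes * 8, triggers_per_sec * reply_bytes * 8)


if __name__ == "__main__":
    for probe, reply, ratio in find_amplified_replies(CAPTURE, HOME):
        print(f"{probe.src}:{probe.sport}->{probe.dport} sent {probe.length} B UDP, "
              f"got {reply.length} B ICMP back (x{ratio:.1f})")
    in_bps, out_bps = estimate_flood_bps(4000)   # the figure's 4000 triggers/s
    print(f"4000 triggers/s: {in_bps / 1e6:.2f} Mbps in, {out_bps / 1e6:.1f} Mbps of ICMP out")
```

Run on a real capture, the same pairing logic would let the owner of a cable-modem Macintosh see that a few dozen bytes arriving are producing 1500 bytes leaving, which is the signature worth alerting on rather than the port numbers, since those changed between the probes the author saw.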

The target organization, or organizations, is cut off from the Internet
because its connection, a 1.5 Mbps (million bit per second) T-1 or a
45 Mbps DS-3 digital line, is swamped with ICMP packets from forty
different sources.  (Note that 30 different T-1 connections could be
swamped by varying the return addresses in the trigger packets.)

Recovery

The FBI would have to approach the CATV company to get the owner's
names and addresses at the forty computers sending ICMP packets to the
target.  Once a slave is located, the trigger packets are examined, but
appear from the Internet source address to be coming from the target.
Tracing spoofed packets (those with a forged source address) back
through the Internet is practically impossible.  To stop the attack,
most of the slaves would have to be shut down.  Their owners would not
be aware that their Macintoshes were being used to participate in
the attack.

After a long delay, the attack computer might be located.  There would
be no record of who installed the attack program, which may even have
detected that its target was operating again and erased itself.

Is this scenario likely?

I can think of no other purpose for the five probing UDP packets I have
detected, four of which came from outside the U.S.  I have written
programs that scan for Macintoshes, and have used just three such
Macintoshes to flood an Internet address with over 1 Mbps of ICMP
packets as described above.

This article omits an essential detail about the trigger packets so it
is not a recipe someone could use for implementation.  Apple Computer
became aware on Dec. 22 of the "unintended feature" in the Macintosh
Internet protocol software that is used, and is working to develop a
patch for Macintosh users.

Prevention

People who own Macintosh computers connected to high-speed Internet
connections, such as a cable modem, an ADSL modem, or a corporate LAN,
should turn off those computers, or disconnect them from the network
when they are not actively using the network connection.  They should
install the OpenTransport software patch available from Apple at
http://asu.info.apple.com/swupdates.nsf/artnum/n11559.

Many organizations now discard incoming ICMP Echo-Request packets at
their Internet Firewall (to keep hackers from scanning their network).
This will not stop the UDP scanning packets described above, and will
not protect them if the incoming ICMP packets jam their connection.

The Internet Service Providers (ISPs) must take action to drop long ICMP
packets in the backbone networks (any packet longer than 1499 bytes, at
least).
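The two prevention points above (an Echo-Request filter at the organization's firewall does not help, and long ICMP must be dropped upstream by the ISP) can be made concrete with a small model. This is an added example, not code from the original post: it compares the common "drop inbound ICMP Echo Request" rule with the post's "drop ICMP longer than 1499 bytes" rule, applied either at the customer's firewall or in the ISP's network, over datagrams constructed with the sizes the post quotes. The ICMP type of the amplified reply is not given in the post, so it is left unset.

```python
# Added example (not from the original post): comparing the common
# "drop ICMP Echo Request at the firewall" policy with the post's
# "drop any ICMP datagram longer than 1499 bytes" rule, and showing
# why the second one only helps when an ISP applies it upstream of
# the target's access link. All datagrams and rates are constructed
# from the sizes quoted in the post.
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Datagram:
    proto: str                        # "ICMP", "UDP" or "TCP"
    length: int                       # IP total length in bytes
    icmp_type: Optional[int] = None   # ICMP type if known; unknown for the amplified reply


ICMP_ECHO_REQUEST = 8
T1_BPS = 1_544_000        # T-1 access link
DS3_BPS = 44_736_000      # DS-3 access link

Policy = Callable[[Datagram], bool]   # True = accept, False = drop


def echo_request_only_policy(d: Datagram) -> bool:
    """Typical firewall rule of the time: block inbound pings, accept everything else."""
    return not (d.proto == "ICMP" and d.icmp_type == ICMP_ECHO_REQUEST)


def long_icmp_policy(d: Datagram, max_icmp_len: int = 1499) -> bool:
    """The post's recommendation: drop ICMP longer than 1499 bytes, whatever its type."""
    return not (d.proto == "ICMP" and d.length > max_icmp_len)


# Constructed datagrams matching the sizes quoted in the post
UDP_PROBE = Datagram("UDP", 29)                # Phase 1 scanning probe
SLAVE_REPLY = Datagram("ICMP", 1500)           # amplified ICMP reply from a slave
PING = Datagram("ICMP", 64, icmp_type=ICMP_ECHO_REQUEST)
WEB_SEGMENT = Datagram("TCP", 1500)            # ordinary full-size TCP segment

FLOOD = (3000, SLAVE_REPLY)    # (packets per second, datagram): the post's 3000 pkt/s rate


def access_link_load_bps(flood, policy: Policy, filter_location: str) -> int:
    """Bits per second of the flood that occupy the target's access link.
    A filter at the customer's own firewall sits downstream of the access link,
    so the packets it drops have already consumed link capacity; only an
    upstream ISP filter ("isp") relieves the link."""
    pps, d = flood
    if filter_location == "isp" and not policy(d):
        return 0
    return pps * d.length * 8


def link_survives(link_bps: int, load_bps: int) -> bool:
    """True when the flood alone leaves some capacity on the link."""
    return load_bps < link_bps


if __name__ == "__main__":
    for name, pol in [("echo-request-only", echo_request_only_policy),
                      ("long-ICMP", long_icmp_policy)]:
        for where in ("customer", "isp"):
            load = access_link_load_bps(FLOOD, pol, where)
            print(f"{name:18s} at {where:8s}: {load / 1e6:5.1f} Mbps on link, "
                  f"T-1 ok={link_survives(T1_BPS, load)}, DS-3 ok={link_survives(DS3_BPS, load)}")
    print("UDP probe passes echo-request-only filter:", echo_request_only_policy(UDP_PROBE))
    print("Normal 1500-byte TCP passes long-ICMP filter:", long_icmp_policy(WEB_SEGMENT))
```

The model makes the location argument explicit: the long-ICMP rule at the customer firewall still reports 36 Mbps on the link, because the bits have already crossed it, while the same rule in the ISP network reports zero. It also shows that the size rule leaves ordinary 1500-byte TCP segments untouched, so it costs nothing for normal traffic.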

Contact Information

The Georgia Tech network is being shut down over the Holiday break, so
my normal email address and Web page will not be available.

Please send email.  I will check voice mail left at my office: 404 894-5177.

Please send email to: jacopeland () mediaone net

This Web site will be used while the Georgia Tech network is down:
http://people.atl.mediaone.net/jacopeland

For my biographical information see:
http://people.atl.mediaone.net/jacopeland/jac_bio.htm

