Bugtraq mailing list archives
Re: DOS attack against HP JetDirect Printers
From: bgreenbaum () SECURITYFOCUS COM (Ben Greenbaum)
Date: Mon, 24 Apr 2000 14:15:13 -0700
This may be related to a previously-known issue regarding multiple connections. Try a 'nmap -sT -PT -M 1' and see what happens. The scan should be the same as previous but limit concurrent connections to one. According to the nmap docs I've got the default is 50.
From an ISS advisory (Dec 10, 1998)
http://www.securityfocus.com/advisories/526

----

Syn "Dripping":

Even though the JetDirect cards are not subject to syn flooding per se, due to the single threaded TCP/IP stack, even a single SYN packet can lock up the older interface for a significant period of time (tens of seconds to as much as a minute). Thus the printer can be subjected to a denial of service attack by slowly dripping SYN packets with non-responding "from" addresses directed to the older JetDirect interface. If this is directed at more than one of the JetDirect ports, the interface may lock up, as in the repeated rapid port scanning DoS described below. This problem was uncovered at Internet Security Systems during the analysis of other JetDirect problems. Newer multi-threaded versions of the JetDirect interfaces are not vulnerable to this problem.

Repeated rapid port scanning:

Some scanning tools use parallel port scanning to improve scanning speed. Parallel scanning of multiple ports on the older JetDirect cards has a high probability of causing a complete lockup of the JetDirect network interface. The fact that the DoS is not deterministic, and the failure rate is highly dependent on the timing and speed of the scan, indicates that this is a timing window or race condition in the TCP/IP stack on the older JetDirect.

----

Ben Greenbaum
Director of Site Content
Security Focus
http://www.securityfocus.com
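
Added example, not part of the original post or the ISS advisory: a small detector for the two traffic patterns the advisory describes (slow half-open SYNs from several non-responding sources, and one source opening many ports of a device at once), run over constructed packet records. The record format, the addresses and every threshold are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed records, not real traffic: (seconds, src, sport, dst, dport, flag)
# flag "S" = SYN from client, "A" = client's ACK completing the handshake.
PACKETS = [
    (0.0, "10.0.0.5", 40000, "10.0.9.20", 9100, "S"),
    (0.1, "10.0.0.5", 40000, "10.0.9.20", 9100, "A"),     # normal print job
    (5.0, "192.0.2.7", 1025, "10.0.9.20", 9100, "S"),     # never completed
    (35.0, "198.51.100.3", 1026, "10.0.9.20", 515, "S"),  # never completed
    (65.0, "203.0.113.9", 1027, "10.0.9.20", 23, "S"),    # never completed
] + [(100.0 + i / 100, "10.0.0.8", 50000 + i, "10.0.9.21", port, "S")
     for i, port in enumerate((21, 23, 80, 515, 9100))]   # 5 ports in 40 ms


def analyze(packets, handshake_timeout=3.0, drip_sources=3,
            scan_window=1.0, scan_ports=4):
    """Return sorted alerts; every threshold here is an assumed default."""
    acks = defaultdict(list)
    for t, src, sport, dst, dport, flag in packets:
        if flag == "A":
            acks[(src, sport, dst, dport)].append(t)
    half_open = defaultdict(set)   # dst -> sources whose SYN was never ACKed
    syn_times = defaultdict(list)  # (src, dst) -> [(time, dport)]
    for t, src, sport, dst, dport, flag in packets:
        if flag != "S":
            continue
        done = any(t <= a <= t + handshake_timeout
                   for a in acks.get((src, sport, dst, dport), ()))
        if not done:
            half_open[dst].add(src)
        syn_times[(src, dst)].append((t, dport))
    alerts = []
    # SYN dripping: half-open SYNs to one device from several distinct sources.
    for dst, sources in half_open.items():
        if len(sources) >= drip_sources:
            alerts.append(("syn-drip", dst, len(sources)))
    # Parallel scan: one source hitting many ports of one device at once.
    for (src, dst), seen in syn_times.items():
        seen.sort()
        for i, (t0, _) in enumerate(seen):
            ports = {p for t, p in seen[i:] if t - t0 <= scan_window}
            if len(ports) >= scan_ports:
                alerts.append(("parallel-scan", dst, src))
                break
    return sorted(alerts)


if __name__ == "__main__":
    for alert in analyze(PACKETS):
        print(alert)
```

A scan limited to one connection at a time, as suggested in the message above, spreads the same ports over a longer interval and does not match the parallel-scan rule.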