Bugtraq mailing list archives

Re: DOS attack against HP JetDirect Printers


From: bgreenbaum () SECURITYFOCUS COM (Ben Greenbaum)
Date: Mon, 24 Apr 2000 14:15:13 -0700


This may be related to a previously-known issue regarding multiple
connections. Try a 'nmap -sT -PT -M 1' and see what happens. The scan
should be the same as previous but limit concurrent connections to one.
According to the nmap docs I've got the default is 50.

From an ISS advisory (Dec 10, 1998)
http://www.securityfocus.com/advisories/526

----
Syn "Dripping":

Even though the JetDirect cards are not subject to syn flooding per se,
due to the single threaded TCP/IP stack, even a single SYN packet can
lock up the older interface for a significant period of time (tens of
seconds to as much as a minute).  Thus the printer can be subjected to a
denial of service attack by slowly dripping SYN packets with non-
responding "from" addresses directed to the older JetDirect interface.  If
this is directed at more than one of the JetDirect ports, the interface
may lock up, as in the repeated rapid port scanning DoS described below.

This problem was uncovered at Internet Security Systems during the
analysis of other JetDirect problems.

Newer multi-threaded versions of the JetDirect interfaces are not
vulnerable to this problem.

Repeated rapid port scanning:

Some scanning tools use parallel port scanning to improve scanning speed.
Parallel scanning of multiple ports on the older JetDirect cards has a
high probability of causing a complete lockup of the JetDirect network
interface.  The fact that the DoS is not deterministic, and the failure
rate is highly dependent on the timing and speed of the scan, indicates
that this is a timing window or race condition in the TCP/IP stack on the
older JetDirect.
----

Ben Greenbaum
Director of Site Content
Security Focus
http://www.securityfocus.com
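
An added detection example, not part of the original message or the ISS advisory: it flags the two conditions the advisory excerpt describes (SYNs to the printer that never complete a handshake, and many ports probed in parallel) in connection records. The record format, addresses, thresholds and function names are assumptions made for illustration.

```python
from collections import defaultdict

PRINTER = "192.0.2.10"  # assumed printer address (documentation range)

# Constructed sample records: (time_s, src, sport, dst, dport, flag)
# "S" = client SYN, "A" = client ACK that completes the handshake.
RECORDS = [
    (0.0, "198.51.100.7", 40001, PRINTER, 9100, "S"),
    (0.1, "198.51.100.7", 40001, PRINTER, 9100, "A"),  # normal print job
    (5.0, "203.0.113.5", 1025, PRINTER, 9100, "S"),    # slow SYNs, never completed
    (35.0, "203.0.113.5", 1026, PRINTER, 515, "S"),
    (65.0, "203.0.113.5", 1027, PRINTER, 23, "S"),
]
# Constructed parallel connect scan: five ports opened within 50 ms.
RECORDS += [(80.0 + i * 0.01, "198.51.100.9", 50000 + i, PRINTER, port, flag)
            for i, port in enumerate((21, 23, 80, 515, 9100)) for flag in "SA"]


def half_open_syns(records, dst):
    """SYNs to dst whose handshake never completed (candidate SYN drip).

    Not grouped by source, since non-responding source addresses may differ
    from packet to packet.
    """
    acked = {(s, sp, dp) for _, s, sp, d, dp, f in records if d == dst and f == "A"}
    return [(t, s, dp) for t, s, sp, d, dp, f in records
            if d == dst and f == "S" and (s, sp, dp) not in acked]


def parallel_scanners(records, dst, min_ports=4, window_s=1.0):
    """Sources that SYN at least min_ports distinct ports on dst within window_s."""
    by_src = defaultdict(list)
    for t, s, _, d, dp, f in records:
        if d == dst and f == "S":
            by_src[s].append((t, dp))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        for t0, _ in events:
            ports = {p for t, p in events if 0 <= t - t0 <= window_s}
            if len(ports) >= min_ports:
                hits[src] = max(hits.get(src, 0), len(ports))
    return hits


if __name__ == "__main__":
    print("half-open SYNs:", half_open_syns(RECORDS, PRINTER))
    print("parallel scanners:", parallel_scanners(RECORDS, PRINTER))
```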


