Information Security News mailing list archives

DoS alarm sounded over server flaw


From: InfoSec News <isn () C4I ORG>
Date: Sun, 3 Dec 2000 23:37:07 -0600

http://www.zdnet.com/zdnn/stories/news/0,4586,2660317,00.html

By Robert Lemos, ZDNet News
December 1, 2000 5:19 PM PT

Security consultant BindView Corp. has announced that a widespread
flaw in the way that servers handle Internet traffic could result in
so-called denial-of-service attacks similar to the ones that plagued
the Web last February.

The idea is nothing new: Send data to a server in a certain way so
that the computer reserves memory and processor time for the
connection -- and repeat many, many times. When the server runs out of
memory or slows down to a crawl, certain functions will stop
responding.

And like other denial-of-service attacks, this one is hard to stop,
because the traffic is not easily differentiated from the data that
normally traverses the Net.

"It is not impossible to defend against when (operating-system makers)
take it seriously -- which they are," said Bob Keyes, the BindView
security engineer that found the problems.

'Bug the vendors'

"By having enough resources, the resource-deprivation attack is much
less likely to succeed," said Keyes. "Also, bug the vendors for a fix."

The flaw affects Microsoft's Windows NT, Novell, Solaris, and Linux
servers as well as Windows 9x and Me. Windows 2000 is not affected.

BindView notified Microsoft Corp. of the problem in June and submitted
an advisory to the Computer Emergency Response Team at Carnegie Mellon
University in October. Both organizations released alerts on Thursday.

"A lot of attention was paid, during the course of Windows 2000
development, to these sorts of network robustness issues," said Steve
Lipner, manager of Microsoft's Security Response Center. "This is a
place where that attention to detail paid off."

'Naptha' on the attack

BindView also provided an attack tool, dubbed "Naptha," to the
organizations to test their software for the family of flaws.

"We are sort of in a bind," said Keyes. "We want to make sure that
people know -- and can test -- what's out there, but on the other
hand, we don't want to tip our hands so that the bad guys can write a
program that can do this."

The Naptha tool was not publicly released and has an identifier -- a
line from a B-52s song -- in the packet it sends as part of the
attack, in case it gets leaked to the public.

"A lot of people are going to say that this is a known problem,
because it is just resource starvation," said Weld Pond, a
hacker-cum-security-researcher at @Stake Inc. "But it's one that needs
to be fixed."

ISN is hosted by SecurityFocus.com