Information Security News mailing list archives

Internet community prepares for a "Jolt"


From: William Knowles <wk () C4I ORG>
Date: Mon, 12 Jun 2000 10:23:51 -0500

I had the opportunity to see and hear Lance Spitzer's talk about this
at the Chicago AIP Computer Security SIG back in May, and I would
highly recommend that any information security professionals in the
Midwest look into the Security SIG the Chicago AIP has.

http://www.egroups.com/group/chicago-security

Cheers!

William Knowles
wk () c4i org


Corporations and firewall vendors are on high alert today following
reports of another potentially destructive denial-of-service (DoS)
tool. The recently released "Jolt 2" can be used to overwhelm a number
of popular commercial firewalls with fragmented IP packets, driving CPU
utilization to nearly 100 percent and possibly crashing the firewall.

As Security Wire Digest went to press Friday night, only Check Point's
FireWall-1 had been publicly confirmed as vulnerable to the Jolt
attack. However, internal tests at security firm ICSA.net showed that
at least six other firewall brands were also vulnerable; those brands
were not being announced publicly until the affected vendors could
develop workarounds or patches.

Lance Spitzer, a security researcher at Sun Microsystems, discovered
the Check Point vulnerability in late May while testing how FireWall-1
handles IP fragmentation. According to Spitzer's research, which he
shared with Check Point before publishing it, the attack exploits the
fact that FireWall-1 does not normally inspect or log fragmented
packets until they have been reassembled into a whole datagram. Jolt 2
sends nothing but fragments, so no datagram is ever completed:
FireWall-1 spends all of its CPU holding and attempting to reassemble
pieces that never get inspected, starving every other request and
service of processor time.
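To make the failure mode above concrete, the following is an added illustration written for this archive entry; it is not Jolt 2, FireWall-1 or ICSA.net code, and the source code of Jolt 2 is not reproduced. It parses IPv4 fragment headers, models a reassembly table in the naive "keep working until all pieces arrive" style the article describes, and then adds the two controls a defender would want: a hard cap on pending partial datagrams and an "orphan" counter that flags sources whose fragments keep arriving without a first fragment. The packet streams, the addresses (documentation ranges), the fragment offsets and the thresholds are all constructed for the example and are assumptions, not measurements of the real tool.

```python
"""Added model of the reassembly problem described in the article.  Illustrative
code only, not Jolt 2, FireWall-1 or ICSA.net code.  All traffic is constructed
inside run_demo(); addresses are documentation ranges."""
import socket
import struct
from collections import Counter

IPV4_FMT = "!BBHHHBBH4s4s"  # 20-byte IPv4 header without options


def build_ipv4(src, dst, ident, offset, payload_len, more_fragments, proto=1):
    """Constructed test input: header plus zeroed payload, checksum left 0."""
    flags_frag = ((1 if more_fragments else 0) << 13) | (offset // 8)
    hdr = struct.pack(IPV4_FMT, 0x45, 0, 20 + payload_len, ident, flags_frag,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + bytes(payload_len)


def parse_ipv4(raw):
    """Return the header fields reassembly cares about."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_frag, _ttl, proto, _csum,
     src, dst) = struct.unpack(IPV4_FMT, raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "id": ident, "proto": proto,
            "mf": bool(flags_frag & 0x2000),      # More Fragments flag
            "offset": (flags_frag & 0x1FFF) * 8,  # fragment offset in bytes
            "payload_len": total_len - (ver_ihl & 0x0F) * 4}


def is_fragment(hdr):
    """What a router told to 'drop fragmented packets' matches: any piece of a
    fragmented datagram.  It stops a fragment-only flood but also discards every
    legitimate fragmented datagram, so it is a stopgap, not a fix."""
    return hdr["offset"] != 0 or hdr["mf"]


class FragmentTracker:
    """Reassembly state with a hard cap and a timeout.  A table that keeps
    growing and working for as long as fragments arrive is what a fragment-only
    flood exhausts; the cap and the orphan counter are the added controls."""

    def __init__(self, max_pending=64, timeout=30.0):
        self.max_pending = max_pending
        self.timeout = timeout
        self.pending = {}         # (src, dst, id, proto) -> partial datagram
        self.orphans = Counter()  # src -> fragments seen with no first fragment
        self.dropped = 0          # fragments refused because the table was full

    def observe(self, hdr, now):
        if hdr["offset"] == 0 and not hdr["mf"]:
            return "unfragmented"  # whole datagram, nothing to reassemble
        self._expire(now)
        key = (hdr["src"], hdr["dst"], hdr["id"], hdr["proto"])
        entry = self.pending.get(key)
        if entry is None:
            if len(self.pending) >= self.max_pending:
                self.dropped += 1
                return "dropped"   # refuse new state rather than grow without bound
            entry = self.pending[key] = {"started": now, "parts": {}, "total": None}
        entry["parts"][hdr["offset"]] = hdr["payload_len"]
        if not hdr["mf"]:          # the last fragment fixes the datagram length
            entry["total"] = hdr["offset"] + hdr["payload_len"]
        if 0 not in entry["parts"]:  # still no first fragment: cannot inspect
            self.orphans[hdr["src"]] += 1
        if entry["total"] is not None and self._contiguous(entry):
            del self.pending[key]
            return "complete"
        return "pending"

    def _contiguous(self, entry):
        end = 0
        for off in sorted(entry["parts"]):
            if off > end:
                return False       # gap: a piece is still missing
            end = max(end, off + entry["parts"][off])
        return end >= entry["total"]

    def _expire(self, now):
        for key in [k for k, e in self.pending.items() if now - e["started"] > self.timeout]:
            del self.pending[key]

    def suspicious_sources(self, threshold):
        """Sources whose fragments repeatedly arrive with no first fragment."""
        return {src for src, n in self.orphans.items() if n >= threshold}


def run_demo():
    """Constructed traffic: one legitimate 2-fragment datagram; a flood of one
    non-initial fragment repeated 1000 times (the first fragment never comes);
    then 200 such fragments with distinct IP IDs to fill the table."""
    tracker = FragmentTracker(max_pending=64, timeout=30.0)
    legit = [build_ipv4("198.51.100.5", "192.0.2.1", 0x1234, 0, 1480, True),
             build_ipv4("198.51.100.5", "192.0.2.1", 0x1234, 1480, 200, False)]
    flood = [build_ipv4("203.0.113.7", "192.0.2.1", 0x0451, 65520, 9, False)] * 1000
    spray = [build_ipv4("203.0.113.7", "192.0.2.1", i, 65520, 9, False) for i in range(200)]
    results, t = Counter(), 0.0
    for raw in legit + flood + spray:
        results[tracker.observe(parse_ipv4(raw), t)] += 1
        t += 0.001                 # one packet per millisecond; no timeout fires
    return tracker, results


if __name__ == "__main__":
    tracker, results = run_demo()
    print(dict(results), "pending entries:", len(tracker.pending))
    print("suspicious:", tracker.suspicious_sources(threshold=100))
```

Run as a script it reports one completed datagram from the legitimate host, a pending table pinned at the cap with the overflow refused, and the flood source flagged by the orphan counter while the legitimate source is not. The same counter would also flag a host whose fragments simply never complete, which is the general shape of the attack the article describes rather than one specific tool.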

"We verified that this is an issue. This is an attack and several
applications are vulnerable to it, including Firewall-1," Greg Smith,
Check Point's director of product marketing, told Information Security
magazine. "Firewall-1 is vulnerable to it, but it is not Firewall-1
specific. It would affect other firewalls as well."

By the middle of last week, Check Point had released a workaround for
the attack (see http://www.checkpoint.com/techsupport/alerts/ipfrag_dos.html ).
Smith says Check Point will ship a permanent fix in the next release of
Firewall-1, due at the end of June.

"It's not the OS code that's bogging down, or the firewalling code
that's bogging down. It's the reassembly prior to logging code that is
bogging down," commented Al Potter, manager of the network security
labs at ICSA.net. Potter's assessment is consistent with Check Point's
workaround, which essentially turns off console logging in order to
free up CPU resources.

The larger concern about Jolt is not version 2 itself but the potential
for attackers to improve on the existing source code and produce a more
destructive tool. Jolt 2 is only 170 lines long and is cobbled together
from other attack scripts. In fact, comments in the source code,
written by "Phonix," confirm the tool's patchwork origin:

"This is the proof-of-concept code for the Windows denial-of-serice
[sic] attack.... This code causes cpu utilization to go to 100%.
Tested against: Win98; NT4/SP5,6; Win2K.... This is standard code.
Ripped from lots of places.... It's a trivial exploit, so I won't take
credit for anything except putting this file together."

The code also reportedly contains several coding errors that, if
fixed, would result in a more dangerous tool. "Jolt 2 is not a
particularly robust hammer," says Potter. "A journeyman-level coder
could tune it up with considerably little effort."

"This is going to get worse before it gets better," Potter added.

Though there were no reports of attacks as of Friday evening,
licensees of all commercial firewall brands are encouraged to monitor
their firewall vendor's Web site for additional news and updates.
Because configuration changes on the firewall itself will not stop
this attack, Internet-facing routers can be temporarily configured to
drop fragmented packets. Note that this also discards legitimate
fragmented traffic, so it is a stopgap until a vendor fix is applied,
not a permanent setting.

Spitzer's paper:
http://www.enteract.com/~lspitz/fwtable.html

Check Point's workaround:
http://www.checkpoint.com/techsupport/alerts/ipfrag_dos.html

ISN is sponsored by SecurityFocus.com