TCP Sockstress Brings Forth New OS Exploit Worries

By Paul Rubens
Posted Oct 15, 2008

OS Roundup: Sockstress is neither stress from mismatched socks nor the mistress of socks. It is even more fearsome: a potentially serious issue in many OSes that affects TCP services. Some OSes are handling it better than others. How do yours fare? Plus, another go-round with the Linux desktop.

Operating system makers may be forced to do some serious modifications to their TCP/IP stacks, thanks to the TCP sockstress vulnerability which has been hitting the news over the last few weeks.

TCP sockstress is a potentially serious generic issue in many operating systems that affects the availability of TCP services. Jack C. Louis, a security researcher at Outpost 24, a network security company based in Karlskrona, Sweden, discovered it. The company's CSO, Robert E. Lee, is the author of Unicornscan, a formidably fast scanner much loved by penetration testers which, unlike Nmap, has its own TCP/IP stack and which is capable of scanning an internal class B network (that's 65,000+ hosts) in less than three minutes.

A DoS attack exploiting the sockstress vulnerability uses half-open connections to deplete resources in the machines under attack. It very quickly causes specific services to become unavailable and may even require complete machine reboots.
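
For administrators who want to watch for the half-open build-up described above, the following added example (not from the article or from Outpost 24) tallies half-open sockets per remote peer from text in the Linux /proc/net/tcp layout. The sample table is constructed, the threshold is an arbitrary assumption, and the address decoding assumes a little-endian host.

```python
import socket
import struct
from collections import Counter

SYN_RECV = 0x03  # kernel code for a half-open (SYN received, handshake unfinished) socket

# Constructed sample in /proc/net/tcp layout, trimmed to the leading columns.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue
   0: 010200C0:0050 00000000:0000 0A 00000000:00000000
   1: 010200C0:0050 0A0200C0:C001 03 00000000:00000000
   2: 010200C0:0050 0A0200C0:C002 03 00000000:00000000
   3: 010200C0:0050 0A0200C0:C003 03 00000000:00000000
   4: 010200C0:0050 0A0200C0:C004 03 00000000:00000000
   5: 010200C0:0050 076433C6:D431 01 00000000:00000000
   6: 010200C0:0050 057100CB:E001 03 00000000:00000000
   7: 010200C0:0016 0A0200C0:C005 03 00000000:00000000
"""

def decode_addr(field):
    """Turn 'HHHHHHHH:PPPP' into (dotted_ip, port); assumes a little-endian host."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)

def half_open_by_peer(table, local_port):
    """Count SYN_RECV sockets on local_port, grouped by remote IP."""
    counts = Counter()
    for line in table.splitlines()[1:]:      # skip the header row
        cols = line.split()
        if len(cols) < 4:
            continue
        _, lport = decode_addr(cols[1])
        peer, _ = decode_addr(cols[2])
        if lport == local_port and int(cols[3], 16) == SYN_RECV:
            counts[peer] += 1
    return counts

def suspicious_peers(counts, threshold):
    """Peers holding at least `threshold` half-open sockets (threshold is an assumption)."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    counts = half_open_by_peer(SAMPLE, 80)
    print(dict(counts))
    print(suspicious_peers(counts, 3))
```

On a live Linux host the same functions can be fed the contents of /proc/net/tcp instead of SAMPLE.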


What's worrying is that Louis claims the attack is effective against almost anything on a network (Windows, BSD, Linux, embedded systems TCP/IP stack implementations ... you name it), and the attack can be successful when packets are sent to a targeted machine at the rate of just one packet per second. Presumably, a bot would have to carry out such an attack (so the feds don't turn up at the attacker's door), but there would certainly be no need for a vast botnet or a high bandwidth connection to the Internet. By the sound of it, you could bring down a Web site with a single machine and an old AOL dial-up connection.

The full details of the attack are not yet available, and Outpost 24 has contacted the major vendors concerned to give them an opportunity to fix things in their TCP/IP stacks — if indeed that is the best way forward. Lee says in his blog that it's not yet clear what the best way to deal with this issue really is, although he is hopeful one will be found. "Just because we can't think of a solution doesn't mean there isn't one, it just means that we haven't thought of it yet," he says rather ominously.

Given that the attack affects many different OSes, it will be interesting to see how quickly any solution — if one is found — is reflected by changes in those OSes' TCP/IP stacks.

If the vulnerability affects OS X, I'd be worried — if I were an Apple fan-boy. In a similar situation this summer when OS makers were scrambling to address a DNS flaw, Microsoft, Cisco and others released fixes promptly; Apple, inexplicably, dithered and did nothing. Even though BIND was patched by July 8, OS X (which relies on BIND for its DNS component) wasn't patched until the beginning of August.

This adds to the debate about what the best way to release OS patches really is. Microsoft sticks to its well known "patch Tuesday" schedule — the second Tuesday of every month — while Apple's failure to stick to any schedule has led some people to question whether the company is serious about getting Macs in the enterprise.

"You get an update from Apple, and it's always a surprise," Andrew Storms, director of security operations at vendor nCircle Network Security, said in an interview: "The first thing you do is sit down with your team, look at the update, set priorities and assign resources. And then the next day, another update arrives, and you have to do it all over again."

To be fair to Apple though, rolling up patches into a monthly release is the exception rather than the norm among OS makers, and it also runs the risk that hackers will time the launch of new exploits until the day after a patch day to try to maximize their exploitation window.

Still, having a "patch Tuesday" policy does show that Microsoft has thought about the practical, as well as the technical, aspect of patching. And, in fact, it is continuing to do so: The patches Microsoft releases today are due to be the first to include an "Exploitability Index," which estimates how likely it is that each of the vulnerabilities the patches address will actually be attacked. This is designed to help administrators prioritize their patching. Vulnerabilities will be ranked as:

  • Consistent Exploit Code Likely
  • Inconsistent Exploit Code Likely
  • Functioning Exploit Code Unlikely

where the first is the most dangerous. It will be interesting to see if this really does make things easier for administrators or whether this new system, together with its existing threat level assessment, just leads to confusion.

The Linux Desktop, Redux

Changing the subject, I wrote about enterprise desktop OSes a few weeks ago and made the point that Linux desktops don't look as polished as those running XP or Vista, and they aren't as intuitive to use. A number of people disagreed with this, saying that the KDE and Gnome desktop environments look far more sophisticated. While I agree these Linux desktops are far more flexible and almost infinitely customizable, Ubuntu's Mark Shuttleworth is spot on when he says that "designers, user experience champions and interaction design visionaries" are needed to get Linux desktops looking a little less amateurish.

I think, however, a whole bus-load of black turtlenecked types will be necessary if Linux is ever going to make users swoon. Windows may not be George Clooney, but many Linux distributions are as ugly as a fairytale frog.

Even if Linux does get a kiss from a prince and turns into a beautiful princess, the problem will remain that it simply isn't Windows. This is borne out by the experience of MSI, which has found that four times as many of its Wind netbooks running SUSE Linux are returned compared to Windows netbooks. Andy Tung, MSI's US sales director, explained in an interview:

Our internal research has shown that the return of netbooks is higher than regular notebooks, but the main cause of that is Linux. People would love to pay $299 or $399 but they don't know what they get until they open the box. They start playing around with Linux and start realizing that it's not what they are used to. They don't want to spend time to learn it so they bring it back to the store.

That must be very depressing news for Apple and all the desktop Linux makers. "You can lead a horse to Linux, but you can't make it think." If that's not a saying, it should be.

Paul Rubens is an IT consultant and journalist based in Marlow on Thames, England. He has been programming, tinkering and generally sitting in front of computer screens since his first encounter with a DEC PDP-11 in 1979.
