WHAT IS SOCKSTRESS?
A generic issue that affects the availability of TCP services. This issue could be used to create a Denial of Service attack. So far it is reported that this affects all systems running any service utilizing TCP, including Windows, Mac, Linux, and BSD.
Sockstress: false modesty?
It's a credible DoS tool capable of brining down TCP/IP stacks in seconds.
Sockstress, Internet (TCP/IP) under attack?
Denial of Service attacks aren’t new, yet persist in being effective methods of denying access to resources on the Internet. Now meet Sockstress, the newest version of DoS attacks, and heralded as potentially the most devastating of the bunch.
Full details will be released soon. June is the new target month.Details of the sockstress tool
The basic idea is to first firewall your source address(es) using a command such as iptables (on Linux) to prevent your own OS from interfering with your attack. Next you create hundreds or thousands of connections to the TCP port you are targeting (such as port 80 of a web server) as follows:
1. Attacker sends a TCP SYN packet to the target port from his own IP address (or one he controls) to request a connection. 2. The target port is open, so it will respond with a SYN/ACK packet–the 2nd step of the TCP 3-way handshake. Remember that Attacker sent the SYN as a raw packet from userland rather than using his operating system’s connect() API to establish the connections. So when Attacker’s operating system’s TCP stack sees the unexpected SYN/ACK come back, it would normally destroy the nascent connection by sending a reset (RST) packet. This is why the special firewall rule was mentioned–to prevent such interference by Attacker’s OS. Instead Attacker’s DoS client handles all these packets by sniffing them from userland (generally using libpcap) and building/sending the raw reply packets. 3. Using the initial sequence number and other information from the SYN/ACK, Attacker sends an acknowledgment packet (the final step of the 3-way handshake) to complete the connection.
More information is presented in the flash, audio, pdf, pdf files and Powerpoint slides.
Download
Download the current release of unicornscan v0.4.7-2
here
-
SOCKSTRESS IN THE NEWS
- Update: CERT-FI Statement on the Outpost24 TCP Issues
- Cisco security updates squash router bugs, sockstress vulnerability fixed??
- Researcher's death casts pall over major TCP fix
- Researcher's Death Hampers TCP Flaw Fix
- Jack C. Louis Memorial, condolences!
- TCP is fundamentally borked
- Cisco Security Center Alert
- Robert E. Lee Discusses TCP Denial of Service Vulnerability with SC Magazine
- TCP Vulnerability Found
- Sockstress: A New and Effective DoS Attack
- Core TCP Flaw Discovered - Sockstress
- DoS attack reveals (yet another) crack in net’s core
- Researchers disclose deadly cross-platform TCP/IP flaws
- CERT-FI Statement on the Outpost24 TCP Issues
- Sockstress is able to cause internet meltdown
- TCP flaws puts Web sites at risk
- Explaining the New TCP Resource Exhaustion Denial of Service (DoS) Attack
- Sock stress Wiki
- A new DoS attack
- CERT Alert
- Sockstress: An Internet Vulnerability That May Create the Date the Net Stood Still?
- Jack C. Louis and Robert E. Lee to talk about New DoS Attack Vectors
- Outpost24 TCP Denial of Service Vulnerability Interview Transcript
- TCP Resource Exhaustion and Botched Disclosure