Sockstress is a method used to attack servers on the Internet and other networks that use TCP, including Windows, Mac, Linux, BSD and any router or other internet appliance that accepts TCP connections.〔(Security Now! podcast explaining Sockstress)〕 The method attempts to use up local resources in order to crash a service or the entire machine, which makes it a denial-of-service attack.

Sockstress was developed as an internal proof-of-concept by the late Jack C. Louis at Outpost24. Louis discovered anomalies while using Unicornscan to test and probe networks for corporate security, which led to the development of Sockstress.〔(Interview with Robert E. Lee and Jack C. Louis (First 8 minutes after English begins))〕 The concept was first demonstrated in September 2008.〔(Carl Nordenfelt's blog post)〕〔(Amelia Nilsson's blog post)〕〔(Mikael (FireLynx) blog post)〕 The researchers had planned on releasing more details at the T2 conference in Finland, where they demonstrated the attacks. They instead chose to continue to work closely with, and give more time to, the vendor and standards communities. In a blog entry they said "We are not putting them (vendors) under undue pressure to get poorly implemented rushed fixes out."

==About Sockstress==

Sockstress is a user-land TCP socket stress framework that can complete arbitrary numbers of open sockets without incurring the typical overhead of tracking state. Once the socket is established, it is capable of sending TCP attacks that target specific types of kernel and system resources such as Counters, Timers, and Memory Pools. Some of the attacks described here are considered "well known". However, the full effects of these attacks are less known. Further, there are more attacks yet to be discovered or documented. As researchers document ways of depleting specific resources, attack modules could be added to the sockstress framework.
The sockstress attack tool consists of two main parts:

1) Fantaip: Fantaip〔(Fantaip comes with Unicornscan)〕 is a "Phantom IP" program that performs ARP for IP addresses. To use fantaip, type 'fantaip -i interface CIDR', e.g. 'fantaip -i eth0 192.168.0.128/25'. This ARP/Layer 2 function could optionally be provided by other means, depending on the requirements of the local network topology. Since sockstress completes TCP sockets in user-land, it is not advisable to use sockstress with an IP address configured for use by the kernel, as the kernel would then RST the sockets. This is not strictly required, as a firewall that drops incoming packets with the RST flag can be used to achieve the same goal and prevent the kernel from interfering with the attack vector.

2) Sockstress: In its most basic use, sockstress simply opens TCP sockets and sends a specified TCP stress test. It can optionally send an application-specific TCP payload (such as a 'GET / HTTP/1.0' request). By default, after the attack it ignores subsequent communications on the established socket. It can optionally ACK probes for active sockets.

The attacks take advantage of the exposed resources the target makes available post handshake. The client-side cookies, heavily discussed in blogs, news and discussion lists, are an implementation detail of sockstress and are not strictly necessary for carrying out these attacks.

Excerpt source: Wikipedia, the free encyclopedia
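A defender-side view of the two parts described above, as an added example that is not part of the original article or of the sockstress tool: because fantaip can answer ARP for a whole CIDR block, completed sockets may be spread across many source addresses, so this script counts established connections per peer prefix as well as per peer IP. The `ss -tn`-style sample lines, the thresholds and the /25 grouping are constructed assumptions.

```python
import ipaddress
from collections import Counter

def build_sample():
    """Constructed lines in the shape of `ss -tn` output (header removed)."""
    lines = []
    # 40 peers inside 192.168.0.128/25, three established sockets each
    for host in range(130, 170):
        for port in (40000, 40001, 40002):
            lines.append(f"ESTAB 0 0 10.0.0.5:80 192.168.0.{host}:{port}")
    # an ordinary client with four connections, plus one non-established socket
    for port in range(50000, 50004):
        lines.append(f"ESTAB 0 0 10.0.0.5:80 203.0.113.9:{port}")
    lines.append("TIME-WAIT 0 0 10.0.0.5:80 203.0.113.9:50010")
    return lines

def peer_ip(line):
    """Return the peer address of an ESTAB line, or None for anything else."""
    fields = line.split()
    if len(fields) < 5 or fields[0] != "ESTAB":
        return None
    host = fields[4].rsplit(":", 1)[0].strip("[]")  # drop port and IPv6 brackets
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None

def flag_sources(lines, per_ip_limit=20, per_prefix_limit=100, v4_prefix=25):
    """Count established sockets per peer IP and per enclosing prefix.

    Limits and prefix length are assumed values; tune them to the service.
    """
    by_ip, by_prefix = Counter(), Counter()
    for line in lines:
        ip = peer_ip(line)
        if ip is None:
            continue
        plen = v4_prefix if ip.version == 4 else 64
        by_ip[ip] += 1
        by_prefix[ipaddress.ip_network(f"{ip}/{plen}", strict=False)] += 1
    hot_ips = {str(ip): n for ip, n in by_ip.items() if n > per_ip_limit}
    hot_nets = {str(net): n for net, n in by_prefix.items() if n > per_prefix_limit}
    return hot_ips, hot_nets

if __name__ == "__main__":
    ips, nets = flag_sources(build_sample())
    print("per-IP alerts:", ips)
    print("per-prefix alerts:", nets)
```

On the constructed sample no single address crosses the per-IP limit, while the /25 as a whole does, which is the case a per-address connection cap alone would miss.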