m1enkrafft_man | Posted August 31, 2016 (edited)

So, gonna put this here since it's the most relevant place to put it. Last semester, a friend of mine and I were toying around with writing an Android application to test a Slowloris attack on some University systems (as part of a network security audit - we had permission), and wanted to extend the attack to other services. Well, after a few weeks of research, we had written our own attack that could reliably take down any TCP-based service - and do so from a mobile device. We still have yet to find a service or protocol which is not affected.

Knowing we had something somewhat interesting on our hands, we decided we should talk to an expert. Ironically, at this time Chris Goggans was visiting our school performing a separate security audit (my University very much values security, if you haven't noticed already), and so I sat down to speak with him about it. He believed that the attack was incredibly severe - he said that it was 'evil' and began asking if I wanted to present it at a fairly well-known conference in Vegas. Our professor caught wind of this and, not wanting to be responsible for any legal issues, wanted to run this through vendors first before releasing it.

Through contacts at the University, we got in contact with Microsoft, who brought us in touch with "The Industry Consortium for Advancement of Security on the Internet"; otherwise known as ICASI, it's a group consisting of Microsoft, Oracle, Cisco, IBM, Intel, Amazon, and others. We had a very long email exchange with them, as well as two conference calls where representatives from every company were present, and attempted to mitigate the attack. If you'd like to read the article they published about it, you can find it here. For only the interesting bits:

"[Dr.] Plante's innovative approach to teaching security helped two of his students discover a potentially unknown, pervasive TCP vulnerability impacting all TCP listening services running on industry hardware, like servers."

"Florez and Roe found that in fact, all TCP listening services as well as TLS secure connections were vulnerable to what amounted to a new and highly efficient denial of service (DoS) attack."

"The eventual solution ICASI recommended implementing based on the information and research provided by Stetson University and their own testing was to mitigate the solution by using a large load-balancing front-end. This would spread out the possible denial of service attack against servers rendering the attack almost negligible."

I'd assume it's probably against the rules to focus on how the attack works, but the overall experience itself was very interesting in terms of research, discovery, and triage/mitigation, so if anyone has any questions on what that was like I'd love to talk about it. Also, yes, I was awarded a bounty - free MS Enterprise software and $150 a month of Azure credit for life.

./discuss

Edited August 31, 2016 by m1enkrafft_man
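The attack the post describes was never published, but the class it belongs to (holding a listener's connection slots with requests that never complete, which is what Slowloris does against HTTP) can be shown on a toy server. The following is an added example, not code from this thread or from the research it describes, and it is not the undisclosed attack: a threaded line-echo server with four worker slots, a client that opens four connections and never finishes its request, and a well-behaved client that then cannot get served. Running the same server with an idle timeout evicts the idle peers and the second client is served. The server, the port choice and the byte strings are constructed for the demo.

```python
import socket
import threading
import time

HOST = "127.0.0.1"  # loopback only; the demo never leaves the machine


class SlotServer:
    """Toy line-echo TCP server with a fixed number of worker slots.

    Every accepted connection holds one slot until the client sends a
    newline-terminated line. With idle_timeout=None a client that never
    finishes its line keeps the slot forever: the Slowloris pattern.
    """

    def __init__(self, slots, idle_timeout=None):
        self.idle_timeout = idle_timeout
        self.free_slots = threading.Semaphore(slots)
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((HOST, 0))          # port 0: let the OS pick a free port
        self.sock.listen(128)
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            try:
                conn, _ = self.sock.accept()
            except OSError:                # listening socket was closed
                return
            threading.Thread(target=self._handle, args=(conn,), daemon=True).start()

    def _handle(self, conn):
        with self.free_slots:              # block until a worker slot is free
            try:
                conn.settimeout(self.idle_timeout)
                data = b""
                while not data.endswith(b"\n"):
                    chunk = conn.recv(1024)
                    if not chunk:          # peer closed without finishing its line
                        return
                    data += chunk
                conn.sendall(data)
            except socket.timeout:
                pass                       # idle peer evicted; slot is released below
            except OSError:
                pass                       # peer went away mid-exchange
            finally:
                conn.close()

    def close(self):
        self.sock.close()


def hold_open(port, n):
    """Slowloris-style client: open n connections, send a partial request, never finish."""
    socks = []
    for _ in range(n):
        s = socket.create_connection((HOST, port))
        s.sendall(b"GET / HT")             # constructed partial request, no newline
        socks.append(s)
    return socks


def legit_request(port, timeout):
    """Well-behaved client: send a complete line, wait up to `timeout` seconds for the echo."""
    s = socket.create_connection((HOST, port))
    s.settimeout(timeout)
    try:
        s.sendall(b"hello\n")
        return s.recv(64)
    except socket.timeout:
        return None                        # starved: no slot became free in time
    finally:
        s.close()


def demo(idle_timeout):
    """Fill all four slots with idle connections, then check whether a real client is served."""
    srv = SlotServer(slots=4, idle_timeout=idle_timeout)
    attackers = hold_open(srv.port, 4)
    time.sleep(0.2)                        # let the handler threads occupy every slot
    result = legit_request(srv.port, timeout=1.5)
    for s in attackers:
        s.close()
    srv.close()
    return result


if __name__ == "__main__":
    print("no idle timeout  :", demo(idle_timeout=None))  # None: starved
    print("0.3s idle timeout:", demo(idle_timeout=0.3))   # b'hello\n': served
```

The idle timeout only raises the attacker's cost: four idle connections no longer win, but more connections than slots, or reconnecting after every eviction, fills the slots again, and per-source connection caps do not help when the attacker has more sources. That is the shape of the thread's conclusion that the recommended mitigation was capacity in front of the service rather than a fix in it.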
Sirenfal | Posted August 31, 2016

If it's actually as bad as you're describing, what a laughable bounty. Neat anyway.
asmcint | Posted August 31, 2016

> If it's actually as bad as you're describing, what a laughable bounty. Neat anyway.

Thinking the same thing personally. You'd expect a decent cash bounty for that tbh.
m1enkrafft_man | Posted August 31, 2016 (edited)

> If it's actually as bad as you're describing, what a laughable bounty. Neat anyway.

Eh, I'm not too hurt by the whole thing, for a few reasons. One, we used University resources for the research, so any monetary gains would go to the school. Two, there's still a very strong chance I'll be presenting at DEFCON next year (I couldn't do so because of contractual stuff with Apple this year, and as such I've delayed my hire-on date to be after DEFCON next year to give me that chance). So I'm happy with what I've got. Plus it's good exposure and a bit of good publicity, which never hurts.

EDIT: Also, nobody could figure out a way to 'patch' the attack; they recommend throwing more resources at it, but then you could just use more resources yourself. Not all companies have the resources necessary, so they're sorta SOL at that point. That was a large factor in the bounty as well - we couldn't figure out a solid fix.

Edited August 31, 2016 by m1enkrafft_man
Keit1h | Posted August 31, 2016 (edited)

Reminds me of a Slowloris thing that a few friends and I made; it did the exact same thing. Any TCP-based service you could hit off using only your PC. I wonder if yours is any similar to the way we did ours, which was written in C++. I don't think I have the source/program anymore, but if I can find it on my old laptop or something I'll definitely touch on that as well. After a while we slowly figured out how pointless and stupid DDoSing shit for no good reason was, so it was put to rest.

Also, you probably found something that other "hackers" have found before, or some method that has mostly remained private for some reason. Those Slowloris variants are really not that difficult to come up with or create.

Now touching on your bounty, damn, they ripped you off. Selling it to script kiddies even would give you a better buck. Some kids will pay ANYTHING for a "super powerful DDoSer takes anything down in under a minute1!!!1!"

Edited August 31, 2016 by Keit1h
m1enkrafft_man | Posted September 1, 2016

> Also, you probably found something that other "hackers" have found before, or some method that has mostly remained private for some reason. Those Slowloris variants are really not that difficult to come up with or create.

Even then, resource starvation existed well before the Slowloris attack. That's all we've done, but figured out a way to get it to work on anything you hand it. Even things like game servers (that are TCP-based) and the like. As for someone else having done it, I wouldn't doubt it. However, even Chris with all his connections couldn't dig anything up, so if someone has been using a similar attack then 'Oh well'.
Sirenfal | Posted September 1, 2016

> Even then, resource starvation existed well before the Slowloris attack. That's all we've done, but figured out a way to get it to work on anything you hand it. Even things like game servers (that are TCP-based) and the like. As for someone else having done it, I wouldn't doubt it. However, even Chris with all his connections couldn't dig anything up, so if someone has been using a similar attack then 'Oh well'.

I can tell you someone I know has abused TCP attacks like this, though the scope isn't quite as wide as what you're describing. I think it's an unusual class of research because most criminals aren't smart enough to work on something like this (or have no reason to; the smart people tend to be the people after money, not goofing off), and security researchers rarely have the opportunity to test real-world attack scenarios with DDoS. Owning a test box is one thing; fucking up a network and potentially other networks between you and the target is another.

As far as I can tell TCP is fundamentally flawed, and the only long-term solution is to replace it with a new protocol eventually if these kinds of attacks become commonplace. There are also some worse exploits that abuse how networks interact with each other, but I'm going to be vague about that because those are even worse.
m1enkrafft_man | Posted September 1, 2016

> As far as I can tell TCP is fundamentally flawed, and the only long-term solution is to replace it with a new protocol eventually if these kinds of attacks become commonplace. There are also some worse exploits that abuse how networks interact with each other, but I'm going to be vague about that because those are even worse.

That was the ultimate conclusion we drew as well. However, Cisco and co. are a little hesitant to have to say that, especially because of the Internet's technology adoption rate (e.g. IPv6). As for the worse exploits - I believe Arbor put out a pretty good paper recently about some stuff similar to what I think you may be referring to and how they were utilized against the Rio Olympics.