Undead Attack

To view the full lecture on video, click "Here".

• What The News
• General information
  • When & Where
  • Tickets
  • Travel
  • FAQ
  • Thanks to ...
  • Contact
  • Forum (old site)
• Camping
  • Map of WTH
  • Weather
  • Hotels
  • Facilities
  • Campsite locations
• Participate
  • Volunteers
  • Villages
  • Projects
• Conference program
  • Schedule Day 1
  • Schedule Day 2
  • Schedule Day 3
  • Schedule Day 4
  • Events
  • Speakers
  • iCal
• Other
  • Photos
  • Press Reviews

Abstract

This talk is about a bug that appeared during a few experimentations with the TCP/IP stack after which we found out that it was not, at least it is not of our knowledge, found anywhere else before. That was actually a Solaris bug that resembles this one.

After an established connection, a specially crafted packet with the ACK/FIN flags set, a corrected Sequency Number but with an incorrected Acknowledge Number will trigger a massive flush of packages with zero size and only the ACK flag set. Ethereal logs showed that the keep alive state was occuring and this flow kept going for approximately 3 minutes and a few million packets. It was clearly observed that CPU and network performance was severed decreased due to this misbehave.

Potential attacks includes DoS and DDoS. Applications and services that depends on quality of services (QoS) such as H323 applications (VoIP) and video streamming will suffer dramatic performance downgrade.

We recently got referenced in Security Focus, check it out:

Security Focus: www.securityfocus.com/bid/13215

Links

• Security Focus: Multiple Vendor TCP Session Acknowledgement Number Denial Of Service Vulnerability

Speakers

• Diego Casati
• Leandro Spinola

Schedule

Informations