Sunday, October 5, 2008

For those with limited time...

Some people may have only read the news stories out there instead of hearing what we actually had to say. I apologize; the podcast was pretty long.

Thanks to Jason Ross for providing a transcript of these soundbites.

To remind people of what we actually said, I have prepared soundbites answering the following questions:

1) What are these DoS issues really about?
soundbite-1

"The idea is that TCP basically assumes that once you go through the 3-way handshake, you're a pretty decent individual; you're not spoofing, so we can start using a whole bunch of resources once we get through that 3-way handshake. But the actual issue is, once you perform the 3-way handshake, it doesn't guarantee at all that the other guy is not attacking you. And so there's a lot of resources that are exposed just by having a TCP service listening that an attacker can very easily just take offline."

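As an added example (not part of the post or the podcast), here is a small defender-side check that reads `ss -tan` style socket-table lines and counts ESTABLISHED connections per peer, so a handful of real, non-spoofed addresses holding many of a service's connection slots stands out; the socket lines are constructed, and the column layout is assumed to follow `ss -tan`.

```python
import re
from collections import Counter

# Constructed sample in the layout of `ss -tan` (not real data): one peer
# holds several completed connections to port 80, others hold one or two.
SAMPLE_SS_OUTPUT = """\
State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN     0      128    0.0.0.0:80           0.0.0.0:*
ESTAB      0      0      10.0.0.5:80          203.0.113.7:40001
ESTAB      0      0      10.0.0.5:80          203.0.113.7:40002
ESTAB      0      0      10.0.0.5:80          203.0.113.7:40003
ESTAB      0      0      10.0.0.5:80          203.0.113.7:40004
ESTAB      0      0      10.0.0.5:80          192.0.2.44:6000
ESTAB      0      0      10.0.0.5:22          192.0.2.44:6001
SYN-RECV   0      0      10.0.0.5:80          198.51.100.9:51000
ESTAB      0      0      [2001:db8::5]:80     [2001:db8::99]:7000
"""

# state, recv-q, send-q, local addr:port, peer addr:port. Bracketed IPv6
# addresses match because \S+ backtracks to the last ':' before the port.
LINE_RE = re.compile(r"^(\S+)\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s*$")


def parse_sockets(text):
    """Yield (state, local_port, peer_ip) for every fully specified socket line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank line, or wildcard peer such as 0.0.0.0:*
        state, _local, lport, peer, _pport = m.groups()
        yield state, int(lport), peer


def established_per_peer(text, local_port=None):
    """Count completed (post-handshake) connections per peer address."""
    counts = Counter()
    for state, lport, peer in parse_sockets(text):
        if state != "ESTAB":
            continue  # half-open SYN-RECV entries are a different resource
        if local_port is not None and lport != local_port:
            continue
        counts[peer] += 1
    return counts


def total_established(text, local_port=None):
    """Total completed connections; compare against the service's capacity."""
    return sum(established_per_peer(text, local_port).values())


def flag_hoarders(text, threshold, local_port=None):
    """Peers holding at least `threshold` established connections."""
    counts = established_per_peer(text, local_port)
    return sorted((peer, n) for peer, n in counts.items() if n >= threshold)
```

A per-peer threshold only catches a concentrated source; an attacker spread across many addresses shows up instead as `total_established` climbing toward the listener's limit while each peer stays below the threshold.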

2) Why are we talking about this publicly at all?
soundbite-2

"Well, this discovery was initially made in 2005. And back then, we had reservations about coming public with it because there was also no information available on how to solve it. So the hope is now that, as we are coming forward and pointing out that there is an issue, we can raise the awareness and get more people that are smarter than we are involved in looking at a solution. Just because we can't think of a solution doesn't mean there isn't one; it just means that we haven't thought of it yet.

If someone doesn't stand up and wave their hand and go 'we have an issue here guys, these things that we've been putting online are pretty easy to knock over', just because we never talk about that publicly, it certainly won't get any better. And when we adopt things like IPv6, the problem is three times worse, at least. And there's so many new features going in, and it just doesn't seem like people are thinking about what the impacts of adding all this new neat functionality are. Attacks are becoming worse and worse. And so, if we don't say anything, if we don't like raise our hand and try and tell vendors that they have an issue, you know, in five years when we're using more complicated stacks that have more code in them and someone figures this out, then we're going to be really screwed. So in the meantime, the solution of course is to not just, you know, sweep it under the rug and just pretend that there's no problem. I mean, it certainly will only get worse from this point forward unless people start thinking about this kind of stuff."

3) Are we worried about others rediscovering these issues?
soundbite-3

"Well, the thing is, we also are taking a risk that some really smart guy is gonna tell us there's some really smart workaround for this that we didn't know. I mean, of course it can go... there could be bad or good things that come from it. But I think that... the only possible outcome, I think, by trying to talk to people and point out that there's problems with certain things, especially when we're not giving out the details and we're not telling them 'hey, do this and that system will fall over'... we're not doing that. I think the best thing that'll happen is that people are just gonna kinda start to poke around and think and go 'ok, maybe there's actually some ways to fix this'. And it's foolish to think that just because we maybe don't tell someone about how these attacks work, someone else won't eventually find out anyway that these attacks do work. We don't have to tell them; it is a matter of time before someone else finds out.

We certainly don't have a monopoly on intelligence or bug finding abilities, so... it's not one of those things. I mean, eventually someone would have found the problem in DNS too. It's just a matter of time. Like, maybe someone found it 3 years ago; we don't really know. But a coordinated responsible disclosure and trying to bring awareness that there are security implications that involve TCP, I think, are only gonna be beneficial for everyone on the internet. I certainly don't want the internet to fall over, and I certainly want people to take TCP and availability more seriously than they do now. I think what we're doing is the best thing that we can do."

4) What would we like to see from the security community?
soundbite-4

"I'd like to get some really smart people to think about what sorts of things are available in TCP and how we can potentially safeguard our kernels a little bit better against people who are malicious."

5) Is it time to panic? Is everything so broken there is no hope?
soundbite-5

"Well, you know, it's funny, we talk about this internally all the time. There's a lot of researchers out there that'll go find a major bug and pull a Chicken Little routine about how 'oh, we can break the internet in 30 seconds' and, you know, 'it's doomsday all over again'. And although we do definitely take this seriously, and we do think that this is a very highly severe availability issue, we think that the community is smart enough and has proven robust enough to be able to handle these sorts of things before it becomes too bad of an issue. So no; I think every time that we thought a system is so bad that we have to just scrap it and throw the baby out with the bathwater, I am often surprised at how simple and elegant a solution that we didn't think about can be. So I'm hoping that's what happens in this case as well."

6) How do you think this will play out?
soundbite-6

"We still use SMTP to send email, and the majority of email is spam. But do we throw away SMTP because it was a broken design? I mean, the community as a whole, I think, likes to find workarounds more than anything else. I mean, if it was a perfect world, we probably should reconsider how we do TCP. And we should probably that people are the internet and want us to do the best. It's a hostile environment. It's actually more of a hostile environment than a lot of the people who were designing these protocols thought. So ideally we probably should design something new, but chances are pretty slim that that'll ever happen. I think someone will just come around with some mitigations that really limit the depth of this problem to something that everyone's willing to accept. I think that's probably what will happen."

5 comments:

Anonymous said...

Great! Now let me know when you release a transcript of these MP3s so that I can READ them.

blad3 said...

Thanks for the patience of cutting those fragments.

I have one or two questions.
The issue reported by Fyodor is NOT one of your attacks. Am I correct?

So, we are not talking just about using client-side SYN cookies to win the resource war. Or if this is what we are talking about, there are better ways to do it (compared with the one reported by Fyodor)?

Thanks in advance,
Bogdan

Robert E. Lee said...

@anonymous

If anyone finds a full transcript I'll link to it. I apologize, I don't have the time to transcribe it myself.

Robert E. Lee said...

@blad3

When we were putting together the slide deck for the Sec-T show we realized that simply having a demo without any background information would be rather short and boring.

We spent some time putting together a lot of information that we thought would be useful to someone new to TCP DoS in general. The content of those slides, and much of the podcast talking about client-side SYN cookies, is not related to the vulnerabilities Louis has discovered.

Furthermore, as we said in the podcast, we know others have been using a similar technique for user-land stacks since at least 1999. We were not claiming that element to be new or alarming.

John Thompson (CurbRisk.com) said...

I've completed a full transcript of the interview. It can be found here: http://www.curbrisk.com/security-blog/outpost24-tcp-denial-of-service-vulnerability-interview-transcript.html