Tuesday, September 30, 2008

Sockstress Podcast Interview...

Brenno de Winter interviewed Jack C. Louis and me about sockstress and the TCP vulnerabilities Louis discovered. We will be talking about these vulnerabilities at the upcoming T2 conference in Helsinki.

To hear the podcast, click here. The opening part is in Dutch, but our interview starts around 5 minutes in.

There is also an article written in Dutch available here.

Our T2 talk is at 15:00 on Friday the 17th.

We expect the talk to be pretty enjoyable. Hope to see you there! :)

Monday, September 22, 2008

IPTABLES connection limiting question..

This is in response to the comment thread from here:

Couldn't use --hashlimit-burst 0... had to make it --hashlimit-burst 1.

While the "near" matching patch might help against this singular attack implementation, a slight modification on the attacker's side would nullify the benefit.

Looking at the output of 'iptables -L -v', I do see the DROP rule growing, so it is "slowing down" the attack slightly... but no perceived protection from the attacker's perspective. The resource still becomes unavailable to normal clients.

=-=-=-=-=-=-=-=-=-=-=-=

Initially about 17% of the attacker's connection attempts were blocked, without actually protecting the victim. I then set up the same attack scenario but came from more IP addresses (/25 instead of /28). Only 3% of the attacker's connection attempts were blocked.

As the attacker uses more SRC IPs, or the number of connection attempts per second is reduced, you'll see the drops approach 0.
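As an added illustration (not code from this post or from Outpost24), here is a small Python model of hashlimit's per-source token bucket: each source IP gets a bucket of `--hashlimit-burst` tokens refilled at the configured rate, and an attempt that finds no token hits the DROP rule. The limiter rate, the attempt rate and the 203.0.113.0/28 and /25 blocks are assumed values; the model reproduces the observation above that spreading the same attempt rate over more source addresses drives the drop fraction toward zero.

```python
"""Per-source token-bucket model of the iptables hashlimit match (constructed example)."""
from dataclasses import dataclass, field
from ipaddress import ip_network


@dataclass
class HashLimit:
    """Approximates `-m hashlimit --hashlimit-mode srcip`: one bucket per source IP,
    `burst` tokens deep, refilled at `rate` tokens/second (entry expiry is ignored)."""
    rate: float
    burst: int
    buckets: dict = field(default_factory=dict)  # src -> (tokens, last_seen)

    def allow(self, src: str, now: float) -> bool:
        # A source seen for the first time starts with a full bucket.
        tokens, last = self.buckets.get(src, (float(self.burst), now))
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        if tokens >= 1.0:                     # a token is available: the attempt is accepted
            self.buckets[src] = (tokens - 1.0, now)
            return True
        self.buckets[src] = (tokens, now)     # bucket empty: the packet hits the DROP rule
        return False


def hosts_in(prefix: str) -> int:
    """Usable host addresses in a CIDR block, e.g. /28 -> 14, /25 -> 126."""
    return sum(1 for _ in ip_network(prefix).hosts())


def drop_fraction(rate: float, burst: int, num_sources: int,
                  attempts_per_sec: float, seconds: float = 4.0) -> float:
    """Fraction of connection attempts the limiter drops when a fixed attempt rate
    is spread round-robin over `num_sources` source addresses."""
    limiter = HashLimit(rate, burst)
    sources = [f"src{i}" for i in range(num_sources)]
    interval = 1.0 / attempts_per_sec
    total = int(attempts_per_sec * seconds)
    dropped = sum(1 for i in range(total)
                  if not limiter.allow(sources[i % num_sources], i * interval))
    return dropped / total


if __name__ == "__main__":
    # Assumed limiter of 5 new connections/sec per source with burst 1, facing
    # 200 attempts/sec from a /28 and then from a /25 (the post's two scenarios).
    for prefix in ("203.0.113.0/28", "203.0.113.0/25"):
        frac = drop_fraction(5, 1, hosts_in(prefix), 200)
        print(f"{prefix}: {frac:.0%} of attempts dropped")
```

The per-source limit only bites when a single address exceeds the rate, so a defender sizing such a rule should compare the limit against the aggregate attempt rate the service can absorb, not against what one source can send.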

Compliant, yet Insecure...

Bill Sieglein just wrote a short article about the balancing act between being compliant and being secure.

Since security is often considered a cost center instead of a business enabler, and with the increased number of regulations to comply with, many executives have adopted a checklist attitude towards security.

This unfortunately can lead to organizations being compliant with individual standards (PCI, SOX, HIPAA, etc.), yet still being insecure overall.

Bill's suggestions for how to counter this problem read well.

Thursday, September 18, 2008

Outpost24 Services reviewed in Tietokone Magazine

Outpost24 services just got reviewed by Tietokone Magazine in Finland.

I can't read this article, but according to our Finnish country manager, it was very positive.

Some highlights of the review:
"OUTPOST24 OUTSCAN: Service detects website security breaches" (The title)
"The idea of the service is very attractive."
"The idea of Outscan is an automated process which would save you time and money."
"This excellent idea has also been implemented well."
"The results are delivered as a detailed but clear report."
"When we scanned a large website with Outscan we found some new security breaches, although the site had been audited just recently."
"The price starts from less than a couple of thousand euros per year. For larger websites the price is reasonable compared to the benefit and the saved working time."

At the end of the story they mention that we also deliver HIAB, which "runs the same tests internally within the network and reports the security breaches of any desired device."

As a result they give OutScan 4 stars on a scale of 5 (they very seldom give the maximum).


Tietokone Magazine (www.tietokone.fi) is the number one ICT specialist magazine in Finland, announcing some 43 000 print subscribers, an estimated readership of over 140 000, and some 100 000 weekly visitors online.

Friday, September 12, 2008

Sec-T Sockstress Recap...


The 1st talk on Jack C. Louis's research into TCP sockets has been delivered. We received some very positive feedback from the people who attended the talk. It has even been blogged about (one, two, three).

While out at the SEC-T pub (londoner), someone asked what impact the attacks would have against a system that was completely firewalled. If there are no TCP services available for connections then the attack would not have an effect.

The point we were trying to make about stateful firewalls/IPS is that they now have to keep track of state for all of the normal traffic plus:
Attacker_IPs*65k*Destination_IPs*Destination_Services

This number can very quickly grow beyond what the inline stateful devices can manage.

That said, establishing connections is not the attack. It is what enables the attacks.

In 33 days we will be speaking about Sockstress again at the T2 conference in Helsinki.

Monday, September 8, 2008

Computer Hacker Club

Thinkin did a great job starting a new Computer Hacker Club. The club plans to meet on the 1st Friday of every month. This month was the first meeting.

There were talks from pewp, jack, and jrl.

Pewp's talk was retro and showed off an old fingerd vulnerability. We also went through a local root vulnerability on Ubuntu.

jack and jrl talked about how TCP works, historic TCP vulnerabilities, client-side Syn Cookies, and possible future TCP DoS vulnerabilities.

In attendance was thinkin, guerrilla, akita, psc, CC, jrl, jack, and pewp.

We had a nice projector screen, but no whiteboard at this talk. Thankfully jack had a chance to grab some paper on the way over.

Here is an action shot of jack explaining TCP sliding windows with guerrilla helping to hold the paper:


The Computer Hacker Club meets on the 1st Friday of the month in Karlskrona at:
Café Porslinan
19:00 - Late

If you're in the area, please feel free to stop by and join in.