Diego Protta Casati Leandro Spínola Rodrigues

Undead Attack


DESCRIPTION

Talk that I delivered during the What the Hack! conference.


Page 1: Undead Attack

Diego Protta Casati Leandro Spínola Rodrigues

Page 2

Who are we?

Page 3

How did it start?

● Setting up a hackathon in Santa Rita do Sapucaí/MG
● 1st hackathon: 07/03/2004 (7 March 2004)
● Analysis of TCP packets, using OpenBSD, FreeBSD and Windows XP, while trying to terminate a Telnet connection

Page 4

A brief explanation of the flaw

● An abnormal condition in the TCP/IP stack
● A state the stack implementation did not anticipate

What did we find?

What is the problem with it?
● Increased CPU consumption
● Drop in network performance

Who is vulnerable???

Page 5

Affected systems

● Microsoft Windows XP Professional: SP2, SP1 and base release
● Microsoft Windows XP Home: SP2, SP1 and base release
● Microsoft Windows Server 2003 Web Edition: SP1 and base release
● Microsoft Windows Server 2003 Standard Edition: x64 Edition, SP1 and base release
● Microsoft Windows Server 2003 Enterprise Edition: x64 Edition, 64-bit SP1, 64-bit, SP1 and base release
● Microsoft Windows Server 2003 Datacenter Edition: 64-bit SP1, 64-bit, SP1 and base release
● Microsoft Windows NT Server 4.0: SP6a, SP6, SP5, SP4, SP3, SP2, SP1 and base release
● Microsoft Windows NT Enterprise Server 4.0: SP6a, SP6, SP5, SP4, SP3, SP2, SP1 and base release
● Microsoft Windows 98SE
● Microsoft Windows 2000 Server: SP4, SP3, SP2, SP1 and base release (including Avaya DefinityOne Media Servers, Avaya IP600 Media Servers, Avaya S3400 Message Application Server and Avaya S8100 Media Servers)
● Microsoft Windows 2000 Professional: SP4, SP3, SP2, SP1 and base release
● Microsoft Windows NT Workstation 4.0: SP6a, SP6, SP5, SP4, SP3, SP2, SP1 and base release

Page 6

● Microsoft Windows NT Terminal Server 4.0: SP6a, SP6, SP5, SP4, SP3, SP2, SP1 and base release
● Microsoft Windows 2000 Datacenter Server: SP4, SP3, SP2, SP1 and base release
● Microsoft Windows 2000 Advanced Server: SP4, SP3, SP2, SP1 and base release
● Linux kernel 2.6.11.6, 2.6.11.5, 2.6.11-rc4, 2.6.11-rc3, 2.6.11-rc2, 2.6.11
● Linux kernel 2.6.10-rc2, 2.6.10 (including Red Hat Fedora Core 2, Red Hat Fedora Core 3, Ubuntu Linux 5.04 amd64, i386 and powerpc)
● Linux kernel 2.6.9
● Linux kernel 2.6.8-rc3, 2.6.8-rc2, 2.6.8-rc1 (including Ubuntu Linux 4.1 ia32, ia64 and ppc), 2.6.8
● Linux kernel 2.6.7-rc1, 2.6.7, 2.6.6-rc1, 2.6.6, 2.6.5, 2.6.4, 2.6.3, 2.6.2, 2.6.1-rc2, 2.6.1-rc1, 2.6.1
● Linux kernel 2.6-test9-CVS, 2.6-test11 through 2.6-test1, 2.6
● Linux kernel 2.4.30-rc3, 2.4.30-rc2, 2.4.30, 2.4.29-rc2, 2.4.29-rc1, 2.4.29, 2.4.28
● Linux kernel 2.4.27-pre5 through 2.4.27-pre1, 2.4.27, 2.4.26, 2.4.25, 2.4.24-ow1, 2.4.24, 2.4.23-pre9, 2.4.23-ow2, 2.4.23
● Linux kernel 2.4.22 (including Devil-Linux 1.0.4 and 1.0.5, Mandrake Linux 9.2 and 9.2 amd64, Red Hat Fedora Core 1, Slackware Linux 9.1)

Page 7

● Linux kernel 2.4.21-pre7, 2.4.21-pre4 (including Mandrake Linux 9.1 and 9.1 ppc), 2.4.21-pre1
● Linux kernel 2.4.21 (including Conectiva Linux 9.0, Mandrake Linux 9.1 and 9.1 ppc, Red Hat Desktop 3.0, Red Hat Enterprise Linux AS 3, ES 3 and WS 3, SuSE Linux Enterprise Server 8, SuSE Linux Personal 9.0 and 9.0 x86_64)
● Linux kernel 2.4.20 (including CRUX Linux 1.0, Gentoo Linux 1.2 and 1.4, Red Hat Linux 9.0 i386, Slackware Linux 9.0, WOLK 4.4s)
● Linux kernel 2.4.19-pre6 through 2.4.19-pre1, 2.4.19
● Linux kernel 2.4.18-pre8 through 2.4.18-pre1, 2.4.18 x86, 2.4.18, 2.4.17, 2.4.16, 2.4.15, 2.4.14
● Linux kernel 2.4.13 (including Caldera OpenLinux Server 3.1.1 and Caldera OpenLinux Workstation 3.1.1)
● Linux kernel 2.4.12 (including Conectiva Linux 7.0), 2.4.11, 2.4.10, 2.4.9, 2.4.8
● Linux kernel 2.4.7 (including Red Hat Linux 7.2, SuSE Linux 7.1 and 7.2), 2.4.6
● Linux kernel 2.4.5 (including Slackware Linux 8.0), 2.4.4, 2.4.3, 2.4.2, 2.4.1
● Linux kernel 2.4.0-test12 through 2.4.0-test1, 2.4

Reference: www.securityfocus.com/bid/13215

Page 8

Systems not affected ....

OpenBSD

The only operating system tested that is not affected so far

Page 9

Latest findings

● Mac OS X Tiger
● NetBSD 2.0
● FreeBSD 6.0 Beta
● Linux 2.6.13-rc3

Discovered during What the Hack!

Page 10

Advisories

Page 11

http://nvd.nist.gov/nvd.cfm?cvename=CAN-2005-1184

Page 12

www.securityfocus.com/bid/13215

Princípios básicos

Page 14: Undead Attack

Pacote Ethernet

* Tamanho [Bytes]

Page 15: Undead Attack

* Tamanho [ bits]

Pacote IP

Page 16: Undead Attack

Pacote TCP

* Tamanho [bits]

Page 17

Three-way handshake

A, B (diagram: SYN, SYN/ACK, ACK)

Connection established

Page 18

Connection teardown

A, B (diagram: FIN, ACK, FIN, ACK)

Connection closed

Page 19

TCP keep-alive

A, B (diagram)

Previous scenario

TCP keep-alive completed
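As an added example (not code from the talk), the three exchanges above and the check an established endpoint applies before it accepts an incoming ACK, modelled in Python after RFC 793 and RFC 1122. The initial sequence numbers, the window size and the flood size are constructed values, and the model assumes the forger knows in-window sequence numbers, as the talk's diagram (Z watching the A-B connection) implies:

```python
"""Model of a TCP endpoint: handshake, teardown, keep-alive and the RFC 793
acceptability check for an ACK on a synchronised connection.
Added example, not the talk's code; ISNs and window are constructed."""
from dataclasses import dataclass

FIN, SYN, ACK = 0x01, 0x02, 0x10
SYNCHRONISED = {"ESTABLISHED", "FIN_WAIT_1", "FIN_WAIT_2", "CLOSE_WAIT", "LAST_ACK", "TIME_WAIT"}


@dataclass
class Segment:
    seq: int
    ack: int
    flags: int
    length: int = 0   # payload bytes (SYN and FIN each consume one sequence number too)


@dataclass
class Endpoint:
    state: str = "CLOSED"
    snd_una: int = 0   # oldest unacknowledged sequence number we sent
    snd_nxt: int = 0   # next sequence number we will send
    rcv_nxt: int = 0   # next sequence number we expect from the peer
    rcv_wnd: int = 65535
    processed: int = 0  # segments that went through the input path (the cost a flood exploits)


def in_window(ep, seg):
    """RFC 793 'first check sequence number': is any byte of the segment inside
    [RCV.NXT, RCV.NXT + RCV.WND)?  An empty segment is judged on SEQ alone."""
    lo, hi = ep.rcv_nxt, ep.rcv_nxt + ep.rcv_wnd
    last = seg.seq + max(seg.length - 1, 0)
    return lo <= seg.seq < hi or lo <= last < hi


def deliver(ep, seg):
    """Process one incoming segment at endpoint ep and return the stack's verdict."""
    ep.processed += 1
    if ep.state == "LISTEN" and seg.flags & SYN:
        ep.rcv_nxt, ep.state = seg.seq + 1, "SYN_RECEIVED"
        return "accepted"
    if ep.state == "SYN_SENT" and (seg.flags & (SYN | ACK)) == (SYN | ACK):
        if seg.ack != ep.snd_nxt:
            return "dropped"
        ep.rcv_nxt, ep.snd_una, ep.state = seg.seq + 1, seg.ack, "ESTABLISHED"
        return "accepted"
    if ep.state not in SYNCHRONISED and ep.state != "SYN_RECEIVED":
        return "dropped"
    if not in_window(ep, seg):
        return "ack-sent"            # unacceptable: answer with an ACK, change nothing
    if not seg.flags & ACK:
        return "dropped"
    if seg.ack > ep.snd_nxt:         # acknowledges data we never sent: ACK and drop
        return "ack-sent"
    if seg.ack > ep.snd_una:         # SND.UNA < SEG.ACK <= SND.NXT: send window advances
        ep.snd_una = seg.ack
    if seg.seq == ep.rcv_nxt:        # in-order payload is consumed
        ep.rcv_nxt += seg.length
    if ep.state == "SYN_RECEIVED":
        ep.state = "ESTABLISHED"
    elif seg.flags & FIN and seg.seq + seg.length == ep.rcv_nxt:
        ep.rcv_nxt += 1
        ep.state = {"ESTABLISHED": "CLOSE_WAIT", "FIN_WAIT_2": "TIME_WAIT"}.get(ep.state, ep.state)
    elif ep.state == "FIN_WAIT_1" and seg.ack == ep.snd_nxt:
        ep.state = "FIN_WAIT_2"
    elif ep.state == "LAST_ACK" and seg.ack == ep.snd_nxt:
        ep.state = "CLOSED"
    return "accepted"


def open_connection(a, b, isn_a=1000, isn_b=5000):
    """Three-way handshake, A (active open) to B (passive open)."""
    b.state = "LISTEN"
    a.state, a.snd_una, a.snd_nxt = "SYN_SENT", isn_a, isn_a + 1
    deliver(b, Segment(isn_a, 0, SYN))                  # A -> B: SYN
    b.snd_una, b.snd_nxt = isn_b, isn_b + 1
    deliver(a, Segment(isn_b, a.snd_nxt, SYN | ACK))    # B -> A: SYN/ACK
    deliver(b, Segment(a.snd_nxt, b.snd_nxt, ACK))      # A -> B: ACK


def close_connection(a, b):
    """Orderly teardown with A closing first: FIN, ACK, FIN, ACK."""
    a.state = "FIN_WAIT_1"
    deliver(b, Segment(a.snd_nxt, b.snd_nxt, FIN | ACK))  # A -> B: FIN
    a.snd_nxt += 1
    deliver(a, Segment(b.snd_nxt, a.snd_nxt, ACK))        # B -> A: ACK of FIN
    b.state = "LAST_ACK"
    deliver(a, Segment(b.snd_nxt, a.snd_nxt, FIN | ACK))  # B -> A: FIN
    b.snd_nxt += 1
    deliver(b, Segment(a.snd_nxt, b.snd_nxt, ACK))        # A -> B: ACK of FIN


def keepalive_probe(prober, peer):
    """RFC 1122 keep-alive: an empty ACK whose SEQ is one below what the peer expects.
    It fails the peer's window check, so the peer replies with an ACK (proof of life)
    and changes no state."""
    return deliver(peer, Segment(prober.snd_nxt - 1, prober.rcv_nxt, ACK))


def ack_flood(target, spoofed_peer, count):
    """Z forges the peer's address and sends pure ACKs with in-window numbers.
    Every one passes the checks in deliver() and alters nothing, yet each costs
    the target a full pass through its input processing. Returns accepted count."""
    verdicts = [deliver(target, Segment(spoofed_peer.snd_nxt, spoofed_peer.rcv_nxt, ACK))
                for _ in range(count)]
    return verdicts.count("accepted")


def demo():
    a, b = Endpoint(), Endpoint()
    open_connection(a, b)
    result = {"established": a.state == "ESTABLISHED" == b.state,
              "keepalive": keepalive_probe(a, b)}
    before = b.processed
    result["flood_accepted"] = ack_flood(b, a, 1000)
    result["flood_cost"] = b.processed - before
    result["state_after_flood"] = b.state
    close_connection(a, b)
    result["after_close"] = (a.state, b.state)
    return result


if __name__ == "__main__":
    print(demo())
```

The point to take from `demo()` is the pair `flood_accepted == flood_cost`: the forged segments are indistinguishable from the peer's own idle ACKs at the level of the RFC 793 checks, so the stack cannot refuse them without also breaking legitimate traffic; the cost is the per-segment processing, which is exactly what the talk measured as CPU consumption.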

Page 20

The attack

Page 21

The attack

A TCP connection is detected

Flood of TCP ACK packets

Z, A, B (diagram: Z floods the connection between A and B)

Page 22

Undead Attack

Z, A, B (diagram)

Previous scenario

Flood of TCP ACK packets

Page 23

Attack scenarios

Page 24

Scenario I: Denial of Service (DoS)

Target, Zombie (diagram)

Page 25

Scenario II: Distributed Denial of Service (DDoS)

Target, five Zombies (diagram)

Page 26

How to defend?

The forged packet is fully accepted by the receiver!
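Because the forged segment passes every check the receiver applies, the signal that is left is volume. The following is an added example (not the talk's code and not the storm.c exploit it references): a parser for raw IPv4/TCP packets that verifies the TCP checksum, and a detector that flags flows whose rate of pure ACKs (ACK set, no SYN/FIN/RST, no payload) in a one-second bucket exceeds a threshold. The addresses, ports, timestamps, the 200-packet flood and the threshold of 50 are constructed values:

```python
"""ACK-flood detection over raw IPv4/TCP packets.
Added example, not the talk's code; the capture below is constructed."""
import struct
from collections import Counter

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words, as used by IP and TCP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ip_bytes(addr):
    return bytes(int(o) for o in addr.split("."))


def build_packet(src, sport, dst, dport, seq, ack, flags, payload=b""):
    """IPv4 header + TCP header (no options) + payload, both checksums valid."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    pseudo = ip_bytes(src) + ip_bytes(dst) + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ip_bytes(src), ip_bytes(dst))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def parse_packet(pkt):
    """Decode an IPv4/TCP packet; None for non-TCP, truncated, or bad TCP checksum."""
    ihl, total_len, proto = (pkt[0] & 0x0F) * 4, struct.unpack("!H", pkt[2:4])[0], pkt[9]
    if proto != 6 or total_len > len(pkt):
        return None
    tcp = pkt[ihl:total_len]
    # A valid checksum sums (with the checksum field included) to zero.
    if checksum(pkt[12:20] + struct.pack("!BBH", 0, 6, len(tcp)) + tcp) != 0:
        return None
    sport, dport, seq, ack, off, flags = struct.unpack("!HHIIBB", tcp[:14])
    return {"src": ".".join(map(str, pkt[12:16])), "dst": ".".join(map(str, pkt[16:20])),
            "sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
            "payload": len(tcp) - (off >> 4) * 4}


def is_pure_ack(p):
    return bool(p["flags"] & ACK) and not p["flags"] & (SYN | FIN | RST) and p["payload"] == 0


def detect_ack_flood(capture, threshold=50, bucket_s=1.0):
    """capture: iterable of (timestamp, raw_packet). Returns the flows
    (src, sport, dst, dport) whose pure-ACK count exceeds threshold in any bucket."""
    counts = Counter()
    for ts, raw in capture:
        p = parse_packet(raw)
        if p and is_pure_ack(p):
            counts[(p["src"], p["sport"], p["dst"], p["dport"], int(ts // bucket_s))] += 1
    return sorted({k[:4] for k, n in counts.items() if n > threshold})


def sample_capture():
    """Constructed capture: a Telnet session 10.0.0.1:1234 -> 10.0.0.2:23, then Z
    spoofing 10.0.0.1 and sending 200 in-window pure ACKs within one second."""
    a, b, pkts = ("10.0.0.1", 1234), ("10.0.0.2", 23), []
    for i in range(5):                                    # legitimate echo traffic
        pkts.append((0.2 * i, build_packet(*a, *b, 1000 + i, 5000, ACK | PSH, b"x")))
        pkts.append((0.2 * i + 0.01, build_packet(*b, *a, 5000, 1001 + i, ACK)))
    for i in range(200):                                  # the flood, forged as A -> B
        pkts.append((1.0 + i / 200, build_packet(*a, *b, 1005, 5000, ACK)))
    damaged = bytearray(build_packet(*a, *b, 1005, 5000, ACK))
    damaged[30] ^= 0xFF                                   # corrupt the ACK field: checksum fails
    pkts.append((1.5, bytes(damaged)))
    return pkts


if __name__ == "__main__":
    print(detect_ack_flood(sample_capture()))
```

Since Z forges A's address, the flagged flow is the legitimate one: the detector tells you which connection is under fire, not who is sending. The controls that follow from this are per-flow rate limiting at the receiver and ingress filtering of spoofed source addresses at the network edge, not a signature on the packet itself. The threshold has to sit above the pure-ACK rate of a busy bulk transfer, which can be thousands per second; the five ACKs of this constructed session are not a baseline.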

Page 27

Screenshots

Page 28

Windows 98 Second Edition

Page 29

Windows 2000 Server

Page 30

Windows XP Service Pack 2

Page 31

Windows Server 2003

Page 32

Microsoft

“... At this point, we have completed our initial investigation of this issue and have determined that the most appropriate ship vehicle to fix this issue is a Service Pack for the affected supported platforms. This decision was arrived at after weighing the seriousness of the vulnerability as well as the likelihood of exploitability. ...”

Page 33

References

TCP/IP Illustrated, W. Richard Stevens
[Advisory] http://www.securityfocus.com/bid/13215
[Exploit] http://www.securityfocus.com/data/vulnerabilities/exploits/storm.c
[What the Hack] http://wiki.whatthehack.org/index.php?title=Undead_Attack

Page 34

“Security is a process, not a product”

Bruce Schneier, creator of Blowfish

Page 35

E-mails

Diego Protta Casati

[email protected]

Leandro Spínola Rodrigues

[email protected]