Unix flaw opens servers to denial-of-service attacks by exhausting process table resources.
--------------------------------------------------------------
This story was printed from ZDNN,
located at http://www.zdnet.com/zdnn.
--------------------------------------------------------------
Major Unix flaw emerges
By Randy Barrett, Inter@ctive Week Online
March 1, 1999 9:30 AM PT
URL: http://www.zdnet.com/zdnn/stories/news/0,4586,2217922,00.html
A newly discovered Unix design flaw threatens thousands of computers that operate on the Internet.
The vulnerability opens Unix-based servers to a new kind of denial-of-service attack that overloads the servers'
ability to answer incoming queries, according to security expert and Internet service provider (ISP) owner Simson
Garfinkel. Garfinkel's ISP, Vineyard.Net, experienced such an attack in early 1998, but Garfinkel soon realized the
situation was an accident caused by a subscriber's faulty software.
"The buggy software would finger our computer every minute, but it never hung up," Garfinkel said. By not terminating
the connection, the program quickly loaded up his Unix server's "process tables" and brought the ISP to a standstill
for two hours.
"We didn't go looking for this. It hit us. It's not theoretical," Garfinkel said.
The attack entails sending repeated open-connection requests to a Unix server. Subprograms - like the Internet
daemon, Secure Shell daemon and Internet Message Access Protocol daemon - are written to automatically answer
the connection and carry out requests. But if the connection is initiated with no request, most daemons keep the line
open, consuming an entry in the server's process table, which can hold between 600 and 1,500 simultaneous tasks.
Repeated connections eventually overload the process table and crash the server.
Garfinkel publicly outlined the vulnerability - which affects nearly all Unix-based platforms, including Irix, Linux and
Solaris - on a security newsgroup Feb. 19. This was after his repeated attempts to notify programmers at Berkeley
Software Design Inc., Hewlett-Packard, Silicon Graphics Inc. and Sun Microsystems of the problem last year. None
of the vendors gave it any notice, Garfinkel said.
"It wasn't new enough to immediately gain attention. It's a design flaw, not a bug," said Gene Spafford, professor of
computer science at Purdue University.
Sabotage can come from outside
Process table attacks are old news to Unix programmers, but Garfinkel discovered that the assault can come from the
outside. Previously, developers only thought such sabotage could come from someone with internal access.
AT&T Fellow Steven Bellovin said the vulnerability is real. "If I were running a popular server, I would at least try to
add some resource limitation."
Garfinkel said the servers most open to attack are those used for electronic mail, file serving and Web hosting.
Protecting against it is relatively easy: daemon programs can be rewritten to limit incoming connections or drop them
after 30 seconds.
"They need to have a governor installed," Garfinkel said.
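A governor of the kind described above, written as an added example that is not code from the article: a small line-oriented daemon that caps concurrent connections and drops any connection that sends no request before the idle timeout. `GovernedServer`, `exercise_governor`, the cap of 8 and the 30-second default are all constructed for illustration.

```python
import socket
import threading
# Added example, not code from the article: a "governor" combining the two
# mitigations named above (connection cap and idle timeout); values are illustrative.
class GovernedServer:
    def __init__(self, max_conns=8, idle_timeout=30.0):
        self.max_conns, self.idle_timeout = max_conns, idle_timeout
        self.active, self.dropped_idle, self.rejected_full = 0, 0, 0
        self.lock = threading.Lock()
        self.sock = socket.create_server(("127.0.0.1", 0))  # loopback, ephemeral port
        self.port = self.sock.getsockname()[1]

    def serve_forever(self):
        while True:
            conn, _ = self.sock.accept()
            with self.lock:
                if self.active >= self.max_conns:
                    self.rejected_full += 1
                    conn.close()  # refuse: better than letting the process table fill
                    continue
                self.active += 1
            threading.Thread(target=self.handle, args=(conn,), daemon=True).start()

    def handle(self, conn):
        conn.settimeout(self.idle_timeout)  # a client that never asks gets dropped
        rfile, timed_out = conn.makefile("rb"), False
        try:
            line = rfile.readline(4096)  # returns on a request, raises on the timeout
            if line:
                conn.sendall(b"OK " + line.strip() + b"\n")
        except socket.timeout:
            timed_out = True  # no request in time: the slot is freed below
        finally:
            with self.lock:
                self.active -= 1  # release the slot before closing
                if timed_out:
                    self.dropped_idle += 1
            rfile.close()
            conn.close()

def exercise_governor(idle_timeout=1.0):
    # Cap of 2: one well-behaved client, two silent ones, then one over the cap.
    srv = GovernedServer(max_conns=2, idle_timeout=idle_timeout)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    addr = ("127.0.0.1", srv.port)
    with socket.create_connection(addr) as c:
        c.sendall(b"ping\n")
        reply = c.makefile("rb").read()  # reads to EOF, i.e. until the server closes
    held = [socket.create_connection(addr) for _ in range(2)]  # connect, never ask
    with socket.create_connection(addr) as c:
        third = c.recv(64)  # b"": refused, the cap is reached
    idle = [s.recv(64) for s in held]  # b"" once the idle timeout fires
    return {"reply": reply, "third": third, "idle": idle, "rejected": srv.rejected_full, "dropped": srv.dropped_idle}
```

The normal request is still answered, the connection over the cap is refused at accept time, and the two silent connections are closed once the timeout fires instead of holding their slots.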
BSDI Director of Product Marketing Douglas Urner said the process table threat is hardly catastrophic. "In theory,
there is a vulnerability here, which is like saying the gas in your car might explode."
BSDI software safe
Urner said the flaw probably wouldn't affect most BSDI software, because of existing safeguards.
SGI Principal Engineer Bill Earl said the threat exists but isn't a big deal, because the daemons can be easily
configured to limit incoming connections.
Red Hat Software spokeswoman Melissa London wasn't familiar with the process table problem, but she said holes
in Linux usually are solved quickly on public open source bulletin boards. "If there is any breach, we'll work to fix it,"
she said.
A perceived lack of responsible vendor action to patch the problem is partly what spurred Garfinkel to make the attack
known.
"They don't do anything unless it's publicly exposed," he said. "I can shut down any one of their servers on the Net."
Hard to stay hidden
But if he did, Garfinkel wouldn't be able to easily cloak his identity. Because the onslaught can take up to 10 hours to
complete, Unix experts and vendors agree that maintaining stealth is nearly impossible.
"It's an attack you're unlikely to see people get away with," Urner said.
That fact doesn't assuage the fears of many Unix experts who take the vulnerability seriously as yet another sign that
the Internet isn't robust enough to handle 21st century threats.
"The real deeper problem is that the whole infrastructure is pretty rotten," said Peter G. Neumann, principal scientist
at the Computer Science Lab at SRI International.