Naptha 1.1  10 July 2000
by Bob Keyes
(c) 2000 Bindview Corp. All Rights Reserved. 

-----
Requirements:
tested on Linux 2.2.x, OpenBSD 2.7, FreeBSD 4.0-RELEASE
libpcap - ftp://ee.lbl.gov/libpcap.tar.Z 
libnet 1.01b - http://www.packetfactory.net/libnet

If you get the error "LIBNET_ETH_H undeclared" when trying to compile, you
have an outdated version of libnet - go get version 1.01b.


-----
Usage:

In the current version, Naptha consists of three programs:

1) bogusarp - make a bogus entry in the router's arp cache so it actually
puts packets with our faked source address on the ethernet. This is done
by sending an arp query from the mac & ip we want cached every 6.5 seconds.
This is an inelegant hack, and may be replaced in a future version with a
client that actually listens for requests for its IP address and responds
appropriately. Requires the listening ethernet interface (eth0,
ne3,...) to be specified on the command line.

2) synsend - a general purpose program that sends a syn from a host &
port to another host (or network) and port. Used to send the initial SYN
to the victim.

3) srvr - this replaces the ackfin program in naptha 1.0. On the command
line, one specifies the flags to be listened for in upper case. These are
indicated by the first letter of the flag. The flags to be set in the
response packet are the same letters, but in lower case. Flags may be
specified in any order. The functionality of the ackfin program is
obtained by using the flags -SAaf with srvr.


Notes:
Currently supports ethernet only. The IP you use must be on your local
net, but not in use.

It is possible to run the synsend on a different host anywhere that will
allow you to specify the source address. 


-end
Abandoned TCP States
-----------------------------------------------
Robert Keyes of Bindview corporation
30 June 2000


Denial of Service attacks through resource starvation can be achieved by
creating a large number of TCP connections to a server.

In the past, implementing such an attack would drain the resources of the
attacker as quickly as the victim, so the attack was not practical. The
invention of the SYN flood showed that it was possible to create problems
for a victim server without much trouble for the attacker. Solutions were
found and implemented.

However, a more sophisticated attack is possible. By completing the
three-way TCP handshake, many SYN flood abatement schemes are defeated.
Buffer space can be exhausted, and many spawned application processes rob
the system of memory until it fails.

Systems that fail to time-out inactive connections, or have the time-out
value set too high, are especially vulnerable to this type of attack.

Over several months of investigation, I have found that almost every OS is
vulnerable to attack to some degree. To my great chagrin, the only one to
so far escape unscathed is Windows 2000. To balance the scales, however, I
will here detail one type of attack against Windows 95, 98 and NT4.

attacker -> victim: SYN
victim -> attacker: SYN ACK
attacker -> victim: ACK FIN
victim -> attacker: ACK FIN
....(time goes by, victim hears no response)...
victim -> attacker: ACK FIN
.....
victim -> attacker: ACK FIN
.....


If someone logged into the victim system were to issue a netstat command,
they would see a large number of connections in the LAST_ACK state, and
the connections may stay in that state for a long time before the server
times them out and closes them.
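A defender's counterpart to the netstat observation above is a small script that parses netstat-style output, counts connections sitting in LAST_ACK per local port and per remote peer, and raises an alert once a threshold is crossed. This is an added example written for this page; it is not part of the Naptha distribution or the advisory. The sample netstat lines, the addresses in them, and the alert thresholds are constructed for illustration, and the column layouts assumed are the usual ones printed by "netstat -an" on Unix (tcp/Recv-Q/Send-Q/Local/Foreign/State) and on Windows (TCP/Local/Foreign/State).

```python
"""Count abandoned TCP connections (LAST_ACK) in netstat-style output.

Added example for this page, not code from the Naptha README or advisory.
The sample output, addresses and thresholds below are constructed.
"""
from collections import Counter

# Constructed sample in the Unix "netstat -an" layout. One peer
# (192.0.2.77) has left several connections half-closed in LAST_ACK.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:139          192.0.2.77:40001        LAST_ACK
tcp        0      0 192.0.2.10:139          192.0.2.77:40002        LAST_ACK
tcp        0      0 192.0.2.10:139          192.0.2.77:40003        LAST_ACK
tcp        0      0 192.0.2.10:80           192.0.2.77:40004        LAST_ACK
tcp        0      0 192.0.2.10:80           198.51.100.5:51000      ESTABLISHED
tcp        0      0 192.0.2.10:22           198.51.100.9:52000      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.5:51001      TIME_WAIT
"""


def parse_netstat(text):
    """Return a list of (local_port, remote_ip, state) for each TCP line.

    Accepts both the Unix layout (6+ columns, state in column 6) and the
    Windows layout (4 columns: TCP local foreign state). Header lines,
    UDP lines and anything else are skipped.
    """
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or not fields[0].lower().startswith("tcp"):
            continue
        if len(fields) >= 6:            # Unix: tcp Recv-Q Send-Q local foreign state
            local, foreign, state = fields[3], fields[4], fields[5]
        elif len(fields) == 4:          # Windows: TCP local foreign state
            local, foreign, state = fields[1], fields[2], fields[3]
        else:
            continue
        # rsplit on the last ":" so IPv6 addresses (with their own colons) still work
        local_port = local.rsplit(":", 1)[-1]
        remote_ip = foreign.rsplit(":", 1)[0]
        rows.append((local_port, remote_ip, state))
    return rows


def abandoned_summary(rows, state="LAST_ACK"):
    """Count connections in the given state, per local port and per remote peer."""
    per_port = Counter()
    per_peer = Counter()
    for local_port, remote_ip, st in rows:
        if st == state:
            per_port[local_port] += 1
            per_peer[remote_ip] += 1
    return {
        "total": sum(per_port.values()),
        "per_port": dict(per_port),
        "per_peer": dict(per_peer),
    }


def alerts(summary, total_threshold=50, peer_threshold=20):
    """Return human-readable alert strings for thresholds that were crossed.

    The defaults are constructed placeholders; tune them to the service's
    normal backlog and to the crash figures observed for the platform.
    """
    out = []
    if summary["total"] >= total_threshold:
        out.append(f"{summary['total']} connections in LAST_ACK (threshold {total_threshold})")
    for peer, n in sorted(summary["per_peer"].items()):
        if n >= peer_threshold:
            out.append(f"peer {peer} holds {n} connections in LAST_ACK (threshold {peer_threshold})")
    return out


if __name__ == "__main__":
    summary = abandoned_summary(parse_netstat(SAMPLE_NETSTAT))
    print(summary)
    for msg in alerts(summary, total_threshold=3, peer_threshold=3):
        print("ALERT:", msg)
```

Run it against live output with something like `netstat -an | python3 this_script.py` after changing the `__main__` block to read `sys.stdin`; the per-peer count is the more useful signal, because an attack of this kind shows up as one or a few peers holding a disproportionate share of the half-closed connections, while ordinary client churn spreads them out.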

How many connections are necessary to cause a crash?

Windows 98 took only 103 connections in LAST_ACK before the Netbios
service was shut down. To restart it requires the system to be rebooted.

Windows NT4sp6 server took 1057 connections to Netbios before the service
crashed. To recover, an operator can stop and restart the service. The
web server took 1643 connections before closing. It can be restarted in a
similar way.

I have done much more research on the limits of various operating systems
and their vulnerability to Abandoned TCP State attacks, but these stand
out because:

1) common platform
2) common and important services
3) service does not recover after attack stops (other attacks can crash &
   reboot the machine, which hopefully would be able to start the services
   again. This attack requires operator intervention)
4) The relatively small number of packets required (this attack could be
   carried out over a low-speed dialup connection)

Other, similar vulnerabilities in a variety of operating systems will be
disclosed shortly.

Robert Keyes
bkeyes@razor.bindview.com
Bindview Corporation - makers of the HackerShield Security Scanner.
