COMMAND

    "Mac DoS Attack"

SYSTEMS AFFECTED

    MacOS

PROBLEM

    John Copeland found the following.  He discovered that  Macintosh
    computers running OS 9 can be used to direct a stream of 1500-byte
    ICMP datagrams at a target on the Internet.  These ICMP  datagrams
    are triggered by 40-byte datagrams, so one "controller"  computer
    with a 1.3 Mbps Internet connection can focus the output of 37
    slaves (combined output 45 Mbps) and block a DS-3 link.

    Please read the story below and see more verification evidence  on
    one of the Web pages

        http://csc.gatech.edu/~copeland
        http://people.atl.mediaone.net/jacopeland

    Then help get the word to owners of Macintoshes connected to cable
    modems, ADSL modems, or LANs to install the patch that Apple has
    developed.  More details follow.

    As part of ongoing research on Internet data communications  and
    cable modem operations, John has been using a second computer to
    monitor the data packets that travel between the cable modem  and
    Macintosh computer at his home.

    Internet <---> CATV coax <---> Cable Modem <---> Mac Computer
                                  or ADSL Modem  |
                                                 V
                                          Monitor Computer

    He noticed some strange packets that were causing an  unexpected
    response from his Macintosh.  These UDP packets were only 29 bytes
    (characters) long, but they caused the Macintosh to send back a
    1500-byte packet.  This returning packet was an  Internet  Control
    Message Protocol (ICMP) packet, a type that sometimes has priority
    over the TCP and UDP packets that carry data from  computer  to
    computer over the Internet.  Over the period Nov. 28 to Dec.  22
    John saw these packets on five occasions.  The first three  came
    from Italy, Duke University, and the Gulf via South Africa.   The
    latter two came from the same computer in the Arab Emirates.
    These packets were "crafted," which means the data in them was
    not normal.  The first three had source and destination  port
    numbers (UDP addresses) fixed at 31790 and 31789.  These numbers
    are normally random between 1024 and 65,565.  The latter two  had
    port numbers of 60,000 and 2140.

    Copeland developed a concept of how these probe packets could  be
    used as part of a scheme to shut down an organization's connections
    to the Internet.  To prove this scheme is feasible, he successfully
    wrote and tested programs to implement the scheme, which  is
    described below.  The purpose of this scheme, which he calls  a
    "Mac Attack," is to generate a large amount of ICMP  Internet
    traffic going to a specific target.  This scheme can be  easily
    replicated to attack many different targets, with little  chance
    that the perpetrators will be caught.

    Phase 1 - Scanning
    ==================
    A computer runs a program that sends UDP packets to every Internet
    address in the range of addresses that are assigned to CATV  cable
    modems  and  to  ADSL  modems.   Addresses  that  have   Macintosh
    computers attached and turned  on will respond with  the 1500-byte
    ICMP packet.  These addresses are kept in a list for Phase 2.   We
    will call the Macintosh computers at these addresses "slaves."

    Phase 2 - Attack
    ================
    A computer at a location like Duke University is "root compromised."
    This means the aggressor group has used one of the many  well-known
    techniques to gain the administrator password so they can  load
    their own programs, which may be scheduled to run at a later  time
    (like Christmas Eve or New Year's Eve).  The compromised  computer
    is given a list of addresses for 40 slaves, and the address of  a
    specific target.  The log files are erased so that no one  will
    later be able to tell who installed the attack program.  When  the
    attack program starts running, it sends trigger packets in rotation
    to the forty slaves on its list.  The source (return)  Internet
    address is forged to be that of the target.  The forty slaves then
    send a 1500-byte ICMP packet to the target each time they receive
    a 40-byte trigger packet.

    If the attack computer sends 3000 40-byte trigger packets  per
    second (bit rate less than 1 Mbps), the slaves will send 3000
    1500-byte packets to the target (bit rate 45 Mbps).

                     |-----------> Slave ---------->|
    Control          |-----------> Slave ---------->|
    Computer ------->|-----------> Slave ---------->|-------> Target
                     |-----------> Slave ---------->|
                     |               * * *          | 4000 1500-byte
    4000 40-B pkt/s  100 40-B pkt/s   100 1500-B pkt/s  ICMP pkts/s
                     to each slave    from each slave    48 Mbps

    This figure shows the process of "byte amplification."

    The target organization, or organizations, is cut off from  the
    Internet because its connection, a 1.5 Mbps (million bit  per
    second) T-1 or a 45 Mbps DS-3 digital line, is swamped with  ICMP
    packets from forty different sources.  Note that 30 different  T-1
    connections could be swamped by varying the return addresses  in
    the trigger packets.

    Recovery
    ========
    The FBI would have to approach the CATV company to get the owners'
    names and addresses at the forty computers sending ICMP  packets
    to the target.  Once a slave is located, the trigger packets  are
    examined, but from their Internet source address they appear to be
    coming from the target.  Tracing spoofed packets (those with  a
    forged source address) back through the Internet is  practically
    impossible.  To stop the attack, most of the slaves would have  to
    be shut down.  Their owners would not be aware that  their
    Macintoshes were being used to participate in the attack.   After
    a long delay, the attack computer might be located.  There  would
    be no record of who installed the attack program, which may  even
    have detected that its target was operating again and  erased
    itself.

SOLUTION

    People who own Macintosh computers connected to  high-speed
    Internet connections, such as a cable modem, an ADSL modem, or  a
    corporate LAN, should turn off those computers, or  disconnect
    them from the network when they are not actively using  the
    network connection.  They should install the  OpenTransport
    software patch available from Apple at

        http://asu.info.apple.com/swupdates.nsf/artnum/n11559

    The initial Apple patch for this problem fails for a variety  of
    machines.  It appears to be an issue only with Open Transport
    2.5.2, which is only present in OS 9 and OS 8.6 on select machines
    (G4s with OS 8.6, slot-loading iMacs, etc.).

    Many organizations now discard incoming ICMP Echo-Request  packets
    at their Internet  Firewall (to keep  hackers from scanning  their
    network).  This will not  stop the UDP scanning packets  described
    above, and will not protect them if the incoming ICMP packets  jam
    their connection.
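    Since filtering at the target does not help, the useful place to
    notice this pattern is on the slave side: a host that answers tiny
    inbound UDP packets with much larger outbound ICMP packets.  The
    following is an added example, not code from the advisory or from
    Copeland; it runs the byte-amplification check described in Phase 2
    over constructed flow records (the addresses, the 64-byte trigger
    limit and the 10x ratio threshold are assumptions).

```python
"""Flag hosts that answer small inbound UDP packets with large outbound ICMP.
Added detection example for the amplification pattern in the advisory above;
the flow records below are constructed, not captured traffic."""
from collections import defaultdict

# Constructed sample flows: (seconds, src, dst, proto, sport, dport, bytes).
# 10.0.0.5 stands for a Macintosh behind a cable modem; 192.0.2.10 plays the
# target address that the attacker forges as the trigger packets' source, so
# the Macintosh's 1500-byte ICMP replies go to the target, not the attacker.
SAMPLE_FLOWS = [
    (0.00, "192.0.2.10", "10.0.0.5", "udp", 31790, 31789, 40),
    (0.01, "10.0.0.5", "192.0.2.10", "icmp", 0, 0, 1500),
    (0.02, "192.0.2.10", "10.0.0.5", "udp", 31790, 31789, 40),
    (0.03, "10.0.0.5", "192.0.2.10", "icmp", 0, 0, 1500),
    (0.04, "192.0.2.10", "10.0.0.5", "udp", 31790, 31789, 40),
    (0.05, "10.0.0.5", "192.0.2.10", "icmp", 0, 0, 1500),
    # Benign traffic: a DNS lookup, roughly symmetric in size, must not fire.
    (1.00, "10.0.0.5", "198.51.100.53", "udp", 51000, 53, 60),
    (1.02, "198.51.100.53", "10.0.0.5", "udp", 53, 51000, 120),
]


def amplification_report(flows, max_trigger_bytes=64, min_ratio=10.0):
    """Return {(host, peer): (udp_in_bytes, icmp_out_bytes, ratio)} for every
    pair where small UDP arriving at host from peer is answered by ICMP from
    host to peer carrying at least min_ratio times as many bytes."""
    udp_in = defaultdict(int)    # (host, peer) -> bytes of small UDP received
    icmp_out = defaultdict(int)  # (host, peer) -> bytes of ICMP sent back
    for _ts, src, dst, proto, _sport, _dport, size in flows:
        if proto == "udp" and size <= max_trigger_bytes:
            udp_in[(dst, src)] += size
        elif proto == "icmp":
            icmp_out[(src, dst)] += size
    report = {}
    for key, in_bytes in udp_in.items():
        out_bytes = icmp_out.get(key, 0)
        if out_bytes and out_bytes / in_bytes >= min_ratio:
            report[key] = (in_bytes, out_bytes, out_bytes / in_bytes)
    return report


def hosts_to_investigate(flows):
    """Sorted list of local hosts acting as amplifiers, for the operator to
    patch or disconnect; the peer in each pair is the likely spoofed target."""
    return sorted({host for host, _peer in amplification_report(flows)})


if __name__ == "__main__":
    for (host, peer), (i, o, r) in amplification_report(SAMPLE_FLOWS).items():
        print(f"{host} -> {peer}: {i} B UDP in, {o} B ICMP out, x{r:.1f}")
```

    A 40-byte trigger against a 1500-byte reply gives a ratio of 37.5, far
    above anything a normal UDP service produces, which is why a plain
    bytes-out/bytes-in comparison per peer is enough to catch it.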