COMMAND
"Mac DoS Attack"
SYSTEMS AFFECTED
MacOS
PROBLEM
John Copeland found the following. He discovered that Macintosh
computers running OS9 can be used to direct a stream of 1500-byte
ICMP datagrams at a target on the Internet. These ICMP datagrams
are triggered by 40-byte datagrams, so one "controller" computer
with a 1.3 Mbps Internet connection can focus the output of 37
slaves (combined output 45 Mbps) and block a DS-3 link.
Please read the story below and see more verification evidence on
one of the Web pages
http://csc.gatech.edu/~copeland
http://people.atl.mediaone.net/jacopeland
Then help get the word to owners of Macintoshes connected to cable
modems, ADSL modems, or LANs to install the patch that Apple has
developed. More details follow.
As part of ongoing research on Internet data communications and
cable modem operations, John has been using a second computer to
monitor the data packets that travel between the cable modem and
the Macintosh computer at his home.
Internet <---> CATV coax <---> Cable Modem <---> Mac Computer
                               or ADSL Modem  |
                                              V
                                       Monitor Computer
He noticed some strange packets that were causing an unexpected
response from his Macintosh. These UDP packets were only 29 bytes
(characters) long, but they caused the Macintosh to send back a 1500
byte packet. This returning packet was an Internet Control
Message Protocol (ICMP) packet, a type that sometimes has priority
over the TCP and UDP packets that carry data from computer to
computer over the Internet. Over the period Nov. 28 to Dec. 22
John saw these packets on five occasions. The first three came
from Italy, Duke University, and the Gulf via South Africa. The
latter two came from the same computer in the Arab Emirates.
These packets were "crafted," which means the data in them was
not normal. The first three had source and destination port
numbers (UDP addresses) fixed at 31790 and 31789. These numbers
are normally random between 1024 and 65,565. The latter two had
port numbers of 60,000 and 2140.
Copeland developed a concept of how these probe packets could be
used as part of a scheme to shut down an organization's connections
to the Internet. To prove this scheme is feasible, he
successfully wrote and tested programs to implement the scheme
which is described below. The purpose of this scheme, which he
calls a "Mac Attack," is to generate a large amount of ICMP
Internet traffic going to a specific target. This scheme can be
easily replicated to attack many different targets, with little
chance that the perpetrators will be caught.
Phase I - Scanning
==================
A computer runs a program that sends UDP packets to every Internet
address in the range of addresses that are assigned to CATV cable
modems and to ADSL modems. Addresses that have Macintosh
computers attached and turned on will respond with the 1500-byte
ICMP packet. These addresses are kept in a list for Phase 2. We
will call the Macintosh computers at these addresses "slaves."
Phase 2 - Attack
================
A computer at a location like Duke University is "root
compromised." This means the aggressor group has used one of the
many well-known techniques to gain the administrator password so
they can load their own programs, which may be scheduled to run
at a later time (like Christmas Eve or New Year's Eve). The
compromised computer is given a list of addresses for 40 slaves,
and the address of a specific target. The log files are erased
so that no one will later be able to tell who installed the
attack program. When the attack program starts running, it sends
trigger packets in rotation to the forty slaves on its list. The
source (return) Internet address is forged to be that of the
target. The forty slaves then send a 1500 byte ICMP packet to
the target each time they receive a 40-byte trigger packet.
If the attack computer sends 3000 40-byte trigger packets per
second (bit rate less than 1 Mbps), the slaves will together send
3000 1500-byte packets to the target (bit rate 45 Mbps).
                 |-----------> Slave ---------->|
Control          |-----------> Slave ---------->|
Computer ------->|-----------> Slave ---------->|-------> Target
                 |-----------> Slave ---------->|
                 |      * * *                   |         4000 1500-byte
4000 40-B pkt/s  100 40-B pkt/s  100 1500-B pkt/s        ICMP pkts/s
                 to each slave   from each slave         48 Mbps
This figure shows the process of "byte amplification."
The target organization, or organizations, is cut off from the
Internet because its connection, a 1.5 Mbps (million bit per
second) T-1 or a 45 Mbps DS-3 digital line, is swamped with ICMP
packets from forty different sources. Note that 30 different T-1
connections could be swamped by varying the return addresses in
the trigger packets.
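As an added illustration (not code from the advisory or from Copeland's programs), the following Python sketch shows how an operator monitoring a link, as in the figure earlier on this page, could recognise the byte-amplification signature and size the exposure. The packet records, addresses and thresholds are constructed sample data; the fixed port pairs are the ones the advisory reports.

```python
from collections import defaultdict

# Fixed (sport, dport) pairs the advisory reports in the crafted probes.
PROBE_PORT_PAIRS = {(31790, 31789), (60000, 2140)}
ICMP, UDP = 1, 17

# Constructed sample capture (IP total length in bytes) as a monitor beside the
# cable modem would see it. Addresses are from documentation ranges.
SAMPLE = [
    {"t": 0.00, "src": "203.0.113.7", "dst": "198.51.100.21", "proto": UDP, "len": 29, "sport": 31790, "dport": 31789},
    {"t": 0.01, "src": "198.51.100.21", "dst": "203.0.113.7", "proto": ICMP, "len": 1500, "sport": None, "dport": None},
    {"t": 0.50, "src": "203.0.113.7", "dst": "198.51.100.22", "proto": UDP, "len": 29, "sport": 31790, "dport": 31789},
    {"t": 0.51, "src": "198.51.100.22", "dst": "203.0.113.7", "proto": ICMP, "len": 56, "sport": None, "dport": None},
    {"t": 1.00, "src": "192.0.2.9", "dst": "198.51.100.21", "proto": UDP, "len": 60, "sport": 53, "dport": 4567},
]

def is_probe(pkt, max_len=64):
    """Small UDP datagram carrying one of the fixed port pairs (Phase 1 scan)."""
    return (pkt["proto"] == UDP and pkt["len"] <= max_len
            and (pkt["sport"], pkt["dport"]) in PROBE_PORT_PAIRS)

def find_probes(packets):
    return [p for p in packets if is_probe(p)]

def find_amplifiers(packets, max_trigger_len=64, min_factor=10.0, window=1.0):
    """Hosts that answer a small UDP datagram with a much larger ICMP packet
    within `window` seconds. Returns {responder: largest byte amplification}."""
    pending = defaultdict(list)  # (udp_src, udp_dst) -> candidate trigger packets
    found = {}
    for p in sorted(packets, key=lambda x: x["t"]):
        if p["proto"] == UDP and p["len"] <= max_trigger_len:
            pending[(p["src"], p["dst"])].append(p)
        elif p["proto"] == ICMP:
            key = (p["dst"], p["src"])  # the reply flows back to the trigger's source
            for trig in pending.get(key, []):
                if 0 <= p["t"] - trig["t"] <= window:
                    factor = p["len"] / trig["len"]
                    if factor >= min_factor:
                        found[p["src"]] = max(found.get(p["src"], 0.0), factor)
    return found

def projected_rate_mbps(trigger_pps_per_slave, reply_len, n_slaves):
    """Aggregate ICMP bit rate at the target when every trigger yields one reply."""
    return trigger_pps_per_slave * reply_len * 8 * n_slaves / 1e6

if __name__ == "__main__":
    print("probes seen:", len(find_probes(SAMPLE)))
    print("amplifying hosts:", find_amplifiers(SAMPLE))
    print("40 slaves at 100 pkt/s:", projected_rate_mbps(100, 1500, 40), "Mbps")
```

The 56-byte ICMP reply from the second host is the size of an ordinary port-unreachable message and is not flagged; only the host returning a 1500-byte packet for a 29-byte trigger shows the amplification the advisory describes.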
Recovery
========
The FBI would have to approach the CATV company to get the owners'
names and addresses at the forty computers sending ICMP packets
to the target. Once a slave is located, the trigger packets are
examined, but appear from the Internet source address to be
coming from the target. Tracing spoofed packets (those with a
forged source address) back through the Internet is practically
impossible. To stop the attack, most of the slaves would have to
be shut down. Their owners would not be aware that their
Macintoshes were being used to participate in the attack.
After a long delay, the attack computer might be located. There
would be no record of who installed the attack program, which may
even have detected that its target was operating again and
erased itself.
SOLUTION
People who own Macintosh computers connected to high-speed
Internet connections, such as a cable modem, an ADSL modem, or a
corporate LAN, should turn off those computers, or disconnect
them from the network when they are not actively using the
network connection. They should install the OpenTransport
software patch available from Apple at
http://asu.info.apple.com/swupdates.nsf/artnum/n11559
The initial Apple patch for this problem fails for a variety of
machines. It appears to be an issue only with OpenTransport
2.5.2, which is present only in OS 9 and OS 8.6 on select machines
(G4s with OS 8.6, slot-loading iMacs, etc.).
Many organizations now discard incoming ICMP Echo-Request packets
at their Internet Firewall (to keep hackers from scanning their
network). This will not stop the UDP scanning packets described
above, and will not protect them if the incoming ICMP packets jam
their connection.