The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of TCP: denial of service Sockstress

Synthesis of the vulnerability 

An attacker can advertise a small TCP window in order to overload a TCP server.
Impacted products: ProxyAV, ProxyRA, ProxySG by Blue Coat, SGOS by Blue Coat, VPN-1, ASA, Cisco Catalyst, IOS by Cisco, Cisco Router, BIG-IP Hardware, TMOS, Linux, Windows 2000, Windows 2003, Windows 2008 R0, Windows (platform) ~ not comprehensive, Windows Vista, Windows XP, NLD, OES, OpenSolaris, openSUSE, Solaris, Trusted Solaris, TCP protocol, StoneGate Firewall, StoneGate IPS, SLES, Unix (platform) ~ not comprehensive.
Severity of this bulletin: 2/4.
Creation date: 01/10/2008.
Revision dates: 20/10/2008, 09/09/2009.
References of this threat: 109444, 110132, 267088, 6759500, 967723, BID-31545, c01923093, CERTA-2009-ALE-017-003, cisco-sa-20090908-tcp24, cisco-sr-20081017-tcp, cpujul2012, CVE-2008-4609, FICORA #193744, HPSBMI02473, MS09-048, SA34, SA35, SA36, SA37, SA38, SA40, SA41, sk42723, sk42725, SOL10509, SOL7301, SOL9293, SSRT080138, SUSE-SA:2009:047, VIGILANCE-VUL-8139, VU#723308.

Description of the vulnerability 

The "window" field of a TCP segment header advertises how many bytes the receiver is currently willing to accept beyond the last acknowledged sequence number, and thus the range of sequence numbers the peer is allowed to send.

According to the TCP protocol, when a system cannot receive more data (for example because its buffers are full), it lowers the value of the "window" field, down to zero if necessary. The remote host then has to send data slowly; with a zero window it must stop sending altogether and only probe periodically, while keeping the connection open and the pending data in its send buffer until the window reopens.

An attacker can therefore connect to a listening TCP service, request data, and then advertise a tiny or zero window, artificially extending the session for as long as he keeps answering the server's probes, in order to overload the remote host (connection table, socket buffers, application threads).

The attacker can also use "reverse SYN cookies" (a keyed hash carried in his own initial sequence number, which the server returns as the acknowledgement number of its SYN-ACK) together with the TCP Timestamp option (whose value the server echoes back), so that he does not have to keep any per-connection state on his computer while opening thousands of connections.
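The stateless client side described above, as an added example that is not taken from the Vigil@nce bulletin or from the Sockstress tool: the client derives its initial sequence number (ISN) from a keyed hash of the connection 4-tuple and a time slot, and puts a small tag in the TCP timestamp value (TSval). Since the server must return ISN+1 as the acknowledgement number of its SYN-ACK and echoes TSval as TSecr, the client can recognise a genuine SYN-ACK, and recover what it wanted to do with that connection, without storing anything. The key, the slot width and the TSval layout are this example's own assumptions, not the layout used by the real tool.

```python
# Added example: client-side "reverse SYN cookie" in the spirit of the bulletin's
# description. Key, slot width and TSval layout are assumptions of this example.
import hashlib
import hmac
import struct
from typing import Optional

SLOT_SECONDS = 64          # assumed: a cookie is valid for the current and previous slot
SLOT_MASK = 0xFFFFFF       # 24 bits of slot number fit in TSval next to an 8-bit tag


def _slot(now: float) -> int:
    return (int(now) // SLOT_SECONDS) & SLOT_MASK


def _cookie(key: bytes, src_ip: str, src_port: int, dst_ip: str, dst_port: int, slot: int) -> int:
    """32-bit keyed hash over the 4-tuple and the time slot, used as the ISN."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{slot}".encode()
    return struct.unpack("!I", hmac.new(key, msg, hashlib.sha256).digest()[:4])[0]


def make_syn(key: bytes, src_ip: str, src_port: int, dst_ip: str, dst_port: int,
             now: float, tag: int) -> tuple:
    """Fields for the outgoing SYN: (ISN, TSval). Nothing has to be remembered."""
    slot = _slot(now)
    isn = _cookie(key, src_ip, src_port, dst_ip, dst_port, slot)
    # TSval carries the slot (24 bits) and an 8-bit tag, for example which
    # window trick this connection should use once it is established.
    tsval = (slot << 8) | (tag & 0xFF)
    return isn, tsval


def validate_synack(key: bytes, src_ip: str, src_port: int, dst_ip: str, dst_port: int,
                    ack: int, tsecr: int, now: float) -> Optional[dict]:
    """Recompute the cookie from the echoed fields of a SYN-ACK.

    Returns the recovered per-connection state for a genuine SYN-ACK, or None
    for an unsolicited, forged or expired one.
    """
    slot = (tsecr >> 8) & SLOT_MASK
    tag = tsecr & 0xFF
    if (_slot(now) - slot) & SLOT_MASK not in (0, 1):
        return None                        # too old, or a slot we never used
    expected_isn = _cookie(key, src_ip, src_port, dst_ip, dst_port, slot)
    if ack != (expected_isn + 1) & 0xFFFFFFFF:
        return None                        # ISN does not match our keyed hash
    # The client's next sequence number is simply the ack the server returned.
    return {"next_seq": ack, "tag": tag}


if __name__ == "__main__":
    key = b"per-run secret"                # constructed for the example
    t0 = 1_700_000_000.0
    isn, tsval = make_syn(key, "192.0.2.10", 40001, "198.51.100.20", 80, t0, tag=2)
    # Genuine SYN-ACK: ack = ISN + 1, TSecr = our TSval.
    print(validate_synack(key, "192.0.2.10", 40001, "198.51.100.20", 80,
                          (isn + 1) & 0xFFFFFFFF, tsval, t0 + 3))
    # Forged SYN-ACK with a guessed ack number is rejected.
    print(validate_synack(key, "192.0.2.10", 40001, "198.51.100.20", 80,
                          (isn + 12345) & 0xFFFFFFFF, tsval, t0 + 3))
```

The asymmetry the bulletin describes follows directly: the server allocates a socket and buffers for every accepted connection, while the client only needs the key and the clock to answer each SYN-ACK correctly. The same time-slot expiry that keeps the scheme safe against replayed SYN-ACKs is what a defender cannot rely on, since the attacker completes the handshake from a real address.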

An attacker therefore uses few resources on his own computer, and forces the usage of a lot of resources on the target. The impact of this temporary denial of service depends on the target system, and is similar to an attacker opening many real TCP sessions (except that his computer only uses a few resources). The attacker cannot spoof his IP address to exploit this attack, because he has to complete the three-way handshake and keep receiving the server's packets.

There are several attack variants, related to the advertised window size or to a temporary increase of the window size. The VIGILANCE-VUL-8844 vulnerability can be seen as a variant.

When the attacker stops sending packets, the denial of service stops. However, some additional implementation errors (such as the Microsoft CVE-2009-1926 vulnerability of VIGILANCE-VUL-9008, or the Cisco Nexus 5000 vulnerabilities described in the solution for Cisco) cause a permanent denial of service.
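Because the attacker cannot spoof his address and has to keep answering the server's probes with a tiny window, the attack has a recognisable per-source signature on the wire. The following detector is an added example, not part of the Vigil@nce bulletin or of any vendor's product: it parses raw TCP headers and reports sources that hold many connections in a prolonged zero (or tiny) window stall. The sample packets are constructed here, and the thresholds (window of at most 4 bytes, 30 seconds, 5 connections) are assumptions to tune per service.

```python
# Added example, not from the bulletin: per-source detection of prolonged
# tiny-window stalls over raw TCP headers. Sample traffic is constructed;
# thresholds are assumptions.
import struct
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# RFC 793 fixed header: sport, dport, seq, ack, data offset/reserved, flags,
# window, checksum, urgent pointer (20 bytes, network byte order).
TCP_HDR = struct.Struct("!HHIIBBHHH")
FLAG_ACK = 0x10

Packet = Tuple[float, str, bytes]          # (timestamp, source IP, TCP header bytes)
Conn = Tuple[str, int, int]                # (source IP, source port, destination port)


def build_tcp_header(sport: int, dport: int, seq: int, ack: int, flags: int, window: int) -> bytes:
    """Pack a 20-byte TCP header with no options (data offset 5 words)."""
    return TCP_HDR.pack(sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)


def parse_tcp_header(data: bytes) -> dict:
    """Decode the fixed TCP header; 'window' is the raw 16-bit field."""
    sport, dport, seq, ack, _off, flags, window, _csum, _urg = TCP_HDR.unpack(data[:20])
    # Window scaling (RFC 1323) multiplies this value, but a zero window stays
    # zero whatever the scale factor, so a zero-window stall is visible here.
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": flags, "window": window}


def find_window_stalls(packets: Iterable[Packet], *, max_window: int = 4,
                       min_stall: float = 30.0, min_conns: int = 5) -> Dict[str, List[Conn]]:
    """Return {source IP: stalled connections} for sources with >= min_conns stalls.

    A connection is stalled when every client segment for at least min_stall
    seconds advertised a window of at most max_window bytes; a single larger
    window resets the run, so a transient zero window from a slow but honest
    client is not reported.
    """
    stall_start: Dict[Conn, float] = {}
    last_seen: Dict[Conn, float] = {}
    for ts, src, raw in packets:
        h = parse_tcp_header(raw)
        conn = (src, h["sport"], h["dport"])
        last_seen[conn] = ts
        if h["window"] <= max_window:
            stall_start.setdefault(conn, ts)   # start (or continue) a tiny-window run
        else:
            stall_start.pop(conn, None)        # window reopened: not a stall
    by_source: Dict[str, List[Conn]] = defaultdict(list)
    for conn, start in stall_start.items():
        if last_seen[conn] - start >= min_stall:
            by_source[conn[0]].append(conn)
    return {src: sorted(conns) for src, conns in by_source.items() if len(conns) >= min_conns}


def sample_capture() -> List[Packet]:
    """Constructed client->server packets for the example (not real traffic)."""
    pkts: List[Packet] = []
    # Attacker: six connections to port 80, each answering every probe for a
    # minute with window 0 (the server cannot send and keeps the data queued).
    for i in range(6):
        for t in range(0, 61, 15):
            pkts.append((float(t), "198.51.100.7",
                         build_tcp_header(40000 + i, 80, 1000, 5000, FLAG_ACK, window=0)))
    # Honest slow client: a zero window that reopens after 20 seconds.
    pkts.append((0.0, "203.0.113.5", build_tcp_header(51000, 80, 1, 1, FLAG_ACK, window=0)))
    pkts.append((20.0, "203.0.113.5", build_tcp_header(51000, 80, 1, 1, FLAG_ACK, window=65535)))
    return sorted(pkts, key=lambda p: p[0])


if __name__ == "__main__":
    for src, conns in find_window_stalls(sample_capture()).items():
        print(f"{src}: {len(conns)} connections stalled at a tiny window")
```

In production the packets would come from a capture or from the host's own socket statistics rather than a constructed list; the logic stays the same. The source-based grouping is what makes the result actionable for the "block the attacker's IP address" workaround below, and it is also why a distributed attack, with few connections per source, slips under the per-source threshold.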


Our Vigil@nce team determined that the severity of this computer weakness bulletin is medium.

Trust level: confirmed by the vendor. Attack origin: internet client.

Exploiting this security note requires an attacker with expert ability.

Solutions for this threat 

TCP: workaround for Sockstress/Nkiller2.
Some firewalls (such as Juniper or NetASQ) implement a protection against this attack.
When the attack is not distributed, the IP address of the attacker can be blocked.
Services reachable from the internet which wait for client data before replying (such as HTTP) have to be configured against distributed denials of service.
Some network devices (such as Cisco) can also be configured against distributed denials of service.

Blue Coat: solution for Sockstress/Nkiller2.
A solution is available:
Blue Coat iShared :
  https://bto.bluecoat.com/doc/12152
Blue Coat Director :
  https://bto.bluecoat.com/doc/12150
Blue Coat IntelligenceCenter :
  https://bto.bluecoat.com/doc/12151
Blue Coat ProxySG :
  https://bto.bluecoat.com/doc/12154
Blue Coat ProxyAV :
  https://bto.bluecoat.com/doc/12153

Check Point VPN-1: version for Sockstress/Nkiller2.
The Check Point announcement indicates corrected versions.

Cisco Catalyst Blade Switch: patch.
A firmware update is available from the information sources.

Cisco: solution for Sockstress/Nkiller2.
The Cisco announcement indicates corrected versions.
A workaround is to filter access to TCP services.

F5 BIG-IP: workaround for Sockstress/Nkiller2.
A workaround is to set up protections against denials of service (SOL7301).
SOL10509 indicates corrected versions.

Linux kernel: workaround for Sockstress/Nkiller2.
The following rules limit the number of new connections accepted from a single IP address (here 10 per 300 seconds). The FIN rule has to come before the ESTABLISHED accept, otherwise it is never reached; it forgets a source as soon as that source closes a connection, so only clients that hold connections open, as Sockstress does, accumulate hits. An attacker can still reset his own counter by closing one connection, and the threshold also applies to legitimate users sharing a NAT address, so tune it per service:
  # a source that closes a connection is removed from the tracking list
  iptables -A INPUT -p tcp --tcp-flags FIN FIN -m recent --remove
  # let packets of existing connections through
  iptables -A INPUT -p tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  # count each new connection attempt (SYN only) against its source
  iptables -A INPUT -p tcp --syn -m recent --set
  # drop the SYN once a source has 10 or more attempts within 300 seconds
  iptables -A INPUT -p tcp --syn -m recent --update --seconds 300 --hitcount 10 -j DROP

Solaris: CPU of July 2012.
A Critical Patch Update is available:
  http://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=1446033.1

Solaris: workaround for TCP.
A workaround is to use ipfilter during an attack.
Build 131 of OpenSolaris is corrected.

StoneGate: corrected versions.
The following versions are corrected, and will be available in October 2009:
 - StoneGate Firewall/VPN 4.2.11 or 5.0.3
 - StoneGate IPS 4.2.4, 4.3.7 or 5.0.2
A workaround is to limit direct access to services of the product.

SUSE: workaround for Sockstress/Nkiller2.
A workaround is to filter attack IPs.

Windows: patch for TCP.
A patch is available:
Windows Server 2003 SP2
  http://www.microsoft.com/downloads/details.aspx?familyid=48d82036-2fde-4bb0-a60e-92eed83ddc3f
Windows Server 2003 x64 SP2
  http://www.microsoft.com/downloads/details.aspx?familyid=e0298ddf-026e-4137-8197-ed9d9b889825
Windows Server 2003 Itanium SP2
  http://www.microsoft.com/downloads/details.aspx?familyid=c948c4d8-5788-4c1a-9fb6-a969b06a888d
Windows Vista Gold, SP1, SP2
  http://www.microsoft.com/downloads/details.aspx?familyid=7d72f845-9feb-4685-a669-f9d6ab54f9ed
Windows Vista x64 Gold, SP1, SP2
  http://www.microsoft.com/downloads/details.aspx?familyid=b2930ff1-5f0a-4a5d-bf2a-9fb76dd8da63
Windows 2008 32-bit Gold, SP1, SP2
  http://www.microsoft.com/downloads/details.aspx?familyid=35c1d5a9-a953-4fc6-90c0-d2358c7b89e6
Windows 2008 x64 Gold, SP1, SP2
  http://www.microsoft.com/downloads/details.aspx?familyid=6e46822e-f79d-492d-ad01-ee680ad324f5
Windows 2008 Itanium Gold, SP1, SP2
  http://www.microsoft.com/downloads/details.aspx?familyid=2ac76ee2-b1b6-4300-9cba-af33d9dd54eb
The Microsoft announcement indicates workarounds.
