FEATURES & COMMENTARY
San Diego, CALIF. — Robert Lemos reports that security consultant BindView Corp. has announced that a widespread flaw in the way that servers handle Internet traffic could result in so-called denial-of-service attacks similar to the ones that plagued the Web last February.
The idea is nothing new: Send data to a server in a certain way so that the computer reserves memory and processor time for the connection – and repeat many, many times. When the server runs out of memory or slows down to a crawl, certain functions will stop responding.
And like other denial-of-service attacks, this one is hard to stop, because the traffic is not easily differentiated from the data that normally traverses the Net.
“It is not impossible to defend against when (operating-system makers) take it seriously – which they are,” said Bob Keyes, the BindView security engineer who found the problems.
“By having enough resources, the resource-deprivation attack is much less likely to succeed,” said Keyes. “Also, bug the vendors for a fix.”
The flaw affects Microsoft’s Windows NT, Novell, Solaris, and Linux servers as well as Windows 9x and Me. Windows 2000 is not affected. BindView notified Microsoft Corp. of the problem in June and submitted an advisory to the Computer Emergency Response Team at Carnegie Mellon University in October. Both organizations released alerts on Thursday.
“A lot of attention was paid, during the course of Windows 2000 development, to these sorts of network robustness issues,” said Steve Lipner, manager of Microsoft’s Security Response Center. “This is a place where that attention to detail paid off.”
BindView also provided an attack tool, dubbed “Naptha,” to the organizations to test their software for the family of flaws. “We are sort of in a bind,” said Keyes. “We want to make sure that people know – and can test – what’s out there, but on the other hand, we don’t want to tip our hands so that the bad guys can write a program that can do this.”
The Naptha tool was not publicly released and has an identifier – a line from a B-52s song – in the packet it sends as part of the attack, in case it gets leaked to the public.
“A lot of people are going to say that this is a known problem, because it is just resource starvation,” said Weld Pond, a hacker-cum-security-researcher at @Stake Inc. “But it’s one that needs to be fixed.”