Information Security News mailing list archives
Internet community prepares for a "Jolt"
From: William Knowles <wk () C4I ORG>
Date: Mon, 12 Jun 2000 10:23:51 -0500
I had the opportunity to see and hear Lance Spitzer's talk about this at the Chicago AIP Computer Security SIG back in May, and I would highly recommend that any Information Security professionals in the Midwest look into the Security SIG the Chicago AIP has. http://www.egroups.com/group/chicago-security

Cheers!
William Knowles
wk () c4i org

Corporations and firewall vendors are on high alert today following reports about another potentially destructive denial-of-service (DoS) tool. A recently released DoS tool called "Jolt 2" can be used to overwhelm a number of popular commercial firewalls with fragmented IP packets, causing near 100 percent CPU saturation and possible crashes.

As Security Wire Digest went to press Friday night, only Check Point's FireWall-1 had been publicly confirmed as vulnerable to the Jolt attack. However, internal tests at security firm ICSA.net proved that at least six other firewall brands were also vulnerable; the specific firewall brands were not being announced to the public until the affected vendors could develop workarounds or patches.

Lance Spitzer, a security researcher at Sun Microsystems, discovered the Check Point vulnerability in late May when testing how FireWall-1 addresses IP fragmentation. According to Spitzer's research, which he shared with Check Point prior to publishing, the attack capitalizes on the fact that FireWall-1 doesn't usually inspect or log fragmented packets until those packets are reassembled. Since the Jolt tool sends only fragmented packets, FireWall-1 consumes all its CPU power attempting to reassemble them, denying service to other requests and services.

"We verified that this is an issue. This is an attack and several applications are vulnerable to it, including Firewall-1," Greg Smith, Check Point's director of product marketing, told Information Security magazine. "Firewall-1 is vulnerable to it, but it is not Firewall-1 specific. It would affect other firewalls as well."

By mid-last week, Check Point had released a workaround to the attack (see http://www.checkpoint.com/techsupport/alerts/ipfrag_dos.html ). Smith says Check Point will release a permanent fix in the next release of Firewall-1, which will be available at the end of June.

"It's not the OS code that's bogging down, or the firewalling code that's bogging down. It's the reassembly prior to logging code that is bogging down," commented Al Potter, manager of the network security labs at ICSA.net. Potter's assessment is supported by Check Point's workaround solution, which essentially turns off console logging in order to free up CPU resources.

The larger concerns about Jolt are not about version 2 itself, but about the potential for malicious hackers to improve on the existing source code to create a more destructive tool. Jolt 2 is only 170 lines long, and is cobbled together from other attack scripts. In fact, comments in the source code, written by "Phonix," confirm the tool's patchwork origin: "This is the proof-of-concept code for the Windows denial-of-serice [sic] attack.... This code causes cpu utilization to go to 100%. Tested against: Win98; NT4/SP5,6; Win2K.... This is standard code. Ripped from lots of places.... It's a trivial exploit, so I won't take credit for anything except putting this file together."

The code also reportedly contains several coding errors that, if fixed, would result in a more dangerous tool. "Jolt 2 is not a particularly robust hammer," says Potter. "A journeyman-level coder could tune it up with considerably little effort."

"This is going to get worse before it gets better," Potter added.

Though there were no reports of attacks as of Friday evening, licensees of all commercial firewall brands are encouraged to monitor their firewall vendor's Web sites for additional news and updates. Because configuration changes to the firewall itself will not stop this attack, all Internet-facing routers can be temporarily configured to drop fragmented packets.

Spitzer's paper: http://www.enteract.com/~lspitz/fwtable.html
Check Point's workaround: http://www.checkpoint.com/techsupport/alerts/ipfrag_dos.html

ISN is sponsored by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".
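The mechanism the article describes is a firewall that reassembles fragments before it inspects or logs them, so a stream of fragments that never complete burns CPU and leaves no log trail. The following is an added example, not code from the article, from Jolt 2 or from any firewall vendor: a small IPv4 header parser and a fragment tracker that accounts for fragments as they arrive (before reassembly) and flags sources whose fragments keep failing to reassemble. The packets, addresses, IP IDs and the alert threshold are constructed for the example; the tracker does not try to reproduce Jolt 2's exact packet layout, only the "fragments that never complete" pattern the article attributes to it.

```python
"""Fragment-flood accounting: count fragments per source *before* reassembly
and flag sources whose fragment sets never complete.  Added example;
all packets below are constructed, not captures."""
import struct
from collections import defaultdict

IP_MF = 0x2000        # "more fragments" bit in the flags/offset field
IP_OFFMASK = 0x1FFF   # 13-bit fragment offset, in 8-byte units


def parse_ipv4(pkt: bytes) -> dict:
    """Parse the fixed 20-byte IPv4 header (options are skipped, not decoded)."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_off,
     _ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    offset = (flags_off & IP_OFFMASK) * 8
    more = bool(flags_off & IP_MF)
    return {
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "id": ident, "proto": proto, "offset": offset, "more": more,
        "is_fragment": more or offset != 0,   # RFC 791: MF set or non-zero offset
        "payload_len": total_len - ihl,
    }


def make_fragment(src, dst, ident, offset, payload, more, proto=17) -> bytes:
    """Build a raw IPv4 packet carrying one fragment (checksum left zero;
    constructed test input, not a captured Jolt 2 packet)."""
    assert offset % 8 == 0, "fragment offsets are in 8-byte units"
    flags_off = (IP_MF if more else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_off, 64, proto, 0,
                      bytes(map(int, src.split("."))),
                      bytes(map(int, dst.split("."))))
    return hdr + payload


def _covers(ranges, total) -> bool:
    """True if the byte ranges seen so far cover [0, total) without a gap."""
    pos = 0
    for start, end in sorted(ranges):
        if start > pos:
            return False
        pos = max(pos, end)
    return pos >= total


class FragmentTracker:
    """Accounts for fragments at arrival time, which is exactly the point at
    which the firewall in the article does *not* yet log anything."""

    def __init__(self):
        # (src, dst, id, proto) -> {"ranges": [(start, end)], "total": int|None}
        self.sets = {}
        # fragments per source that belong to a not-yet-completed datagram
        self.pending_frags = defaultdict(int)

    def feed(self, pkt: bytes):
        h = parse_ipv4(pkt)
        if not h["is_fragment"]:
            return None
        key = (h["src"], h["dst"], h["id"], h["proto"])
        st = self.sets.setdefault(key, {"ranges": [], "total": None})
        st["ranges"].append((h["offset"], h["offset"] + h["payload_len"]))
        self.pending_frags[h["src"]] += 1
        if not h["more"]:                       # last fragment fixes datagram size
            st["total"] = h["offset"] + h["payload_len"]
        if st["total"] is not None and _covers(st["ranges"], st["total"]):
            self.pending_frags[h["src"]] -= len(st["ranges"])
            del self.sets[key]
            return "complete"
        return "pending"

    def suspects(self, threshold: int) -> list:
        """Sources with at least `threshold` fragments stuck in incomplete sets."""
        return sorted(s for s, n in self.pending_frags.items() if n >= threshold)
```

A legitimate fragmented datagram drives a source's pending count back to zero as soon as its last piece arrives, so an ordinary host never crosses the threshold; a source that only ever sends non-initial or non-final fragments accumulates pending fragments at line rate and is reported, whether it varies the IP ID per packet or reuses one. The threshold (50 here) is an assumption to tune per network; the router-side alternative the article mentions, dropping all fragments at the edge, is coarser but needs no state.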