Major Unix flaw emerges

Built-in bug lets hackers shut down ISPs at will, but Unix vendors don't
seem overly concerned.

By Randy Barrett, Inter@ctive Week Online
March 1, 1999 9:30 AM PT

A newly discovered Unix design flaw threatens thousands of computers that
operate on the Internet.

The vulnerability opens Unix-based servers to a new kind of
denial-of-service attack that overloads the servers' ability to answer
incoming queries, according to security expert and Internet service
provider (ISP) owner Simson Garfinkel. Garfinkel's ISP, Vineyard.Net,
experienced such an attack in early 1998, but Garfinkel soon realized the
situation was an accident caused by a subscriber's faulty software.

"The buggy software would finger our computer every minute, but it never
hung up," Garfinkel said.

By not terminating the connection, the program quickly loaded up his Unix
server's "process tables" and brought the ISP to a standstill for two hours.

"We didn't go looking for this. It hit us. It's not theoretical," Garfinkel
said.

The attack entails sending repeated open-connection requests to a Unix
server. Network daemons - the Internet daemon (inetd), the Secure Shell
daemon (sshd), the Internet Message Access Protocol daemon (imapd) and the
like - are written to accept each connection automatically and carry out
whatever request follows, usually in a process of their own. But if the
connection is opened and no request ever arrives, most daemons keep the
line open indefinitely, and every idle connection holds a slot in the
server's process table, which on a typical machine can handle between 600
and 1,500 simultaneous tasks. Enough idle connections eventually fill the
table, the server can no longer create processes, and it grinds to a halt.

Garfinkel publicly outlined the vulnerability - which affects nearly all
Unix-based platforms, including Irix, Linux and Solaris - on a security
newsgroup Feb. 19. This was after his repeated attempts to notify
programmers at Berkeley Software Design Inc., Hewlett-Packard, Silicon
Graphics Inc. and Sun Microsystems of the problem last year. None of the
vendors gave it any notice, Garfinkel said.

"It wasn't new enough to immediately gain attention. It's a design flaw,
not a bug," said Gene Spafford, professor of computer science at Purdue
University.

Sabotage can come from outside
Process table attacks are old news to Unix programmers, but Garfinkel
showed that the assault can be mounted from outside, by any remote client
able to open a connection. Previously, developers thought such sabotage
required internal access - a local user already able to run processes on
the machine.

AT&T Fellow Steven Bellovin said the vulnerability is real. "If I were
running a popular server, I would at least try to add some resource
limitation."

Garfinkel said the servers most open to attack are those used for
electronic mail, file serving and Web hosting. Protecting against it is
relatively easy: daemon programs can be rewritten to cap the number of
connections they hold open at once, or to drop any connection that has sent
no request after 30 seconds.

"They need to have a governor installed," Garfinkel said.
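The governor Garfinkel describes, as an added example that is not code from the article or from any vendor named in it. The server below applies the two controls the article mentions, a cap on simultaneous connections per source address and an idle timeout that drops any connection that has not sent a request, and `run_demo` plays the part of the subscriber's runaway finger client by opening several connections from one address and never sending anything. It is a single-process, select-driven server rather than a forking daemon, so what an ungoverned version of it would exhaust is file descriptors rather than process-table slots; the bookkeeping is the same either way. The `OK <request>` protocol, the limits used in the demo (three connections per address, a one-second idle timeout) and the `ping` request are assumptions made for the demonstration.

```python
import select
import selectors
import socket
import threading
import time


class GovernedServer:
    """Toy request/reply service with a governor: idle timeout plus per-source cap."""

    def __init__(self, idle_timeout=30.0, max_per_source=5, host="127.0.0.1", port=0):
        self.idle_timeout = idle_timeout        # seconds a connection may stay silent
        self.max_per_source = max_per_source    # simultaneous connections per address
        self.per_source = {}                    # src ip -> open connections from it
        self.last_seen = {}                     # socket -> (src ip, time of last request)
        self.sel = selectors.DefaultSelector()
        lsock = socket.socket()
        lsock.bind((host, port))                # port 0: let the kernel pick one
        lsock.listen(128)
        lsock.setblocking(False)
        self.sel.register(lsock, selectors.EVENT_READ, self._accept)
        self.addr = lsock.getsockname()
        self._stop = threading.Event()

    def _accept(self, lsock):
        conn, (ip, _) = lsock.accept()
        if self.per_source.get(ip, 0) >= self.max_per_source:
            conn.close()                        # source at its cap: refuse immediately
            return
        self.per_source[ip] = self.per_source.get(ip, 0) + 1
        self.last_seen[conn] = (ip, time.monotonic())
        conn.setblocking(False)
        self.sel.register(conn, selectors.EVENT_READ, self._read)

    def _close(self, conn):
        ip, _ = self.last_seen.pop(conn)
        self.per_source[ip] -= 1
        self.sel.unregister(conn)
        conn.close()

    def _read(self, conn):
        try:
            data = conn.recv(4096)
        except OSError:
            data = b""
        if not data:                            # peer hung up or reset the connection
            self._close(conn)
            return
        self.last_seen[conn] = (self.last_seen[conn][0], time.monotonic())
        conn.sendall(b"OK " + data)             # the assumed toy protocol

    def serve(self):
        while not self._stop.is_set():
            for key, _ in self.sel.select(timeout=0.05):
                key.data(key.fileobj)
            now = time.monotonic()              # reap connections that never spoke up
            for conn in [c for c, (_, t) in self.last_seen.items()
                         if now - t > self.idle_timeout]:
                self._close(conn)
        for key in list(self.sel.get_map().values()):
            key.fileobj.close()
        self.sel.close()

    def stop(self):
        self._stop.set()


def run_demo(idle_timeout=1.0, max_per_source=3, attackers=5):
    """Open `attackers` silent connections from one address, as the runaway finger
    client did, and report how the governor treated them."""
    srv = GovernedServer(idle_timeout, max_per_source)
    worker = threading.Thread(target=srv.serve, daemon=True)
    worker.start()
    clients = [socket.create_connection(srv.addr) for _ in range(attackers)]
    time.sleep(idle_timeout / 4)        # give the server time to accept (and refuse)
    readable, _, _ = select.select(clients, [], [], 0)
    admitted = [c for c in clients if c not in readable]
    refused = len(readable)             # readable now means EOF: refused at accept time
    for c in readable:
        c.close()
    admitted[0].settimeout(2.0)
    admitted[0].sendall(b"ping")        # a client that does send a request is served
    reply = admitted[0].recv(64)
    time.sleep(idle_timeout + 0.5)      # then let every admitted connection sit idle
    gone, _, _ = select.select(admitted, [], [], 1.0)
    dropped = sum(c.recv(1) == b"" for c in gone)   # EOF: reaped by the idle timeout
    for c in admitted:
        c.close()
    srv.stop()
    worker.join(timeout=2)
    return {"admitted": len(admitted), "refused": refused,
            "reply": reply, "dropped_idle": dropped}


if __name__ == "__main__":
    print(run_demo())
```

With five silent connections from one address and a cap of three, two are closed at accept time, the three admitted ones are served normally while they talk and are dropped once they have been silent longer than the timeout. A forking daemon needs the same two counters around its accept loop; for services started from a super-server, xinetd's `instances` and `per_source` directives express the same limits without changing the daemon itself.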

BSDI Director of Product Marketing Douglas Urner said the process table
threat is hardly catastrophic. "In theory, there is a vulnerability here,
which is like saying the gas in your car might explode."

BSDI software safe
Urner said the flaw probably wouldn't affect most BSDI software, because of
existing safeguards.

SGI Principal Engineer Bill Earl said the threat exists but isn't a big
deal, because the Daemons can be easily configured to limit incoming
connections.

Red Hat Software spokeswoman Melissa London wasn't familiar with the
process table problem, but she said holes in Linux usually are solved
quickly on public open source bulletin boards. "If there is any breach,
we'll work to fix it," she said.

A perceived lack of responsible vendor action to patch the problem is
partly what spurred Garfinkel to make the attack known.

"They don't do anything unless it's publicly exposed," he said. "I can shut
down any one of their servers on the Net."

Hard to stay hidden
But if he did, Garfinkel wouldn't be able to easily cloak his identity.
Because the onslaught can take up to 10 hours to complete, Unix experts and
vendors agree that maintaining stealth is nearly impossible.

"It's an attack you're unlikely to see people get away with," Urner said.

That fact doesn't assuage the fears of many Unix experts who take the
vulnerability seriously as yet another sign that the Internet isn't robust
enough to handle 21st century threats.

"The real deeper problem is that the whole infrastructure is pretty
rotten," said Peter G. Neumann, principal scientist at the Computer Science
Lab at SRI International.
