
Microsoft and the Dreaded Syn-scan

By Inoshiro in News
Sun Feb 27, 2000 at 07:34:57 PM EST

Wired has a story about Microsoft weathering what they called a Denial of Service attack. Which is fine, because it was, but then they went and compared it to the greater DDoS attacks. Click for an analysis.

The article starts off by being very dramatic with the words "Microsoft said on Wednesday that hackers had tried to topple its corporate Web site" ... Not that people haven't tried that before. Just like in that awful Will Smith vehicle, Independence Day, where the average LA populace shot at the UFOs, many people take potshots at microsoft.com daily.

They talk about the "very minor" slowdown. Interesting how they trump up how dangerous it was, then reveal it was only "a 3 to 7 percent slowdown." Sounds like a spin-doctor attack to me.

Then they talk about the recent DDoSes, which were bandwidth based attacks, and reveal that: "Instead, Microsoft suffered what Sohn called a "syn-flood" attack." Ooh, not a syn-flood! And, if the article is to be believed, it took actual admins to deal with this -- their firewall machines have no capabilities for automatically blocking port scans or syn floods, etc.

If you've ever had the pleasure of administering OpenBSD or Slackware Linux (with some extra packages) as a firewall, you know that they can easily handle syn-scans without operator intervention. So what does Microsoft use that requires such babying?

From an NT support flier: "Ever had that feeling of ACUTE PANIC that a hacker has invaded your network? Plug NT's holes before they plug you. There are now over 750 known NT vulnerabilities. You just have to protect your LAN _before_ it gets attacked. "

Ahh, proactive security. Who needs it?

PS: it's really a shame that the spin-doctors at MS who wanted to show how powerful MS is didn't realise that a syn-scan is like someone ringing your doorbell and running away, in terms of how much of a denial of service it is.


Microsoft and the Dreaded Syn-scan | 15 comments (15 topical, 0 editorial, 0 hidden)
I never could get interested in thes... (1.00 / 2) (#6)
by FlinkDelDinky on Sun Feb 27, 2000 at 03:37:14 PM EST

FlinkDelDinky voted 0 on this story.

I never could get interested in these security issues. It seems like a speciality topic that could be useful to a few of us.

Interesting analysis. I'd like to k... (1.00 / 1) (#1)
by rusty on Sun Feb 27, 2000 at 04:56:17 PM EST

rusty voted 1 on this story.

Interesting analysis. I'd like to know what everyone else thinks about this. Is it really that simple? Or is there something we're overlooking?

Not the real rusty

Re: Interesting analysis. I'd like to k... (4.50 / 2) (#8)
by Inoshiro on Sun Feb 27, 2000 at 09:35:41 PM EST

Well, a syn-flood is basically a bunch of packets requesting a TCP connection. If your server is a smart one, like Linux or a BSD, it will first do source validation ("is this from an insanely unreachable IP? Does this originate from the same IP as it claims to be from?"), and secondly check for things via the syn-cookies (at least on Linux).

From configure.help:
"Normal TCP/IP networking is open to an attack known as "SYN flooding". This denial-of-service attack prevents legitimate remote users from being able to connect to your computer during an ongoing attack and requires very little work from the attacker, who can operate from anywhere on the Internet.

SYN cookies provide protection against this type of attack. If you say Y here, the TCP/IP stack will use a cryptographic challenge protocol known as "SYN cookies" to enable legitimate users to continue to connect, even when your machine is under attack. There is no need for the legitimate users to change their TCP/IP software; SYN cookies work transparently to them. For technical information about SYN cookies, check out ftp://koobera.math.uic.edu/syncookies.html."

There are some other details in there, but this is truly a trivial thing to deal with if you have a properly setup firewall or webserver. The DDoSes, OTOH, genuinely used an attack method that was fairly effective, if not exactly groundbreaking. Using a huge cluster of compromised machines in concert to fill the bandwidth is something that has been possible for years, but that no one has actually executed. This is why the syn-flood story on wired.com is, well, pathetic, and shows a genuine lack of understanding of DoS attacks in today's technical journals. Router level traffic quotas will address the problems exposed by the DDoSes, but don't expect to see Cisco et al. actually produce such a useful device for a few months/years.

FYI: Microsoft also seems to have turned off all forms of ICMP at their router/firewall level, which is very silly as it blocks genuine clients and does not affect malicious people (much).

[ イノシロ ]
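As an added example (not part of Inoshiro's comment, and not the code of any real stack), a small simulation of the mechanism described above: a classic backlog server that drops legitimate SYNs once forged, never-ACKed SYNs fill its half-open queue, beside a server whose SYN-ACK sequence number is a keyed cookie over the 4-tuple, so it stores nothing until a valid ACK arrives. The secret, counter, addresses and backlog size are constructed, and the cookie layout is a simplification of the Linux scheme.

```python
import hashlib
import hmac

SECRET = b"example-only-secret"   # constructed server secret; real stacks rotate it
BACKLOG = 4                        # deliberately tiny half-open queue
WINDOW = 3                         # counter ticks during which a cookie stays valid

def mk_cookie(key, client_isn, counter):
    """Stateless cookie: MAC over the 4-tuple, client ISN and a slow counter, sent as server ISN."""
    mac = hmac.new(SECRET, repr((key, client_isn, counter)).encode(), hashlib.sha256).digest()
    return (counter << 24) | int.from_bytes(mac[:3], "big")

class BacklogServer:
    """Classic stack: every SYN allocates a half-open entry; forged sources never free it."""
    def __init__(self):
        self.half_open = {}
    def on_syn(self, key, client_isn):
        if len(self.half_open) >= BACKLOG:
            return None                      # queue full: the SYN is dropped
        self.half_open[key] = 5000 + len(self.half_open)
        return self.half_open[key]           # server ISN carried in the SYN-ACK
    def on_ack(self, key, client_isn, ack):
        if self.half_open.get(key) == ack - 1:
            del self.half_open[key]
            return True
        return False

class CookieServer:
    """SYN cookies: nothing is stored on SYN; the ACK must echo a cookie we could have sent."""
    def __init__(self):
        self.counter = 10                    # slow clock, e.g. one tick per minute
    def on_syn(self, key, client_isn):
        return mk_cookie(key, client_isn, self.counter)
    def on_ack(self, key, client_isn, ack):
        return any(ack == mk_cookie(key, client_isn, c) + 1
                   for c in range(self.counter, self.counter - WINDOW, -1))

def run_flood(server_cls, spoofed=50):
    """Flood with SYNs from forged, unreachable sources that never ACK, then let one
    legitimate client try. Returns (legit_connected, forged_ack_accepted)."""
    srv = server_cls()
    for i in range(spoofed):
        srv.on_syn((f"10.0.{i // 256}.{i % 256}", 40000 + i, "192.0.2.80", 80), 1000 + i)
    key = ("198.51.100.7", 51515, "192.0.2.80", 80)
    isn = srv.on_syn(key, 777)
    legit = isn is not None and srv.on_ack(key, 777, isn + 1)
    # An attacker who never saw our SYN-ACK has to guess the cookie.
    forged = srv.on_ack(("10.9.9.9", 4242, "192.0.2.80", 80), 1, 123457)
    return legit, forged
```

`run_flood(BacklogServer)` returns `(False, False)`: the forged SYNs exhaust the queue and the real client is locked out, while `run_flood(CookieServer)` returns `(True, False)`.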
Re: Interesting analysis. I'd like to k... (3.50 / 2) (#12)
by rusty on Sun Feb 27, 2000 at 10:44:38 PM EST

Good explanation. Of course, I knew this. :-) But others might not have. I actually meant, was that really all there was to the MS "attack"? I liked the part in the article where the "technicians" who "were in a heightened state of alert" dropped the route to the attacker.

Man, my machines do that for me, then send a polite email to tell me about it. Even when I'm in a "lowered state of total sleep". Isn't that what machines are for? ;-)

Overall, the article was exciting, fraught with apparent danger, and ultimately featured admins triumphant. I give it two thumbs up.

Oh, wait, that wasn't fiction?

Not the real rusty

But DDoS is not necessarily blockable (2.00 / 1) (#13)
by Imperator on Mon Feb 28, 2000 at 12:33:28 AM EST

Imagine you've got a box running FooWebServer on port 80. You've got a T1 that provides three times as much bandwidth as you normally need, because all you have is a small little commerce site.

Suddenly, a flood of TCP connections comes in on port 80. Your legitimate customers notice a very slow response time, because your server is bogged down with what appears to be normal HTTP traffic (and may well be just a bunch of HTTP traffic pulling pages to /dev/null repeatedly).

Or perhaps you're getting something that your router or firewall blocks. Your server is sitting idle because your incoming bandwidth is used by these useless packets that aren't even reaching their destination.

A distributed DoS attack is not necessarily blockable. Router level traffic quotas won't help if 99% of the packets the router receives are rejected, and only 5% of real packets make it to the router because the incoming bandwidth is overwhelmed.

Re: But DDoS is not necessarily blockable (none / 0) (#14)
by Inoshiro on Mon Feb 28, 2000 at 01:40:12 AM EST

This can be protected against via ingress and egress filtering. If you are a user on an ISP, and you suddenly start broadcasting the infamous ping of death packet, shouldn't your ISP kill them before they leave into the internet at large? And, if said packets are inbound, shouldn't they be stopped before they hit user machines?

Hell yeah :-) This is why ingress and egress filtering will protect people from most forms of attacks.

However, you are correct in that if enough machines are clustered together, they can use a relatively low bandwidth on their end, but use up all the target's bandwidth. But it is still possible to detect, at the router that is situated between the internet and the T1 line, that certain sets of IPs are requesting a large amount of transactions, i.e. more than is normal.

ASCII diagram:
[FooWebServer] ==T1== [Router] ===Internet== [Attackers]

Since the unusual actions are being blocked before the T1 even sees the traffic, our good ol' buddies at FooWebServer can keep serving up their own unique brand of humour :-)

As for the incoming requests that lead to invalid returns, that should be taken care of with the ingress/egress filtering I mentioned.

Of course, you could always have a larger cluster of compromised machines that can look more like "normal" traffic and fill up a router, which is why it is important to simply make sure all machines are secured. Thanks to Microsoft and shoddy software vendors, this is nearly impossible, and why I make sure all my machines are firewalled, and have ingress/egress filtering to minimize the probability that they will be involved in a DDoS.

Of course, the Slashdot effect will still neatly take down servers as it is legitimate traffic, even if a bit overwhelming :-)

[ イノシロ ]
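An added example, not from the thread, of the two checks Inoshiro places at the router in the diagram above: ingress/egress filtering on the source address (which also covers the "insanely unreachable IP" source validation mentioned earlier in the thread) and flagging sources whose request rate is far above normal. The prefixes, rate limit and packet capture are constructed.

```python
import ipaddress
from collections import Counter

# Constructed topology matching the diagram above: our hosts sit behind the router on the T1.
INSIDE = ipaddress.ip_network("198.51.100.0/24")
# Sources that can never legitimately arrive from the Internet (private/unroutable; abridged).
BOGONS = [ipaddress.ip_network(p) for p in
          ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RATE_LIMIT = 20   # requests per source per window beyond which the router flags a source

def filter_packet(pkt):
    """Ingress/egress rules at the router. pkt = (arriving interface, src, dst).
    Returns 'pass' or a drop reason."""
    iface, src, dst = pkt
    src = ipaddress.ip_address(src)
    if iface == "internet":
        # Ingress: the Internet side cannot hand us a packet carrying one of our own
        # addresses, nor one from a source nobody could route a reply to.
        if src in INSIDE:
            return "drop: ingress, forged internal source"
        if any(src in net for net in BOGONS):
            return "drop: ingress, unroutable source"
    elif iface == "t1":
        # Egress: our own hosts may only send with our addresses, so a compromised
        # inside box cannot join a spoofed flood against someone else.
        if src not in INSIDE:
            return "drop: egress, source is not ours"
    return "pass"

def flag_heavy_sources(packets, limit=RATE_LIMIT):
    """Count inbound packets that passed filtering, per source, and flag those above limit."""
    counts = Counter(p[1] for p in packets if p[0] == "internet" and filter_packet(p) == "pass")
    return sorted(src for src, n in counts.items() if n > limit)

# Constructed one-window capture: (arriving interface, source, destination).
SAMPLE_PACKETS = (
    [("internet", "203.0.113.5", "198.51.100.80")] * 3 +      # ordinary visitor
    [("internet", "198.51.100.9", "198.51.100.80"),           # forged: claims to be inside
     ("internet", "10.1.2.3", "198.51.100.80"),               # forged: unroutable source
     ("t1", "198.51.100.10", "203.0.113.5"),                  # our web server replying
     ("t1", "192.0.2.1", "203.0.113.5")] +                    # inside box spoofing a foreign source
    [("internet", "203.0.113.77", "198.51.100.80")] * 25      # one source far above normal
)

def summarize(packets=SAMPLE_PACKETS):
    """Return (verdict counts, flagged sources) for one window of traffic."""
    return dict(Counter(filter_packet(p) for p in packets)), flag_heavy_sources(packets)
```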
Decently informative, but just not ... (1.00 / 1) (#4)
by Demona on Sun Feb 27, 2000 at 05:08:23 PM EST

Demona voted 0 on this story.

Decently informative, but just not quite newsworthy enough.

Microsoft BS doesn't really interes... (2.00 / 1) (#7)
by neonman on Sun Feb 27, 2000 at 05:20:54 PM EST

neonman voted -1 on this story.

Microsoft BS doesn't really interest me. We all (or at least most of us) already know the virtues and whatnot of open source security. I use Linux for firewalling and routing, etc. I just don't think another instance of "Microsoft is dumb" is worthy of an article. I've already seen that for myself. This submission might have a better chance on Slashdot.
Aaron Grogan

This is a better quality of Microso... (3.00 / 1) (#3)
by Nyarlathotep on Sun Feb 27, 2000 at 05:28:42 PM EST

Nyarlathotep voted 1 on this story.

This is a better quality of Microsoft trashing than your average Slashdot article, i.e. the article actually says a little something. It doesn't say much, but it is still better than Slashdot saying "Microsoft said bla" and letting the users post 100 messages like the above post.
Campus Crusade for Cthulhu -- it found me!

MS bashing... I'm not swayed enough... (2.00 / 1) (#2)
by ramses0 on Sun Feb 27, 2000 at 06:41:48 PM EST

ramses0 voted 0 on this story.

MS bashing... I'm not swayed enough by this issue to want to see it on the front page, but very nice write-up, Inoshiro
[ rate all comments , for great justice | sell.com ]

Write-ups, et al. (2.50 / 2) (#9)
by Inoshiro on Sun Feb 27, 2000 at 09:38:42 PM EST

Seeing as you liked the write-up, would you also consider it nice if I, say, did a security feature regularly? Perhaps a summary of recent Bugtraq postings, as well as some "dry theory"? :-)

[ イノシロ ]
Re: Write-ups, et al. (2.00 / 1) (#10)
by FlinkDelDinky on Sun Feb 27, 2000 at 10:09:07 PM EST

Actually, I would enjoy security articles that did two things:

1. Take recent security breaches (from whatever OS; I would prefer Linux because that's what I use and want to learn about, others have different strokes, though).

These security issues could be taken from Bugtraq, which I've heard of because it's listed at: http://www.sourceware.net/sourceware/

2. This is the important one: explain that security breach to people that don't do security. That means all acronyms are spelled out and briefly explained.

That would be interesting. Maybe if a poster gets a high average rating kuro5hin can give him his own section to make "narrow" focus articles?

Re: Write-ups, et al. (2.00 / 2) (#11)
by rusty on Sun Feb 27, 2000 at 10:27:20 PM EST

I'd love to see security articles.

Not the real rusty
doesn't really float my boat either... (1.00 / 1) (#5)
by rajivvarma on Sun Feb 27, 2000 at 07:08:15 PM EST

rajivvarma voted 0 on this story.

doesn't really float my boat either way

Rajiv Varma
Mirror of DeCSS.

Re: Microsoft and the Dreaded Syn-scan (2.00 / 1) (#15)
by Strider on Mon Feb 28, 2000 at 11:11:31 AM EST

...about 3 to 7 percent, Microsoft spokesman Adam Sohn said.

That meant some people who clicked on a Web page on the site failed to see it the first time they tried.

Sounds like every other time I have tried to access the microsoft website. So what's new?

"it's like having gravity suddenly replaced by cheez-whiz" - rusty