A fairly serious flaw that was announced in October 2008 by Outpost24 (and apparently discovered way back in 2005), has finally been patched by the major players Cisco and Microsoft.

So far Redhat has offered a workaround for the flaw and Juniper has responded that their equipment is not vulnerable.

It could be that Juniper doesn’t really understand the attack yet, if so that’s bad news as most of the Internet backbone (ISP Level) runs on Juniper equipment.

Microsoft and Cisco have issued updates that protect against a new class of attack that requires very little bandwidth and can leave servers and routers paralyzed even after a flood of malicious data has stopped.

The bug in the TCP, or transmission control protocol, was disclosed in October by security researchers Jack Louis and Robert E. Lee of Sweden-based Outpost24. It gave many security watchers pause because it provided attackers with a new way to launch potentially crippling attacks on a wide array of equipment used to route traffic over the internet.

“This is definitely momentum and other vendors, once they fully understand what has been talked about here, will come up with mitigation strategies of their own,” Lee told The Register. “This really is good progress from both Microsoft and Cisco.”

Microsoft rolled it out in their normal “Patch Tuesday” fashion and Cisco issued a bulletin about especially disruptive DoS attacks.

Good to see it being addressed finally, I guess it took Microsoft some time and money in R&D to come up with a satisfactory solution.

I wonder if any other vendors will be following suite shortly.

On Tuesday, Microsoft responded with MS09-048, a security advisory that fixes a variety of networking vulnerabilities in Windows operating systems, including those discovered by Louis and Lee. The update implements a new feature called memory pressure protection, which automatically drops existing TCP connections and SYN requests when attacks are detected.

The update from Microsoft came during the company’s Patch Tuesday, in which it fixed a total of eight security vulnerabilities in various versions of its Windows operating system. In all, Microsoft issued five patches, which change the way Windows processes javascript, MP3 audio files and wireless signals. As always, the Sans Institute provides a helpful overview here.

Cisco issued it’s own bulletin warning that multiple products are vulnerable to DoS, or denial-of-service attacks that can be especially disruptive.

It’s often hard to fix problems like this in core components because a band-aid solution could end up breaking some of the functionality, especially with something like the TCP stack which is relied on so heavily.

Even then, a patch is released but how many people actually apply it? Cisco equipment is well known for being hard to manage/patch so I’d imagine many network devices will remain unpatched.

Source: The Register

We first wrote about Complemento 0.4b a little while ago when it first hit the public domain just last month (December 2008).

Now there have been 2 major updated versions, the latest being 0.6.

What is Complemento?

Complemento is a collection of tools that the author originally created for his own personal toolchain for solving some problems or just for fun. Now he has decided to release it to the public.

LetDown is a TCP flooder written after the author read the article by fyodor entitled article “TCP Resource Exhaustion and Botched Disclosure“. It has an (experimental) userland TCP/IP stack, and support multistage payloads for complex protocols, fragmentation of packets and variable TCP window.

ReverseRaider is a domain scanner that uses brute force wordlist scanning for finding a target sub-domains or reverse resolution for a range of ip addresses. This is similar to some of the functionality in DNSenum. It supports permutation on wordlist and IPv6.

Httsquash is an HTTP server scanner, banner grabber and data retriever. It can be used for scanning large ranges of IP addresses and finding devices or HTTP servers (there is an alpha version of a GUI for this). It supports IPv6 and personalized HTTP requests.

Improvements for v0.6

LetDown:

• New (experimental) userland TCP stack
• Support for multistage payloads (for complex and stateful protocol, such as FTP, SMTP…)
• Variable TCP Window size
• Fragmentation of packets
• Polite mode (ACK received packets and/or closing the connection with FIR or RST packets)

ReverseRaider:

• Support for IPv6

HttSquash:

• Support for IPv6

You can download Complemento v0.6 here:

complemento-0.6

Or read more here.

An interesting collection of tools for pen-testing including a DoS tool (something you don’t often see publicly released).

Complemento is a collection of tools that the author originally created for his own personal toolchain for solving some problems or just for fun. Now he has decided to release it to the public.

The Tools

LetDown is a TCP flooder written after the author read the article by fyodor entitled article “TCP Resource Exhaustion and Botched Disclosure“.

ReverseRaider is a domain scanner that uses brute force wordlist scanning for finding a target sub-domains or reverse resolution for a range of ip addresses. This is similar to some of the functionality in DNSenum.

Httsquash is an HTTP server scanner, banner grabber and data retriever. It can be used for scanning large ranges of IP addresses and finding devices or HTTP servers (there is an alpha version of a GUI for this).

You can download Complemento v0.4b here:

complemento-0.4b

Or read more here.