From agent99@boytoy.csd.sgi.com Thu Sep 19 15:43:55 1996
Date: Thu, 19 Sep 1996 14:15:21 -0700
From: SGI Security Coordinator
To: agent99@boytoy.csd.sgi.com
Subject: SGI Security Advisory, 19960901-01-A, TCP SYN Denial of Service Attack

DISTRIBUTION RESTRICTIONS: FOR PUBLIC RELEASE

-----BEGIN PGP SIGNED MESSAGE-----

______________________________________________________________________________
                Silicon Graphics Inc. Security Advisory

        Title:   TCP SYN Denial of Service Attack
        Title:   CERT(sm) Advisory CA-96.21
        Number:  19960901-01-A
        Date:    September 19, 1996
______________________________________________________________________________

Silicon Graphics provides this information freely to the SGI user community
for its consideration, interpretation, implementation and use. Silicon
Graphics recommends that this information be acted upon as soon as possible.
______________________________________________________________________________

- -----------------------------
- --- Background and Impact ---
- -----------------------------

Recently, two alternative technical magazines published articles expanding
upon other older documents and discussions about possible "Denial of Service"
(DoS) attacks in the TCP/IP protocol. These recent articles included code to
accomplish a SYN Denial of Service attack.

Silicon Graphics Inc. acknowledges and is aware of the SYN Denial of Service
Attack vulnerability as described in these two articles, and as discussed in
various security related mailing lists, Internet newsgroups and other public
media and in CERT(sm) Advisory CA-96.21.

Silicon Graphics is currently investigating and working with other vendors
and security organizations regarding this issue. At this time, Silicon
Graphics can only provide the following information.

Since the very nature of this attack is an abuse of the defined standard for
the TCP/IP protocol, this vulnerability exists to some degree in all TCP/IP
implementations, including the entire Silicon Graphics Inc. product line.

Due to the worldwide encompassing nature of this problem, a worldwide
solution needs to be developed to ensure interoperability, stability and
effectiveness. Silicon Graphics is working closely with other vendors,
standards groups and external security organizations to accomplish these
goals.

Please note that a Denial of Service attack does not indicate that a system
has had its security compromised. However, a Denial of Service attack could
be used to divert attention from actual intrusion activity.

Silicon Graphics regrets that no other information is available at this
time. As further information becomes available, additional advisories will
be released.

In accordance with Silicon Graphics standard operating policy and for the
protection of all our customers, all information on security matters will be
provided to all customers at the same time.

Please note that the support organizations of Silicon Graphics will not
assist with public security recommendations, fixes or programs. In order to
provide the highest levels of service, all SGI resources will be focused on
providing a complete SGI solution. Requests for assistance with 3rd party
security recommendations, fixes or programs will be redirected to the
originating 3rd party.

- --------------------------------------
- --- Attack Detection and Reporting ---
- --------------------------------------

During normal operation, detecting an attack may be difficult since the
attack only affects new incoming network connection attempts. Existing
incoming network connections as well as outgoing connections will continue
to function properly.

If an attack is suspected, any user on the system can execute the following
command:

        % netstat -a -f inet

If a large number of the connections are in the state of "SYN_RECEIVED",
this is a possible indication that a SYN Denial of Service attack is
occurring.

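The netstat check described above can be turned into a per-service count. The following script is an added example, not part of the SGI advisory; the column layout, the sample output and the threshold of 5 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: summarise half-open TCP connections in the output of
# `netstat -a -f inet` (read on stdin). Assumes BSD-style columns:
# Proto Recv-Q Send-Q Local-Address Foreign-Address State.

count_syn_received() {
    # Group by local endpoint (column 4), i.e. the service whose new
    # incoming connections are affected. SYN_RCVD is the abbreviated state
    # name printed by some other netstat implementations.
    awk '$1 ~ /^tcp/ && ($NF == "SYN_RECEIVED" || $NF == "SYN_RCVD") { n[$4]++ }
         END { for (a in n) print n[a], a }' | sort -rn
}

flag_suspect_listeners() {
    # $1 = threshold (site-specific assumption); prints local endpoints
    # with at least that many half-open connections.
    count_syn_received | awk -v t="$1" '$1 >= t { print $2 }'
}

# Constructed sample output using documentation addresses, not real data.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address    Foreign Address     (state)
tcp        0      0  192.0.2.10.23    198.51.100.7.1042   ESTABLISHED
tcp        0      0  192.0.2.10.80    203.0.113.5.2001    SYN_RECEIVED
tcp        0      0  192.0.2.10.80    203.0.113.9.2417    SYN_RECEIVED
tcp        0      0  192.0.2.10.80    203.0.113.14.3120   SYN_RECEIVED
tcp        0      0  192.0.2.10.80    203.0.113.77.1988   SYN_RECEIVED
tcp        0      0  192.0.2.10.80    203.0.113.120.4002  SYN_RECEIVED
tcp        0      0  192.0.2.10.80    203.0.113.201.1533  SYN_RECEIVED
tcp        0      0  192.0.2.10.25    198.51.100.20.1100  SYN_RECEIVED
tcp        0      0  *.80             *.*                 LISTEN
udp        0      0  *.514            *.*
EOF
}

# Per-endpoint counts, then the endpoints at or above a threshold of 5.
sample_netstat | count_syn_received
sample_netstat | flag_suspect_listeners 5
```

On a live system, pipe the real command into the function instead of the sample: netstat -a -f inet | flag_suspect_listeners 5.
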
Sites experiencing SYN Denial of Service attacks should report these attacks
to the Computer Emergency Response Team/CERT(sm) Coordination Center. The
CERT(sm) Coordination Center can be contacted at:

        CERT(sm) Coordination Center
        Internet: cert@cert.org
        Phone:    +1 412 / 268-7090
        FAX:      +1 412 / 268-6989
        http://www.cert.org/

- ----------------------------------------
- --- Silicon Graphics Inc. Disclaimer ---
- ----------------------------------------

Silicon Graphics provides the information in this Security Advisory on an
"AS-IS" basis only, and disclaims all warranties with respect thereto,
express, implied or otherwise, including, without limitation, any warranty
of merchantability or fitness for a particular purpose. In no event shall
SGI be liable for any loss of profits, loss of business, loss of data or for
any indirect, special, exemplary, incidental or consequential damages of any
kind arising from your use of, failure to use or improper use of any of the
instructions or information in this Security Advisory.

- -----------------------------------------
- --- SGI Security Information/Contacts ---
- -----------------------------------------

If there are questions about this document, email can be sent to
cse-security-alert@csd.sgi.com.

                      ------oOo------

Silicon Graphics provides security information and patches for use by the
entire SGI community. This information is freely available to any person
needing the information and is available via anonymous FTP and the Web.

The primary SGI anonymous FTP site for security information and patches is
sgigate.sgi.com (204.94.209.1). Security information and patches are located
under the directories ~ftp/security and ~ftp/patches, respectively. The
Silicon Graphics Security Headquarters Web page is accessible at the URL
http://www.sgi.com/Support/Secur/security.html.

For issues with the patches on the FTP sites, email can be sent to
cse-security-alert@csd.sgi.com.

For assistance obtaining or working with security patches, please contact
your SGI support provider.

                      ------oOo------

Silicon Graphics provides a free security mailing list service called
wiretap and encourages interested parties to self-subscribe to receive (via
email) all SGI Security Advisories when they are released. Subscribing to
the mailing list can be done via the Web
(http://www.sgi.com/Support/Secur/wiretap.html) or by sending email to SGI
as outlined below.

        % mail wiretap-request@sgi.com
        subscribe wiretap
        end
        ^d

In the example above, is the email address that you wish the mailing list
information sent to. The word end must be on a separate line to indicate the
end of the body of the message. The control-d (^d) is used to indicate to
the mail program that you are finished composing the mail message.

                      ------oOo------

Silicon Graphics provides a comprehensive customer World Wide Web site. This
site is located at http://www.sgi.com/Support/Secur/security.html.

                      ------oOo------

For reporting *NEW* SGI security issues, email can be sent to
security-alert@sgi.com or contact your SGI support provider. A support
contract is not required for submitting a security report.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMkG06rQ4cFApAP75AQFZ1QQAvcml1vQnRQDs7ZaFWWVN+OGfkOzyh2l/
HaSOfdmA1JZZ9xdis/jbR6YWYqGRYjxCVW3ugrCWjg2ir6biYlg6JlOKtL7gpXRd
deFDLHtAYeJKDwth1SEtg7AU9clFs1EMZoKmGAcGVBgQaSbhbx0H3//+jNg3eauV
MKxf1vL8ZYE=
=RVNS
-----END PGP SIGNATURE-----