|
|
This page presents evidence of a vulnability in some recent Macintosh software that could be leveraged by hackers to shut down some Internet Connections.
The scheme involves the use of multiple OS9 (and some OS 8.6) Macintosh computers connected to high-speed Internet connections - cable modems, ADSL modems and corporate LAN connections.
Word of this should be spread so that affected Macintosh owners will install the OT 2.6 upgrade from Apple Computer.
Network operators must learn how to configure their routers to foil this type of attack (Cisco's Task Force has the information and is working on it).
Atlanta Journal-Constitution article, and Fox News Network report (Quicktime movie: play), 12/29/99.
UDP "00" (double-0) probes continue. (1/6/00)
Attacks that are not Mac DoS Related (1/7/00)
A MacOS9 user says he was falsely accused of attacking the network DNS and lost his cable modem and TV service. He thinks his Mac might have been used for an indirect attack but can not prove it. This sort of thing that could happen, and is a compelling reason for Mac OS9 users to install the OT 2.6 upgrade. (1/4/00)
If the light on your cable or ADSL modem starts blinking continually, then your OS9 Mac may be helping to attack someone. If you are attached to a local area network, you may not be able to tell. Install the OT 2.6 upgrade from Apple.
As a general good practice, turn off any personal computer or disconnect from the cable or ADSL modem when you are not using it. LAN users are hopefully behind a good firewall and Intrusion Detection System. My cable modem address is probed several times a week by people looking for a computer that can be compromised. Except for the indirect D0S attack which is eliminated by the OT 2.6 upgrade, I do not know of any dangers to an Apple Macintosh, but new ways to break into other computers are revealed every week (see CERT, SANS, and ISS).
Open Transport version 2.6 is now available (1/5/00). I have not heard of any problems. Please install it.
The "Mac Flood Attack," a scheme for Denial of Service attacks on Internet connections (12/22/99).
Frequently Asked Questions (Q&A)
Smuft vs. Mac Dos Attack - The defense against Smuft will not work against Mac DoS.
UDP Probes of two types, "A" and "00" (double-0) Probes 1-3 had data "A" and ports 31789-31790. Probes 4-7 had data "00" and ports 60000->2140. The former came from Saudi Arabia, Italy, and AOL. The latter came from the Arab Emirates, Turkey, the U.K, Hawaii and New Jersey.
Mac Attack Scan and Attack Experiment
Email Received, Discussion (12/30/99).
Computer Emergency Response Team (CERT CA 99-17, Dec.28, 1999)
The SANS Institute (12/28/99)
Apple - "We've reproduced the problem in our lab and we are working now to create a fix that can be easily distributed to our customers. The problem only affects customers running our most recent release of networking software on machines that are continuously attached to the internet." - email to CERT, 12/27/99. The "first patch," called the "OT Tuner" was available on 12/28/99 but had problems reported (12/30/99) for users with changing IP addresses (DHCP with no long-term lease). The Open Transport v2.6 upgrade became available 1/5/00 and the URL was listed on the Apple Software Upgrade list, so Apple apparently believes this is the final solution. This was an unusually fast response considering all the testing that had to be done.
Mac Resource - http://www.macresource.com/
CISCO - Responses, General Internet Advisories
MacInTouch.com has a good update on problems found with the OT Tuner v1.0 (12/30/99)
Apple: 1500-byte ICMP Echo-Request packets and explanation of what they are.
Local copy of Peter Sichel Letter (to MacIntouch.com) explaining Route Discovery.
MacWeek.com - good coverage
Slash Dot (Computer-phile Web Page) http://slashdot.org/articles/99/12/28/146258.shtml
PGP Public Key (for encrypting email to me, and verifying email from me)
Links to pages with information about Internet attacks:
Computer Emergency Response Team (CERT), (CA 99-17, Dec.28, 1999)
SANS Institute
Forum of Incident Response and Security Teams (FIRST)
I'm getting email questions about Mac security products. Here some possibilities for you to look into (no endorsement implied):
How do you watch what's going across your network? I use "tcpdump", a free program for Linux. Mac programs that have been suggested by Eric Belsley are EtherPeek (packet sniffer) and OT SessionWatcher (text representations of OT TCP/IP streams). The latest version of WhatRoute (1.6) also has a monitoring capability.
This won't help the current problem, but OpenDoor just announced an additional security product, the DoorStop Personal firewall. DoorStop adds IP-address-based security not just to ShareWay, but to all TCP/IP services on a particular machine. It's especially targeted at Mac OS 9's new services, and at any end-user Mac that's connected to the Internet 24 hours a day, such as through a cable or DSL modem or an intranet. http://www.opendoor.com/DoorStop/
See what Sustainable Software is doing these days, http://www.sustworks.com/
Personal comments on Macintoshes and Cable Modems - two good technologies.
(note: Georgia Tech's network will be shut down from Dec. 30 until Jan. 4, 2000)
Web Site for the ECE Communications Systems Center
Web Site for EE6086, Cryptography and Data Security, Sum.'99
Web Site for EE4074, Local Computer Networks, Spring '99
Web Site for EE6607, Computer Networks, Fall '99
Web Site for EE3200, Elements of EE I, Fall '97
Notwithstanding any language to the contrary, nothing contained herein constitutes nor is intended to constitute an offer, inducement, promise, or contract of any kind. The data contained herein is for informational purposes only and is not represented to be error free. Any links to non-Georgia Institute of Technology information are provided as a courtesy. They are not intended to nor do they constitute an endorsement by the Georgia Institute of Technology of the linked materials.