Specially Crafted Packet DoS Attacks, Here We Go Again

One of the more unusual types of Denial of Service (DoS) attack involves the use of specially-crafted packets. Most cybersecurity professionals are already familiar with volumetric and amplified DDoS attacks, and fragmented and application-layer DDoS attacks have drawn more recent attention. However, few understand what a specially-crafted packet DoS attack actually is.

Every type of computing system has vulnerabilities. When a cybercriminal takes advantage of a vulnerability (known as exploiting a system), numerous unwanted outcomes may follow, including Remote Code Execution and a Denial of Service Condition.

These two types of vulnerabilities are quite different in nature. Remote Code Execution exploits poorly written code, most often for data exfiltration, while a Denial of Service Condition takes advantage of protocol and application weaknesses to take systems offline.

Microsoft’s latest update addressed a vulnerability that could cause a denial of service condition if an attacker sends a sequence of specially-crafted packets to a vulnerable application. Below is a screenshot of the security bulletin.

Microsoft Security Alert

On June 10, Microsoft announced another denial of service vulnerability, “Vulnerability in TCP Protocol Could Allow Denial of Service”, and yet another on May 13, “Vulnerabilities in iSCSI Could Allow Denial of Service”. Unfortunately, these types of vulnerabilities are becoming increasingly commonplace.

For example, if you go to the United States Computer Emergency Readiness Team (US-CERT) website and search for the terms “Cisco IOS Denial of Service”, the search returns 4910 results. Many are advisories related to denial of service vulnerabilities that use specially crafted packets against Cisco IOS.

If you search for “Juniper Denial of Service”, the search returns 29 results. Many of these advisories also involve the use of specially crafted packets to create a denial of service condition.

Finally, if you search for “SCADA Denial of Service”, the search returns 35 results.

So what are attackers actually doing when they use this type of attack to take systems offline? Sometimes it’s as simple as sending the same packet over and over again to a vulnerable system; other times the attackers take advantage of weaknesses somewhere in the protocol stack.

Back in 2011, the killapache.pl Perl script was released by a security researcher who goes by the name of Kingcope. Killapache.pl sends GET requests with multiple byte ranges that claim large portions of a system’s memory space. In other words, killapache.pl is a script that exploits a weakness in the way certain versions of Apache process specially-crafted HTTP requests. Eventually, the script is able to take the system offline by consuming massive amounts of CPU.
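The defensive counterpart to the byte-range abuse described above is to parse the Range header and bound how many ranges a single request may ask for, which is what Apache's MaxRanges directive later did server-side. The following is an added example written for this article, not code from the original post or from Corero: a small Range-header parser and classifier run over constructed header values, with the 200-range threshold being an assumed value for illustration.

```python
import re

# Assumed threshold for this example; tune it to the application's real needs.
MAX_RANGES = 200

_SPEC = re.compile(r"^(\d*)-(\d*)$")


def parse_byte_ranges(header_value):
    """Parse a Range header value such as 'bytes=0-99,200-,-500'.

    Returns a list of (start, end) tuples: end is None for an open-ended
    range ('200-') and start is None for a suffix range ('-500').
    Returns None when the value is not a valid byte-range request.
    """
    if not header_value.lower().startswith("bytes="):
        return None
    ranges = []
    for spec in header_value[len("bytes="):].split(","):
        m = _SPEC.match(spec.strip())
        if not m or (m.group(1) == "" and m.group(2) == ""):
            return None
        start = int(m.group(1)) if m.group(1) else None
        end = int(m.group(2)) if m.group(2) else None
        if start is not None and end is not None and end < start:
            return None  # last-byte-pos before first-byte-pos is invalid
        ranges.append((start, end))
    return ranges


def classify_range_request(header_value, limit=MAX_RANGES):
    """Return 'malformed', 'excessive' or 'ok' for one Range header value."""
    ranges = parse_byte_ranges(header_value)
    if ranges is None:
        return "malformed"
    if len(ranges) > limit:
        return "excessive"  # candidate for rejection or alerting
    return "ok"


# Constructed sample header values (not captured traffic).
SAMPLE_HEADERS = {
    "resume-download": "bytes=1048576-",
    "two-chunks": "bytes=0-99,100-199",
    "many-overlapping": "bytes=" + ",".join(f"0-{i}" for i in range(1, 301)),
    "garbage": "bytes=abc-def",
}


def scan_samples(samples=SAMPLE_HEADERS, limit=MAX_RANGES):
    """Classify every sample; the result is what a WAF rule or log job would log."""
    return {name: classify_range_request(v, limit) for name, v in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name:18} {verdict}")
```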

This type of attack is very effective at causing system crashes and reboots because it consumes as much memory or CPU as possible rather than consuming bandwidth. At the end of the day, this is just another type of denial of service attack vector that enterprises need to prepare for by deploying a proper defense system.

Corero has a long history of protection for these types of attacks and Corero products fully defeat the broad spectrum of denial of service techniques. As a matter of fact, Corero had zero-day protection for the killapache.pl script years before it was released into the wild.
