Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Apple Businesses

Apple's Response to "Denial of Service" 70

carbondave writes "Apple has made an update for Open Transport and it is currently available for download at Apple's website. Here is the contents of the read me that comes along with it. OT Tuner 1.0 switches off an option in Open Transport that would cause a Macintosh to respond to certain small network packets with a large Internet Control Message Protocol (ICMP) packet. This update prevents Macintosh computers from being the cause of certain types of Denial of Service (DOS) issues. " This is a follow-up to yesterday's coverage of OS9 machines being used in DoS attacks.
This discussion has been archived. No new comments can be posted.

Apple's Response to "Denial of Service"

Comments Filter:
  • i guess the best hoaxes are the ones that companies release patches for?

  • by _GNU_ ( 81313 ) on Wednesday December 29, 1999 @03:14AM (#1436816)
    Apple got it out about an hour after the slashdot post, very good compared to "other" software companies..
  • At Apples Website:

    Description
    OT Tuner 1.0 switches off an option in Open Transport that would cause a Macintosh to respond to certain small network packets with a large Internet Control Message Protocol (ICMP) packet. This update prevents Macintosh computers from being the cause of certain types of Denial of Service (DOS)
    issues.

    It appears that dling and intstalling the patch would prevent the Mac from being able to do a DOS. That function could come in useful someday... unless it closes a security hole in the Mac, why bother to get it. It simply limits the capabilities of the Mac (while running OS 9).

    Hmmm... patches like this are somewhat useless unless:
    A: The patch protects the Mac from getting attacked by a DOS.
    B: People are stupid enough to dl them.

    Am I missing something? This does not make sense why someone would want to prevent there computer from being able to do a DOS - most people want their computer to be safe from DOS - they don't care if it can do one or not.
  • From the Copeland FAQ:

    you may be legally liable for making it possible for a cyber-terrorist to use your computer to attack someone else, if you do not apply the fix and still leave your Macintosh connected to the Internet.

    Leaving an unpatched Mac connected to the internet is like giving a loaded gun to a monkey. Remember there is a "conspiracy to shut down Internet Connections."

    But when, John!? When? Christ almighty tell us when this dreaded attack will take place!

    Zero-hour is probably New Years Eve, EST.

    Somebody's been sniffing the old Maser a bit much lately.

  • by jd ( 1658 ) <`imipak' `at' `yahoo.com'> on Wednesday December 29, 1999 @03:19AM (#1436819) Homepage Journal
    • Run a global "Apple Network Stack Upgrade Compliance Test", to see which users have upgraded, on December 31st, at 23:59:59
    • Modify the super-huge ICMP packet to only affect Winsock 2.0 systems
    • Turn it into a promotion gimic ("Our Packets Are Bigger!")
    • Sell Apples as Network Stress-Testing Tools
    • Point out the cost-savings ("Crackers costing you millions? Buy Apple and DoS your own network for free!")

    Seriously, it's great to see a commercial company actually respond to a serious software fault, rather than blame the user, the competitors, the media, or the small furry creatures from Alpha Centauri who have been helping with the debugging.

  • 100 bugs in the code,
    100 bugs in the code,
    Squash a bug, type "make all",
    ...
    101 bugs in the code,
    101 bugs in the code...

    Sorry, I haven't woken up yet.

    Kaa
  • It could be possible that Apple released their patch because they did not want to be held as responsible in case this was really put to use. They also could have released it in order to decrease network bandwidth use by the systems themselves (1500 bytes does add up after a while.)
  • There is also a CERT advisory covering this and a few other DoS's (i.e. TFN2K). The CERT advisory is available at http://www.cer t.org/advisories/CA-99-17-denial-of-service-tools. html [cert.org].

  • by Anonymous Coward
    available at (816) 246 6160
  • I'll repeat a quote from mentat.com [mentat.com] that I saw in yesterday's discussion:

    MPS is the native STREAMS on Apple Mac OS, Novell NetWare, Wind River VxWorks,Hewlett-Packard HP-UX, IBM AIX, Digital UNIX, and other many leading computer and embedded operating systems.

    According to available info, MPS is where the Mac Attack exploit was found. What other systems will also amplify similar packet attacks?

  • That's exactly the stupid-ass attitude that makes it possible to run smurf attacks against people, still ...

    "why should I turn off directed broadcast?? What difference does it make if my network is used to destroy someone else's connectivity?"

    Shit, I'll tell you why you should apply the patch. Eventually, ISPs are just going to blackhole the networks that source denial of service attacks, because eventually it is your responsibility for being vulnerable, rather than the attacker's responsibility for exploiting you.

    Purchase clue.

  • by Zigg ( 64962 ) on Wednesday December 29, 1999 @03:27AM (#1436826)

    I would wager by the fact that it's been confirmed by Apple labs and is detailed in a PGP-signed CERT advisory [cert.org] that you can stop calling it a hoax now.

    Normally people do things like prove that vulnerabilities do not exist (by testing or by intimate knowledge of the way a system is designed) before calling them hoaxes. Since I had no access to MacOS 9, and no verifiable sources were saying that it was a hoax, I was definitely not going to propagate that rumor.

    Security problems are real. Let's help them get solved instead of shooting off our mouths.

  • Hmmm... patches like this are somewhat useless unless:
    A: The patch protects the Mac from getting attacked by a DOS.
    B: People are stupid enough to dl them.


    Don't you mean smart enough to download them? If you're not smart enough to get patches for your favourite OS, then you have a problem.

    most people want their computer to be safe from DOS

    Ergo this discussion of MacOS :-) DOS is such an evil bastarization of CP/M and Unix(r).

    At least this security problem was redressed quickly. There was no "force closing of apps" patch for the logout problem [securityfocus.com] mentioned on BugTraq [securityfocus.com], nor one for the MacOS 9 weak password encryption [securityfocus.com].
    ---
  • Well, for one thing applying the patch does protect you against the DoS. Remember that this attact is something like a combination of a Smurf and a Ping of Death attack. The ICMP response that the Mac OS 9 machine generates is 1499 bytes of payload. Add any sort of headers and this thing is bigger than the MTU of a standard ethernet frame.

    So if you wanted to use this to really cramp the style of someone with a spiffy new G4, you would send the request packet and forge the source address to be the victim's own address. Even better, set the source address to be the broadcast address on the victim's LAN.

    I suspect this could cause some serious havoc in a lab full of iMacs. Even worse, the new iBooks now ship with Mac OS 9. I hate to think what this kind of DoS could do to a large wireless LAN.

    Just download the patch. Think of it as just one more extension in a bloated system folder. And just think, with OS X client, you won't have to fool around with extensions anymore.
  • Or, Apple could have released this patch to look good. PR is extremely important, especially in tech industries. When computer-illiterate people want answers to tech questions, they usually ask their "resident geek" - a kid who knows what he's talking about. If that kid reads Slashdot (as any self-respecting resident geek should), his answer to "Is Apple security-conscious?" will probably have a lot to do with the stories he sees here and elsewhere. Eventually, every software company in the world is going to figure out that if they look good to Slashdot, they'll be more successful. Hopefully, that will mean actual improvements in quality. So, yeah, maybe this is a Good Thing.
  • Apple is definitely to be commended here. I just hope that where MacOS 9 is deployed, the system owners will respond as quickly in updating their systems. I suspect the knowledgable network admins probably will. The earlier comment [slashdot.org] about liability scares the shit out of me but might be a good motivation.

  • Doesnt seem like Apple is advertising this in any way, so it's only the 24/7-news-reading ppl who will update, at least for now..
    But MacOS 9.0.1 is on the way, and that should contain the patch and be vide spread..
  • Of course you are DoS'd if someone uses up all your network bandwidth, even if your computer doesnt crash, you are still beeing DoS'd.
  • Thanx for the info. I don't use a Mac (unless at parents house) so I am a little clueless about them. Mainly I run NT (at work). As I work a computer programmer for Honeywell we only upgrade after a patch has been out for at least a couple months (so the patches for the patches are out - for ex. we only just recently got Office 97) only our coding software is up to date. But one of my parents has a G4 - I work on it sometimes.

    Having to use Win based systems, generally I don't trust patches because they are always faulty... but the post clears the issue up.
  • why someone would want to prevent there computer from being able to do a DoS ?

    Umm...because we're responsible Netizens? Because less network abuse overall implies less network abuse affecting me, my family & my colleagues? I suppose you also ask why guns should have trigger locks, since that limits their ability to do certain things (e.g. kill people).

    Altruism aside, if my Mac is putting out fewer garbage packets, then there's more bandwidth available for things that I want to do. Also, if Macs are less attractive to malicious crackers, then that's A Good Thing for several easy reasons.

  • Yes you missed something...
    This dosn't stop the user [guy behind the keyboard] from doing a DoS... it dosn't even slow him down...
    What this dose is prevents a third party [not the guy behind the keyboard] from using the Mac for a DoS.

    So this DOSE close a security hole in the system.. it dosn't let them do anything sereous to the victom computer but it dose allow a script kidding to use a victoms Mac to mount an attack on an unsuspecting target
  • It's not the same one, the "OT Tuner" that has been out for a while is configurable, this one isnt.
    Maybe it's possible to use the old "OT Tuner" to remove the DoS problem too, not sure..
  • Sorry I was a little harsh. It gets real nasty when you have to chase a DOS attack all over your backbone trying to find out where it is coming from .... plug one hole, open up another. It is a touchy subject.

    The smurf problem illustrates nicely ... there is one line on a Cisco that fixes smurfs entirely. Go to the console, configure ethernet interfaces, and type "no ip directed-broadcast", and smurfs are no longer capable of being amplified from your network. If you search the 'net, however, you can find lists of networks which haven't taken the simplest measures to protect others from their misconfigurations.

    The distributed network attacks are a new danger. Rather than protecting others from DOS by securing your network border, now you have to secure each internet accessible machine in order to avoid being used as an attack platform. This seems to me to require much more attention from users, rather than network admins, and so it is very necessary that people understand what their lack of a patch can do to someone else. It is really an issue of education, and the education is severely lacking.

    Cheers.

  • Eventually, ISPs are just going to blackhole the networks that source denial of service attacks, because eventually it is your responsibility for being vulnerable, rather than the attacker's responsibility for exploiting you.

    IIRC, haven't initiatives to blackhole smurf amplifiers been around for awhile? I think the threats certainly got a lot done; but an ISP, unless they are having serious troubles, has to contend with their stupid user base first complaining about not being able to access such-and-such a site.

    The same problem exists (regrettably) with spam. I would LOVE it if ISPs everywhere could run MAPS on their servers, but they just can't, because the stupid user base would scream bloody murder, not understanding the implications. Any kind of filtering, no matter how intelligent, is going to block legitimate mail as well.

  • by imac.usr ( 58845 ) on Wednesday December 29, 1999 @04:02AM (#1436843) Homepage
    I did, with ResEdit...this is a very odd extension. The 'INIT' resource appears to contain just raw data instead of typical INIT code. There are also ASCII names of several Open Transport routines (presumably, the ones being patched). But why put this into an INIT which can be disabled via Extensions Manager? Why not do what they did with the Font Manager Update for 8.6; patch the Extensions Manager prefs so that this obviously important piece of software can't be disabled easily? The code should be similar to the FMU code, so it souldn't be that hard to implement. Either that, or set it up as a 'scri' file, so it can't even be seen by EM (although it would then load before OT does, so maybe that's not such a good idea).

    Also, as of this morning, this was still not available via Mac OS 9's built-in Software Update. I hope we aren't expected to all know to go to Apple's site and download the patch ourselves....


  • by DonFreenut ( 130669 ) on Wednesday December 29, 1999 @04:03AM (#1436844) Homepage

    I find any Slashdot coverage of DOS issues vaguely ironic, as the Slashdot effect is probably responsible for more DOS attacks on web servers than any other person/group/effect. It's especially funny because the targets of these attacks are supposedly sites of interest to the attackers. It's kind of like one of the web-defacement groups DOS-ing attrition.org, or something.

    That's not to say that I'm going to stop participating in the daily massive distributed DOS attempts. No one ever said the Internet was a republic.
  • Eventually, every software company in the world is going to figure out that if they look good to Slashdot, they'll be more successful.

    While I don't contest that ``looking good to /.'' is usually a good thing, I don't think the sheer act of pleasing the populace here is necessarily a winning situation in all cases. Let's face it, /.ers (myself included) don't always take the reasonable course.

  • Wrong:

    A CERT advisory takes a few weeks to prepare. And CERT always warns the vendors first and waits until they develop a fix and send it out to all their branches and support contacts.

    So it is least likely that Apple just got it out yesterday. It is possible that the release day was shifted but there is a 99% probability that the fix was already developed and just waiting until all Apple distributors have it.

  • Usually only Open Source-based products get patches that fast. Not only is Apple's Open Transport not Open Source, it's licensed from a third party to boot. Even though OT is pretty easy to tweak, it's still impressive that Apple did the Right Thing so fast.

    I'm sure there were script kiddies out there hoping to exploit this particular hole - but I have my doubts about the "Y2K/black helicopters" scenario that the fellow who spotted this bug seems to believe is imminent...

    - -Josh Turiel
  • Many people should care if their Mac (or other computer) is able to do a DOS, especially when the feds knocks on their door because they are flooding a govt site.

    Picturing it.... Haapless user is downloading a Quicktime... suddenly the download slows.. user thinks "oh the net is slowing down again" figuring the bandwith between her mac and the website is narrowing... A rather smart presumption for any user to make and Mac users (to spite myths) generally are smart...
    But this isn't what is happening...
    Instead some script kiddy is sending costum UDP requests to the victoms Mac to have the Mac send larg packets to old_pathetic_system.bigbrother.gov.
    User chouses to make the most of it.. after all the user is FTPing the Quicktime for local playback.. Shure she could stream it directly using her Cable modem but she chouses to have it stored on her hard disk so he can view it at her lesure...
    So now that everything is SO SLOW she picks up her stuff and heads over to Pizza hut and orders a nice x-larg pizza. Everything should be done by then.
    She comes home [having stuffed herself with pizza] to find 3 government agentcys climbing over her appartment...
    But the good news is.. sence she wasn't home and the script kiddy was going to keep it up for as long as the Mac was on-line they hunted down and cought the real attacker.
    However that hasn't prevented anyone from smashing open the door to her appartment and screwing up her download...
    Before she downloads the quicktime again however.. she makes a quick trip to Apples website to download the patch.. becouse she is after all.. a rather smart person... She just isn't a computer expert...
    In the mean time she sues 3 government agentcys for damages to her place... sues the script kiddy for involving her in his pathetic sceams.. and watches her quicktime while munching pizza.
    Oh yeah and she clues in a government waist advocacy group about old_pathetic_system.bigbrother.gov and they have it taken down only to be replace by new_pathetic_system.bigbrother.gov...
  • Normally people do things like prove that vulnerabilities do not exist (by testing or by intimate knowledge of the way a system is designed) before calling them hoaxes.

    you know, maybe in a perfect world that's true, but not in the world that apple users have been given [apple.com].

    so, Zigg, please try to stay on topic within threads. giggle!

  • Also theres the plus side of not having your account closed for being the source of a DoS attack... violating your ISPs ToS..
    And all that explainning to non-tech legal experts how you arn't responsable and that it's just a defect in your computer...
  • ...and you'd be right. I installed the patch on my iBook late last night. This morning, my wife dials in and TCP/IP doesn't work at all. I had to toss the patch extension to get things to work again. This is apparently a common problem; similar reports are on http://www.macintouch.com/. I expect a revised patch will be released soon...

    I don't mind so much right now with a variable IP and dial-in networking, and I suppose that being behind an Airport will protect us when we're back home with the cable modem.
  • most people want their computer to be safe from DOS

    Ergo this discussion of MacOS :-) DOS is such an evil bastarization of CP/M and Unix(r).


    DOS = Denial Of Service, not Disk Operating System
  • Since we're apparently battling with semantics here, let me point out that Mr. Phelps was giving a very noncommittal answer (``smells like a hoax'') rather than calling it an outright hoax. It wasn't too smart of him; but he did at least partially do The Right Thing(TM).

    In any event, your first post sounded to me like you were propagating the myth that it was indeed a hoax; I would have qualified it a little better. For the misunderstanding, I apologize.

  • Looks like if you install Apple's patch, you might lose your networking ... especially if you use their Airport wireless network. Check out:

    http://www.macintouch.com/macattack.html [macintouch.com]

    for details.

    -matt

    ---
    Wha? TV & Movie Theme Songs? Oh yeah....

  • Yeah, I have blackholed selected IPs, but only for short times under extreme circumstances. The idea of a real blackhole, where you have to remedy the problem before you are let back in the routing tables, hasn't caught on yet. :(

    Perhaps the distributed DOS trend will help generate the need for some kind of structured blackhole process by which the offending network/user can be informed, and the blackhole reversed when security problems are fixed.

  • no probs on any mac I've installed it on, no airport though...

    Well, if the network is behind a firewall (which most Airport networks are), the patch isnt needed.
  • (or of course not connected to the internet at all)
  • Among its readers' findings:

    OT Tuner disables connections to the 'base station' for iBooks and other AirPort-compatible Macs, and makes TCP/IP connections via Timbuktu Pro impossible.

    OS 9 users may already have a solution on their install CDs, a control panel called "TCP/IP Options" which is unsupported by Apple, but can disable the IP Path MTU Discovery feature that reportedly causes the 'Mac attack.' Apple has a Tech Info Library about TCP/IP Options: http://til.info.apple.com/techinfo.nsf/artnum/n210 75

    Finally, a Mac network software guy said the problem is indeed related to OT using Mentat/TCP 3.5's new method of Automatic Path MTU Discovery. OT previously would set all outgoing datagrams as "Don't Fragment," though OT Tuner changes that. (whatever the hell that means.)

    More is here at http://www.macintouch.com/macattack.html

    J.
  • Gez, NO IT ISN'T. The "1500 byte packet" is the thing being handed to the ethernet driver -- data + UDP header + IP header.

    We just keep breeding better idiots...
  • ..or otherwise crashable using one of the myriad tools available to decimate the Microsoft Windows TCP/IP stack. I have a shell script that I experiment with that runs everything in my "arsenal" when someone tries messing with my machines on the internet. It's successful more than half the time. The simple fact of the matter is that most people don't pay enough attention to the security and integrity updates that OS makers release constantly.

    Think how many UNIX boxes are rootable despite the best efforts of CERT and BugTraq, and these people are supposed to know better! You can thank incompetent and lazy sysadmins the next time your network is the victim of a distributed UDP/ICMP DoS attack. The tools to cause this kind of chaos are becoming more and more widespread (Trin00 and TFN on the UNIX side, and now this Mac-targeted tool), and if you thought Smurf attacks were bad, imagine something that's impossible to stop and just as untraceable rendering your network useless.

    It's a pretty fucked-up situation. And it's not gonna get any better any time soon, I'm afraid.

    - A.P.
    --


    "One World, one Web, one Program" - Microsoft promotional ad

  • Actually, if you check Apple's download page, it says that you should install the software if you've got an iBook running 8.6. That's because they included the MacOS-9 version (or at least a succeptable version) of OT (2.5.2, I think) on the iBook and some later iMacs that didn't get MacOS-9

    My wife's iBook has the problem, though it's hidden behind NAT, so it's not an issue.
  • the file date created/modified is Mon, 12/27/99, 12:00AM.
  • Why do people keep calling me and asking me about apples?

    I don't even like apples.

    Pears are cool, though.

    - A.P.
    --


    "One World, one Web, one Program" - Microsoft promotional ad

  • This is a trustable patch. First off, I've rarely if ever had a problem with an Apple update. Second, this doesn't even patch any executable code, it just changes a default setting in Open Transport.

    I installed it last night (on a G3/400 on a LAN with DSL access via a gateway), and everything is, as expected, working smoothly.

    --
  • Ok, listen up people, I have a mac, I got the patch, and it didn't do anything but mess up my networking. There's a report [macnn.com] over at macnn [macnn.com] about a bunch of people who wrote in to macnn with the problems they had and how they went away once they disabled the patch. Same thing happened to me.

    I admit that it IS impressive that apple got that patch up so damn fast (like a few hours after the slashdot post), but something is screwy with it. Hopefully 1.1 will come out soon (it was 1.0).

    Anyways, so if you have a mac, dont install it. You'll have problems.
  • you may be legally liable for making it possible for a cyber-terrorist to use your computer to attack someone else, if you do not apply the fix and still leave your Macintosh connected to the Internet.
    IANAL, but that sounds like total crap. Are victims of Melissa legally liable because they "allowed" the virus to propogate to other machines? Copeland did a very good service by identifying this issue, but I think he went a bit overboard with his legal psuedo-threats and Y2K doomsday predictions.
  • From what I was reading about this, they were claiming that a (roughly) 40 byte ICMP query could generate a 1500 byte response creating a multiplier of about 38x.

    I though that the standard ethernet frame size was 1500, and that would effectively make that a 1 to 1 DOS attack. (That is, the multiplier is meaningless because the packets aren't bundled within a frame).

    What am I missing? Can you package multiple packets within a frame? Is that a MAC, ICMP, IP, or TCP convention?

    Thanks!
  • OK.. if you had done your homework here, and looked throught the posts, it seems that everyone who is having this sort of problem is behind thir own firewall (or NAT system), and is therefore totally imune to this form of attack, and, if they had actually read the read-me, were not even told to install this.

    Apple is putting out this patch, and recomending it only to people with dedicated internet connections (large-LAN or CableModemm custiomers), not to people with AirPort, or other Modems... I do agree that it should not affet these customers, but what do you expect for shoot-from-the-hip solution. If you are not affected, take the extension out of your system folder, and forget about it... when 9.1 comes out, this will be completely taken care of...
  • D'oh! I just looked at it again more closely; there's the 'Joy!' identifier...PowerPC native code.

    Sigh. Never mind. :-[
    (See, that's what you get for always building homemade INITs as 68K code segments!)

  • DoS = Denial of Service
    DOS = Disk Operating System eg: MessDOS
  • by Anonymous Coward
    ...years ago that it's Apple's policy to first release a patch as an extension or plug-in, or whatever. Then, when it's sure it does what it is supposed to do, it'll be integrated or patched into the system files completely. Whether or not this DOS is serious, Apple released the extension very quickly. I suppose they didn't have time to patch the whole OT extension set and check for anomalities. I bet the patch will be fully integrated into the coming MacOS 9.1.
  • i installed it cuz i have a cable modem, and os9. i have taken it out of my system folder, cuz a) i realized i dont really care about the issue and b) it was messing shit up.

    i was just telling people what i had discovered myself and from other reports at macnn..
  • You must have missed the sentence where the Apple Tech Support guy says, "I'm not saying it is indeed a hoax, I'm just saying don't put a lot of validity to it until we know more."
  • humour.lost = TRUE;

    Sigh.
    ---
  • this smart mac user you are describing seems to be Laura Croft?
    Hehe.. a 3D first person shooter carricter is a Mac user? I kinda presummed she was a Play station coder...

    Accually no.. It's sort of a composit of two Mac geeketts I know..
    A Web Deva and a Unix deva
    The Web Deva edits web pages on the Mac (Note pad and kick butt graphics editing)...
    The Unix deva turns old Macs into Unix servers.. she needs only one Mac but has no end of need for Unix servers and finds herself allways upgrading her Mac.

Almost anything derogatory you could say about today's software design would be accurate. -- K.E. Iverson

Working...