The "Mac DoS Attack," a Scheme for Blocking Internet Connections

By John A. Copeland
Professor, Georgia Tech ECE
Atlanta, GA 30332-0490

(Written 12/22/99 - see FAQ and Probes for updates)

 

As part of my ongoing research on Internet data communications and cable 
modem operations, I have been using a second computer to monitor the data 
packets that travel between a cable modem and an Apple Macintosh computer.

 Internet <---> CATV coax <---> Cable Modem <---> Macintosh Computer
                               or ADSL Modem  |
                                              V
                                       Monitor Computer
                                           
I noticed some unusual packets that were causing an unexpected response
from my Macintosh.  These UDP packets were only 29 bytes (characters) long,
but they caused my Macintosh to send back a 1500 byte packet. This
returning packet was an Internet Control Message Protocol (ICMP) type. 
This type sometimes has priority over the TCP and UDP packets that carry 
data from computer to computer over the Internet.  Over the period Nov. 28
to Dec. 22 I saw these packets on five occasions.  The first three came
from Italy, AOL, and Saudi Arabia.  The latter two came from the same computer 
in the Arab Emirates.
 
These packets were "crafted," which means their contents were not what a
normal network stack would produce.  The first three had source and
destination port numbers (UDP addresses) fixed at 31790 and 31789.  These
numbers are normally chosen at random between 1024 and 65,535.  The last two
both carried the same pair of port numbers, 60,000 and 2140.

I developed a concept of how these probe packets could be used as part of a
scheme to shut down organizations' connections to the Internet.  To prove
its feasibility, I wrote and tested programs that implement it as described
below.

The purpose of this scheme, which I call a "Mac DoS Attack," is to generate
a large amount of ICMP Internet traffic going to a specific target. This
scheme can be replicated to attack many different targets, with little chance 
that the perpetrators will be caught. 

Phase 1 - Scanning

The attackers run computer programs that send UDP packets to every
Internet address in the address ranges assigned to CATV cable modem
and ADSL modem providers.  Addresses that have Macintosh computers
attached and operating will respond with a 1500-byte ICMP packet.
These addresses are kept in a list for Phase 2.  I will refer to the
Macintosh computers at these addresses as "slaves."

Phase 2 -  Attack

A computer at a location like a University is "root compromised." 
This means the aggressor group has used one of the many well-known
techniques to gain the administrator password so they can load their own
programs, which may be scheduled to run at a later time (like Christmas
Eve or New Year's Eve).  The compromised computer is given a list of
addresses for 40 slaves, and the address of a specific target.  The log
files are erased so that no one will later be able to tell who
installed the attack program.

When the attack program starts running, it sends trigger packets in
rotation to the forty or more slaves on its list.  The source (return) 
Internet address is forged to be that of the target.  The slaves then send
a 1500 byte ICMP packet to the target each time they receive a 40-byte
trigger packet.

If the attack computer sends 4000 40-byte trigger packets per second
(bit rate less than 1.3 Mbps), the slaves will send 4000 1500-byte packets
to the target (bit rate 48 Mbps).

                 |-------------> Slave ------------>|
Control          |-------------> Slave ------------>|
Computer ------->|-------------> Slave ------------>|-------> Target
                 |-------------> Slave ------------>|
                 |               * * *              |  4000 1500-byte
 4000 40-B pkt/s  100 40-B pkt/s     100 1500-B pkt/s    ICMP pkts/s
                   to each slave      from each slave   = 48 Mbps
                   
   This figure shows the process of "byte amplification."
                                                   
The target organization (or organizations) is cut off from the Internet
because its connection, a 1.5 Mbps (million bit per second) T-1 or a
45 Mbps DS-3 digital line, is swamped with ICMP packets from forty
different sources.  Note that about 30 different T-1 connections could be
swamped at once by varying the forged return addresses in the trigger
packets.
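The following is an added example, not the author's monitoring, scanning or
attack program, and it makes no use of the trigger-packet detail this article
withholds.  It shows the two things a network operator would want from the
description above: how the monitor computer in the diagram at the top could
recognize a slave (a small inbound UDP packet answered by a much larger
outbound ICMP packet to the same peer, from a fixed port pair), and how the
byte amplification figures translate into link capacity on the target side.
The packet records are constructed for this example and use documentation
addresses (RFC 5737); the ICMP type/code (3/3, destination unreachable) is an
assumption, since the article does not state which ICMP type the Macintosh
sent, and the T-1 and DS-3 rates are the standard 1.544 and 44.736 Mbps.

```python
"""Added example: detecting and sizing the byte-amplification pattern above.

Not the author's code.  Each packet record is a constructed tuple
(time_s, src_ip, dst_ip, proto, a, b, length_bytes) as a monitor computer might
log it: for UDP, a/b are the source/destination ports; for ICMP they are the
type/code (assumed 3/3, destination unreachable; the article does not say).
"""
from collections import defaultdict

T1_BPS = 1_544_000      # T-1 line rate in bits per second
DS3_BPS = 44_736_000    # DS-3 line rate in bits per second

# Constructed sample from the slave side: two 29-byte UDP probes with the fixed
# port pair 31790 -> 31789 noted in the article, each answered by a 1500-byte
# ICMP packet, plus an ordinary DNS exchange that must not be flagged.
MAC = "198.51.100.10"
SLAVE_SIDE = [
    (0.00, "203.0.113.1", MAC, "udp", 31790, 31789, 29),
    (0.01, MAC, "203.0.113.1", "icmp", 3, 3, 1500),
    (5.00, "203.0.113.2", MAC, "udp", 31790, 31789, 29),
    (5.01, MAC, "203.0.113.2", "icmp", 3, 3, 1500),
    (9.00, MAC, "198.51.100.1", "udp", 49152, 53, 60),
    (9.02, "198.51.100.1", MAC, "udp", 53, 49152, 120),
]

# Constructed sample from the target side: three slaves each sending 100
# 1500-byte ICMP packets per second to one target for one second.
TARGET = "192.0.2.1"
TARGET_SIDE = [
    (i / 300, f"198.51.100.{10 + i % 3}", TARGET, "icmp", 3, 3, 1500)
    for i in range(300)
]


def find_reflectors(records, window_s=1.0, min_ratio=10.0):
    """Hosts that answer a small inbound UDP packet with a larger outbound ICMP
    packet to the same peer within window_s seconds.  Returns {host: stats}
    where stats has probes, probe_bytes, reply_bytes, ratio and port_pairs."""
    pending = {}   # (host, peer) -> (time, udp_len, (sport, dport)) of last probe
    stats = defaultdict(lambda: {"probes": 0, "probe_bytes": 0,
                                 "reply_bytes": 0, "port_pairs": set()})
    for t, src, dst, proto, a, b, length in sorted(records, key=lambda r: r[0]):
        if proto == "udp":
            pending[(dst, src)] = (t, length, (a, b))
        elif proto == "icmp" and (src, dst) in pending:
            t0, probe_len, ports = pending.pop((src, dst))
            if t - t0 <= window_s and length > probe_len:
                s = stats[src]
                s["probes"] += 1
                s["probe_bytes"] += probe_len
                s["reply_bytes"] += length
                s["port_pairs"].add(ports)
    flagged = {}
    for host, s in stats.items():
        ratio = s["reply_bytes"] / s["probe_bytes"]
        if ratio >= min_ratio:
            flagged[host] = dict(s, ratio=ratio)
    return flagged


def amplification(trigger_pps, trigger_bytes=40, reply_bytes=1500):
    """Bit rate the control computer must send and the bit rate the target
    receives, for a given trigger packet rate (the article uses 4000 pkt/s)."""
    return trigger_pps * trigger_bytes * 8, trigger_pps * reply_bytes * 8


def links_swamped(target_bps, link_bps=T1_BPS):
    """Number of links of the given rate the reflected traffic could fill if
    the trigger packets' forged return addresses were spread across targets."""
    return target_bps // link_bps


def icmp_load(records, target, window_s=1.0):
    """Inbound ICMP bit rate at target per window and the number of distinct
    source addresses feeding it.  Nothing here depends on the ICMP type, so an
    echo-request filter at the target's firewall would not change the load."""
    windows = defaultdict(lambda: [0, set()])
    for t, src, dst, proto, _a, _b, length in records:
        if dst == target and proto == "icmp":
            w = windows[int(t // window_s)]
            w[0] += length * 8
            w[1].add(src)
    return {w: (bits / window_s, len(srcs)) for w, (bits, srcs) in windows.items()}


if __name__ == "__main__":
    for host, s in find_reflectors(SLAVE_SIDE).items():
        print(f"reflector {host}: {s['probes']} probes, ratio {s['ratio']:.1f}x, "
              f"port pairs {sorted(s['port_pairs'])}")
    attacker_bps, target_bps = amplification(4000)
    print(f"control computer sends {attacker_bps / 1e6:.2f} Mbps, "
          f"target receives {target_bps / 1e6:.0f} Mbps, "
          f"enough for {links_swamped(target_bps)} T-1 links")
    for w, (bps, n) in sorted(icmp_load(TARGET_SIDE, TARGET).items()):
        print(f"target window {w}: {bps / 1e6:.2f} Mbps ICMP from {n} sources "
              f"({'over' if bps > T1_BPS else 'under'} a T-1)")
```

The slave-side check keys on the shape of the exchange (small UDP in, large
ICMP out, same peer, fixed port pair) rather than on the trigger itself, which
is what a monitor watching the cable-modem link actually sees.  On the target
side, three slaves at 100 packets per second already exceed a T-1, which
matches the scale of the test described later in this article.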

Recovery

The FBI would have to approach the CATV company to get the owners' names
and addresses for the forty computers sending ICMP packets to the target.
Once a slave is located, the trigger packets can be examined, but from
their Internet source address they appear to be coming from the target.
Tracing packets with a forged source address back through the Internet
is practically impossible.  To stop the attack, most of the slaves would
have to be shut down.  Their owners would not be aware that their
Macintoshes were being used to participate in the attack.

After a long delay, the attack computer might be located.  There would
be no record of who installed the attack program, which may even have
erased itself.

Is this scenario likely?  

I can think of no other purpose for the five probing UDP packets I have
detected, four of which came from outside the country.

In scanning the Georgia Tech network with these particular UDP packets,
no computer had an unusual reaction, except the newer OS9 Macintoshes.
Since there are many different types of computers on this network,
it indicates that this type of scan was designed to spot the OS9 Macintoshes. 

To verify that the entire scheme is feasible, I have written a computer
program that scans for OS9 Macintoshes, and have used another program to cause 
just three such Macintoshes to flood an Internet address on another network 
with over 1 Mbps of ICMP packets as described above.

Prevention

People who own OS9 Macintosh computers connected to high-speed Internet
connections, such as a cable modem, an ADSL modem, or a corporate LAN,
should turn off those computers, or disconnect them from the network,
when they are not actively using the network connection.

Apple Computer was informed on Dec. 22 of the "unintended feature" in
the Macintosh Internet protocol software, and developed a preliminary
patch, the "OT Tuner," on Dec. 24.  It was released to the public on Dec. 28.
OS9 Macintosh owners should install this OT Tuner as soon as possible.

Many organizations now discard incoming ICMP Echo-Request packets at
their Internet Firewall (to keep hackers from scanning their network). 
This will not stop the UDP scanning packets described above, and will
not protect them if the incoming ICMP packets jam their connection.
 
The Internet Service Providers (ISPs) must take action to drop long ICMP
packets in the backbone networks (at a minimum, any ICMP packet of 1500
bytes or more).

This article omits an essential detail about the trigger packets, so it
is not a recipe someone could use for implementation.  

Contact Information

The Georgia Tech network is being shut down over the Holiday break, so
my normal email address and Web page may not be available.

I will check voice mail left at my office: 404 894-5177.

Please send email to: jacopeland@mediaone.net

The Web site to be used while the Georgia Tech network is down:
http://people.atl.mediaone.net/jacopeland
For my biographical information see:
http://people.atl.mediaone.net/jacopeland/jac_bio.html

Georgia Tech Web Page (please use if available): http://www.csc.gatech.edu