In association with heise online

28 July 2006, 10:11

Sun patches Denial of Service holes in the Solaris network stack.

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

An error in Sun's network stack under Solaris, versions 8, 9 and 10, can be abused to mount a Denial of Service attack. The server gets stuck in a repetitive exchange of TCP ACK packets and also floods the network. This "ACK Storm" condition as described by Sun is caused by the attempt by two vulnerable Solaris systems to agree on correct packet sequence numbers.

The ACK Storm is started by an initial transmission of a TCP package with a wrong sequence number. In response to this, the receiving server answers with a packet containing the expected correct sequence number. In turn, the first server again sends a wrong sequence number, and the process continues indefinately with the exchange of packets developing into an ACK Storm. However, in order to initiate this process, an attacker needs to possess root rights on the initiating system, in order to manipulate packets.

According to information from Sun, this behaviour actually conforms to original RFC specifications. Nevertheless, the manufacturer has made a patch available for Sparc and x86, which limits the number of times a response will be generated to packets with wrong sequence numbers.

See also:

Solaris Hosts are Vulnerable to a Denial of Service Induced by an Internet Transmission Control Protocol (TCP)ACK Storm, the error report from Sun.


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit