New DoS attack technique: sockstress

The guys from Outpost24 are releasing a new tool (sockstress) that exploits problems with TCP state tables. Apparently, you can disable almost any Windows/Linux/firewall box with minimal attack bandwidth (read: a cable modem).

According to the podcast, the tool does “some evil things” during the negotiation of the handshake. It’s definitely not a SYN flood or a SYN-cookie trick.

The attack uses a concept called ‘reverse SYN cookies’ to encode information about the client’s TCP session in the packets. This allows the attacker to attack without ever keeping track of state: the packets themselves carry the state and indicate what phase the attack is in.

Approximately 10 packets are needed to disable a single service. No system is known to withstand the attack.
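Since the post describes the problem as pressure on the server's TCP state table but gives no packet-level signature, the natural defensive check is a per-source accounting of state-table entries. The following is an added example (not code from the post, from Outpost24, or from the sockstress authors); it assumes the connection table is available as text in the shape of `ss -tan` output, that a per-source entry count on a single service is a reasonable first-cut alarm, and that the threshold is tuned locally. The sample table is constructed for the example.

```python
"""Per-source TCP state-table pressure check (added example, not from the post).

Assumptions (mine, not the post's): the connection table is text laid out
like `ss -tan` output, and a per-peer entry count against one local port is a
useful first alarm for state-table exhaustion. The sample below is constructed.
"""
from collections import Counter, defaultdict

# Constructed sample in `ss -tan` layout: one peer holds several entries in
# assorted states against the web service, another has one normal connection.
SAMPLE_SS_OUTPUT = """\
State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN     0      128    0.0.0.0:80           0.0.0.0:*
ESTAB      0      0      10.0.0.5:80          203.0.113.7:41000
ESTAB      0      0      10.0.0.5:80          203.0.113.7:41001
SYN-RECV   0      0      10.0.0.5:80          203.0.113.7:41002
ESTAB      0      0      10.0.0.5:80          203.0.113.7:41003
FIN-WAIT-1 0      0      10.0.0.5:80          203.0.113.7:41004
ESTAB      0      0      10.0.0.5:80          198.51.100.2:55123
"""


def parse_ss(text):
    """Return (state, local_port, peer_ip) tuples, skipping the header line."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 5:
            continue
        state, _recvq, _sendq, local, peer = parts[:5]
        local_port = local.rsplit(":", 1)[1]
        peer_ip = peer.rsplit(":", 1)[0]
        rows.append((state, local_port, peer_ip))
    return rows


def state_table_pressure(rows):
    """Count non-LISTEN entries per (peer_ip, local_port) and per peer state.

    LISTEN sockets are excluded: they are not per-connection state-table
    entries and would otherwise attribute a bogus entry to 0.0.0.0.
    """
    per_peer_port = Counter()
    per_peer_state = defaultdict(Counter)
    for state, local_port, peer_ip in rows:
        if state == "LISTEN":
            continue
        per_peer_port[(peer_ip, local_port)] += 1
        per_peer_state[peer_ip][state] += 1
    return per_peer_port, per_peer_state


def flag_sources(per_peer_port, threshold):
    """Peers holding at least `threshold` state-table entries on one service."""
    return sorted({ip for (ip, _port), n in per_peer_port.items() if n >= threshold})


def audit(text, threshold=4):
    """Return (flagged peer IPs, per-state breakdown for each flagged peer)."""
    rows = parse_ss(text)
    per_peer_port, per_peer_state = state_table_pressure(rows)
    flagged = flag_sources(per_peer_port, threshold)
    return flagged, {ip: dict(per_peer_state[ip]) for ip in flagged}


if __name__ == "__main__":
    flagged, breakdown = audit(SAMPLE_SS_OUTPUT)
    for ip in flagged:
        print(f"{ip}: {breakdown[ip]}")
```

The per-state breakdown matters more than the raw count: a peer that accumulates entries across ESTAB, SYN-RECV and FIN-WAIT states without ever completing transfers is consuming table slots rather than doing work. Because the post says the attack completes in roughly ten packets, a per-source count is a coarse alarm rather than a signature, and the threshold should be set against the service's normal per-client connection pattern.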

The podcast is the best source of information at this point (the English portion starts after about 5 minutes).
More information here:
