Stealth Computing Abuses TCP Checksums

Tim May tcmay at got.net
Sun Sep 2 09:37:03 PDT 2001


On Sunday, September 2, 2001, at 09:23 AM, georgemw at speakeasy.net wrote:

> On 1 Sep 2001, at 1:38, Dan Geer wrote:
>
>> .     "Below, we present an implementation of a parasitic computer
>> .     using the checksum function.  In order for this to occur,
>> .     one needs to design a special message that coerces a target server
>> .     into performing the desired computation."
>>
>> This is the same principle that underlies denial of service
>> attacks -- the irreducible residual vulnerability of a system
>> to denial of service is proportional to the amount of work (or
>> time) that system must do (or consume) before it can conclude
>> its initial authorization decision.  Ironically, the more
>> precise and complex that authorization decision process, the
>> greater the amount of work that the active (initiating) side of
>> the connection can call on the passive side to perform.  This
>> critically bears on protocol and application security design.
>>
>> --dan
>>
>>
> Since I haven't noticed anyone else point this out (apologies for
> my redundancy if I just somehow missed it),  it's worth mentioning
> that the original result was more of a "gee whiz,  it's interesting we
> can do this in principle" type of thing than an actual threat of
> something anybody would ever actually do. Yes, you can trick a
> remote host into performing calculations for you with a specially
> prepared message, but it requires a hell of a lot more effort to
> prepare the message than it would to perform the calculation
> yourself.


Why would you think this is always so?

It would not take much effort to arrange a computation that consumed a 
lot of CPU cycles and returned a result, once one has gotten access to a 
remote machine. The case of the corporate employee using machines he 
could access to compute a screensaver/P2P job for a possible winning 
payoff comes to mind. Granted, he may have had permissions to access 
these machines, but the general point is that someone who got past these 
permissions could have done the same compute-intensive thing.

I see no reason to believe that "it requires a hell of a lot more effort 
to prepare the message than it would to perform the calculation
yourself."

Sometimes it does, sometimes it doesn't.


--Tim May




